Doubts are gathering around the cyber attack that brought down Barcelona Hospital Clinic, one of the most important in Catalonia. The center has had to carry out 150 non-emergency surgeries, 3,000 outpatient consultations and suspend about 500 tests after it saw its computer system hijacked this week by a group of cybercriminals. Its medical director and the head of Catalonia’s cyber security agency appeared on Monday to explain how the attack took place and the extent of the damage to the center, but their explanations fueled further uncertainty among specialists.
The main objection focuses on the authorship of the action. This type of cyber attack is characterized by the fact that it is extremely difficult to trace and attribute. This is due to the technical difficulty of unmasking cybercriminals, but also because of the false trails they leave behind to confuse law enforcement. Despite this, the Generalitat pointed to the RansomHouse group as responsible for the attack 24 hours after the investigation began.
RansomHouse is one of the most active cybercriminal groups in recent months, with around 30 confirmed victims since December 2021. However, there’s something that doesn’t add up about his alleged offense against the clinic: RansomHouse has never taken anyone’s files before. from his purposes. In fact, not taking this type of action is one of its signs, several specialists explain to elDiario.es.
By doing this, the group would go from one extreme to the other. From never paralyzing victims’ systems to destroying critical infrastructure like hospitals, leaving thousands of patients on the brink. “This is not his modus operandi. These people are not hijacking files; Instead, he steals them and sells them to third parties or blackmails them in return,” says Jorge Coronado, director of Quantika14, a Spanish cybersecurity firm specializing in digital forensics that has been tracking RansomHouse for several months. “If they had been there and used the usual operating mode, they would not have prevented the hospital from continuing to operate,” he says.
Other experts consulted in this way agree with this assessment. “In fact, RansomHouse boasts that it does not use conventional file encryption techniques in hacking attacks. Ransomware. On the contrary, they claim to be limited to demonstrating vulnerabilities and gaps in the company’s security system by stealing information that they threaten to publish if they don’t receive payment,” summarizes Barracuda Networks CEO Miguel Lopez.
“They make excuses by saying they access company systems because they find they have security flaws, but they don’t steal files. They enter, but do not throw out Redemption“, – claims Coronado.
Despite this, the Generalitat claims that the attack carried out by the clinic is an attack Ransomware And that it comes from RansomHouse, explained Tomás Roy, director of the Catalan Cyber Security Agency, and Sergi Marcen, the Secretary General of Government Telecommunications. The result is that the hospital has not lost patient data, but cannot access it. It also doesn’t know when it will be able to do so because it won’t meet the ransom the attackers demanded to unblock the files. “We won’t pay a cent,” Marsen said.
Regarding the specialists’ doubts about the involvement of RansomHouse, sources at the Agència de Ciberseguretat de Catalunya assure this media that the organization has “no doubts” about the authorship. “We are confident they are,” official sources said, explaining that they could not share evidence that supports this thesis without further compromising the hospital’s cybersecurity.
At the press conference, Serge Marsen explained that the attackers “use quite advanced technology” and “new techniques” that make it difficult to recover files. “The shared clinical history, which is the information system of all citizens, was not affected. It is located on the servers of the Generalitat de Catalunya and in this case the virtual servers of the hospital were attacked,” he said.
Versions do not fit at this time. “In this case, and based on the information provided by the victim, it appears that information was encrypted, but we do not know if this may be due to a change in operations by RansonHouse, or an error in the information provided.” by the entity being attacked, or that the attacking group may be someone else,” says Lopez, of Barracuda Networks.
The discrepancy between what happened at the clinic and how RansomHouse has behaved so far doesn’t end with the seizure of the files. This group’s practice includes giving each successful cyberattack a great deal of publicity, with the goal of letting anyone interested in the stolen information know that the data is now in their possession. It also increases the pressure on the victim to pay. Cybercriminals use their portal on the dark web and even their Telegram channel for this purpose. However, none of them had published anything about the attack on the Catalan health center at the time of going to press.
“This is something very rare, because with the hospital we are talking about a database of immeasurable value. I’m very surprised that if they were, they wouldn’t have contacted it,” says Coronado. “Maybe because they’re still negotiating, but it’s also going to be weird because the director said they’re not going to pay,” he recalled.
“it was the hood”
The Generalitat has explained that the cyber attack is coming from “overseas” and even a section of the Catalan press has confirmed that the government’s cyber security experts are already looking to Russia. However, RansomHouse has not been established by specialists as one of the groups operating against the Kremlin-sponsored Western world. On the contrary, one of the things researchers know about them is that the group’s internal language is English.
Data that emerged after the hospital’s shutdown suggested it may have been highly vulnerable to cyberattacks. As Coronado reveals to elDiario.es, an audit conducted this Monday revealed that more than 100 email passwords belonging to clinic staff have been published on the Internet in recent years through various leaks. To this figure should be added those emails that have been compromised, but whose passwords are in the possession of cybercriminals and not publicly published on the network.
“There are hundreds of leaks with passwords and user data. It is very possible that several hospital computers have been hacked and their data stolen in the past few years. It was a hood,” warns this specialist. elDiario.es has contacted the Agència de Ciberseguretat de Catalunya about this matter, but has not received a response at the time of this information closing.
Miguel Lopez, of Barracuda Networks, explains that this large number of passwords should not mean a security hole if the hospital takes appropriate countermeasures. “Unfortunately, the availability of leaked passwords in databases accessible to cyber attackers is very extensive, and virtually any company will have a significant number of users whose credentials could be exposed,” he warns.
“In this sense, we may wonder if the subject had sufficient safeguards, because if they had, it would not have been sufficient to gain access to open credential systems alone.” It is important to highlight the use of forensic analysis and incident response tools, multi-factor authentication systems, user training, artificial intelligence on mail flows, among other means, to prevent this type of attack,” concludes the same expert.
Cyber attacks on hospitals have increased in recent years. The social alarm caused by the paralysis of health infrastructure and the high value of medical data make them a juicy target for cybercriminals. However, this has also led to many groups seeing them as a red line to avoid being a priority target for security forces.
Source: El Diario