Doubts about the cyberattack that has brought down the Hospital Clínic: “The modus operandi does not match”

Doubts accumulate around the cyberattack that has knocked down the Hospital Clínic de Barcelona, ​​one of the most important in Catalonia. The center has had to suspend 150 non-urgent surgeries, 3,000 visits to external consultations and some 500 tests after seeing how its computer system was hijacked by a group of cybercriminals this Sunday. Its medical director and the head of the Catalan Cybersecurity Agency appeared on Monday to explain how the attack occurred and the degree to which the center was affected, but their explanations have generated even more uncertainty among specialists.



Dismantled a cybercriminal network that attacked thousands of companies, institutions and hospitals

Further

The main objection focuses on the authorship of the action. This type of cyberattack is characterized by being extremely difficult to trace and attribute. This is due to the technical complexity of unmasking cybercriminals, but also because of the false trails they leave behind to confuse law enforcement. Despite this, the Generalitat has pointed to the RansomHouse group as responsible for the attack less than 24 hours after starting the investigation.

RansomHouse is one of the most active cybercriminal groups in recent months, with some 30 confirmed victims since December 2021. However, there is something that does not fit in its alleged offensive against the Clínic: until now, RansomHouse had not seized the files of any of his goals. In fact, not carrying out this type of action is one of its flags, several specialists explain to elDiario.es.

With this action, the group would have gone from one extreme to another. From never paralyzing the systems of its victims to knocking down a critical infrastructure such as a hospital, leaving thousands of patients on edge. “It is not his modus operandi. These people don’t hijack the files; Rather, he steals them and sells them to third parties or charges blackmail in exchange for not doing so,” says Jorge Coronado, director of Quantika14, a Spanish cybersecurity firm specializing in digital forensics that has been tracking RansomHouse for several months. “If it had been them and they had used their usual modus operandi, they would not have prevented the hospital from continuing its activity,” he explains.

Other experts consulted by this means agree with this assessment. “Indeed, RansomHouse boasts that it does not use the usual file encryption techniques in hacking attacks. ransomware. On the contrary, they claim to limit themselves to demonstrating the vulnerabilities and deficiencies in the company’s protection system by stealing information that they then threaten to publish if they do not receive a payment”, sums up Miguel López, general director of Barracuda Networks.

“They justify themselves by saying that they access company systems because they discover that they have security vulnerabilities, but that they do not hijack the files. They enter but do not throw the ransom”, Coronado insists.

Despite this, the Generalitat assures that the attack suffered by the Clínic is an attack by ransomware and that it comes from RansomHouse, have explained Tomàs Roy, the director of the Cybersecurity Agency of Catalonia, and Sergi Marcén, General Secretary of Telecommunications of the Government. The result is that the hospital has not lost the patient data, but cannot access it. He also does not know when he will be able to do so, since he will not satisfy the ransom that the attackers would have requested to lift the blocking of the files. “We will not pay a cent,” said Marcén.

Asked about the doubts of the specialists about the participation of RansomHouse, sources from the Agència de Ciberseguretat de Catalunya assure this medium that the organization “has no doubts” about the authorship. “We are sure that it is them,” insist official sources, who explain that they cannot share the evidence that supports this thesis without further compromising the hospital’s cybersecurity.



During the press conference, Sergi Marcén explained that the attackers “use quite advanced technology” and “new techniques” that are making it difficult to recover the files. “The shared clinical history, which is the information system of all citizens, has not been compromised. This is on the servers of the Generalitat de Catalunya and in this case what has been attacked have been the virtual servers of the hospital”, he reported.

At the moment, the versions do not add up. “In this case, and from the information provided by the victim, it seems that there has been encryption of the information, but we do not know if this could be due to a change in operations by RansonHouse, to some error in the information provided by the entity attacked or that the attacking group could be someone else,” says López, from Barracuda Networks.

The inconsistencies between what happened at the Clínic and how RansomHouse has behaved so far do not end with the seizure of the files. The practices of this group include giving each of their successful cyberattacks a lot of publicity, with the goal of letting anyone who might be interested in the stolen information know that that data is now in their possession. This also increases the pressure on the victim to pay up. Cybercriminals use their portal on the dark web and even their Telegram channel for this purpose. However, none of them has published anything about the attack on the Catalan health center at the time of going to press.

“It is something very rare, because with a hospital we are talking about a database with incalculable value. I am very surprised that if it had been them they would not have communicated it, ”says Coronado. “It could be because they are still negotiating, but it would also be weird because the director has said that they are not going to pay,” he recalls.

“It was a strainer”

The Generalitat has explained that the cyberattack comes “from abroad”, and even a part of the Catalan press has advanced that the Government’s cybersecurity experts are already looking towards Russia. However, RansomHouse is not framed by specialists as one of the groups that act against the Western world sponsored by the Kremlin. On the contrary, one of the things that the researchers know about them is that the internal language of the group is English.

The data that has surfaced after the paralyzation of the hospital suggests that it could have been very vulnerable to cyberattacks. As Coronado exposes elDiario.es, an audit carried out this Monday has shown that the passwords of more than 100 emails belonging to the Clínic staff have been published in recent years on the Internet in various leaks. To this figure should be added those compromised emails but whose password is in the possession of cybercriminals and has not been published openly on the web.

“Hundreds of leaks with passwords and customer data are found. It is very possible that the hospital has suffered several computer attacks over the past few years and their data has been stolen. It was a strainer ”, warns this specialist. elDiario.es has asked the Agència de Ciberseguretat de Catalunya about this point, but has not received a response at the time of closing this information.

Miguel López, from Barracuda Networks, explains that this high number of exposed passwords should not have meant a security hole if the hospital took the appropriate countermeasures. “Unfortunately, the existence of leaked passwords in databases available to cyber attackers is very extensive, and virtually any company is going to have a significant number of users whose credentials may have been exposed,” he warns.

“In this sense, one might wonder if the entity had sufficient protection tools, since, if they had, the mere existence of exposed credentials would not have been enough to gain access to the systems. It is important to stress the need to have forensic analysis and incident response tools, multifactor authentication systems, user training, artificial intelligence applied to mail flows, among other means, in order to prevent this type of attack”, concludes the same expert.

Cyber ​​attacks on hospitals have multiplied in recent years. The social alarm generated by the paralysis of health infrastructures and the high value of medical data make them a juicy target for cybercriminals. However, this has also caused many groups to consider them a red line so as not to become a priority target for the security forces.

Related articles

Developing less flatulent cows could help combat climate change

Cows are one of the main methane producing sources worldwide thanks to their flatulence and burping, but recent research suggests breeding a version of...

Manjummel Boys: What happened to Ilayaraja? NOTICES EVEN IF RIGHTS ARE PURCHASED

Legendary music director Ilayaraja has been giving a series of shocks lately. It is known that Ilayaraja recently sent a legal notice to...

In April, the required gender wage gap was 8.33% in Ecuador

The April 2024 Multijob Index reveals a required salary gap according to gender 8.33% in favor of men, with an average requested salary of...