Breaking news: Ransomware, compromised credentials were behind Newfoundland healthcare attack

The 2021 ransomware attack that temporarily crippled the Newfoundland and Labrador healthcare system started with an attacker getting into the VPN of a provincial healthcare information managed environment using the compromised credentials of a legitimate user, says a government report.

It’s the first time the province has acknowledged the attack was ransomware.

Released Tuesday, the report identifies the Hive ransomware group as being behind the attack.

The only reason the province can now reveal that, and other details, is that the Hive group was itself crippled in January when its infrastructure was seized by the FBI.

While the report says the earliest evidence of compromise of the healthcare system was the October 15, 2021 entry through the VPN, investigators can’t say how the attacker got hold of the credentials.

“There is no evidence to indicate that the attack was intended to specifically target NLCHI (Newfoundland and Labrador Centre for Healthcare Information) or the Newfoundland and Labrador provincial health care system,” says the report. “However, the attacker, Hive ransomware group, was known for its aggressive and sophisticated capabilities and its targeting of the health sector.”

After gaining access, the hacker moved laterally through the healthcare IT network, gained administrative privileges through a privileged user account, and connected to other systems and eventually to the system of the Eastern Health region.

Initially, Eastern Health said a drive with 200,000 files was compromised. Later, after a more thorough investigation, it said approximately 20,000 of those files had personal information of 31,500 people — mostly patients, but also 280 staff or former staff members.

The report outlines a timeline of the attack and the province’s response, but not how the attacker was able to move laterally and obtain administrative privileges without detection.

It does say that after the attack was discovered, an endpoint detection and response (EDR) system was deployed throughout the NLCHI-managed environment, and multifactor authentication (MFA) was made mandatory for remote connections to NLCHI-managed domains where it was not already implemented.

MORE TO COME



