NL says ransomware group Hive is behind 2021 healthcare system cyberattack
The Newfoundland and Labrador government says ransomware group Hive was behind a cyberattack that crippled the province’s healthcare system a year and a half ago.
Top government officials still will not say whether they paid a ransom.
“We cannot disclose anything about a ransom demand for security reasons,” Attorney General John Hogan told reporters Tuesday afternoon.
“Again, this is advice we’re getting from security agencies, legal briefs, legal counsel and other groups that this has happened to.”
US law enforcement officials announced in January that they had dismantled the Hive ransomware network.
Hogan said that disclosure paved the way for officials in Newfoundland and Labrador to finally say who was responsible for the attack that targeted their systems 18 months ago.
“I want to reiterate that one of the reasons we’re able to reveal who the entity is is because of the work that has been done in the States by the Department of Justice there,” Hogan said.
“We now know that the threat has been eliminated. Now that it no longer exists, we feel safe in disclosing it to the public. If we did this sooner, we would still think the systems would be compromised.”
According to US law enforcement agencies, the Hive ransomware group targeted more than 1,500 victims around the world and received over $100 million in ransom payments as of June 2021.
US officials said the FBI had been hacking into Hive’s computer networks since late July 2022, hijacking its decryption keys and offering them to victims worldwide – preventing victims from having to pay the $130 million in demanded ransom.
Ransomware deployed weeks after attacker entered the system
The Newfoundland and Labrador government released a 12-page report Tuesday on the 2021 cyberattack after Hogan spoke to reporters.
A forensic investigation found that the earliest evidence of attacker activity dates to October 15, more than two weeks before the ransomware was deployed.
According to the report, the attacker established a VPN connection to the environment managed by the Newfoundland and Labrador Centre for Health Information using the compromised credentials of a legitimate user account.
Officials still don’t know how those credentials were compromised.
Once inside, the attacker moved laterally, escalated privileges using an account with administrative rights, and connected to other systems.
Between October 26 and October 29, hackers “exfiltrated” data — including personal data and personal health data — from the system.
On October 30, cybercriminals deployed Hive ransomware and encrypted numerous systems. According to the report, this led to the IT outage that “caused widespread system disruptions and led to the detection of the attack.”
Last May, then-Health Secretary John Haggie said expenses related to the cyberattack totaled nearly $16 million.
When asked by reporters Tuesday, Hogan had no updated details on the cost of the attack.
In December, more than 58,000 patients and staff were affected by the breach — more than one in 10 people in the province.