N.L. says Hive ransomware group was behind 2021 cyberattack on health systems | CBC News

Justice minister won’t disclose whether province paid ransom

Rob Antle · CBC News · Posted: Mar 14, 2023 3:16 PM EDT | Last Updated: March 14
The Hive ransomware group was responsible for a 2021 cyberattack on the Newfoundland and Labrador health-care system, provincial government officials have announced. (Kacper Pempel/Reuters)

The Newfoundland and Labrador government says the Hive ransomware group was behind a cyberattack that paralyzed the province's health-care system a year and a half ago.

But top government officials still won't say whether they paid a ransom.

"We can't disclose anything about a request for a ransom, for security purposes," Justice Minister John Hogan told reporters Tuesday afternoon.

"Again, that's advice we get from security agencies, legal instructions, legal advice, and other groups that have had this happen to them."

U.S. law enforcement officials announced in January that they had dismantled the Hive ransomware network.

Hogan said that disclosure cleared the way for officials in Newfoundland and Labrador to finally say who was responsible for the attack that targeted their systems 18 months ago.

"One of the reasons again, I want to stress, that we're able to reveal who the entity is, is because of the work that was done in the States by the Department of Justice there," Hogan said.

"We now know that the threat has been extinguished. So now that that doesn't exist any more, we feel we're safe to disclose it to the public. Doing so any earlier would have still, we felt, put systems at risk."

Newfoundland and Labrador Justice Minister John Hogan won't say whether the province paid a ransom to cyberattackers in 2021. (Terry Roberts/CBC)
According to U.S. law enforcement, the Hive ransomware group targeted more than 1,500 victims around the world and received over $100 million in ransom payments, beginning in June 2021.

American officials said the FBI had penetrated Hive's computer networks since late July 2022, captured its decryption keys, and offered them to victims worldwide — stopping victims from having to pay $130 million in ransom demanded.

Ransomware deployed weeks after system penetrated
The Newfoundland and Labrador government released a 12-page report on the 2021 cyberattack Tuesday, after Hogan spoke with reporters.

A forensic investigation determined that the earliest evidence of attacker activity occurred on Oct. 15 — more than two weeks before the ransomware was deployed.

According to the report, the attacker successfully initiated a VPN connection to the environment managed by the Newfoundland and Labrador Centre for Health Information, using the compromised credentials of a legitimate user account.

Officials still don't know how those credentials were compromised.

Once inside, the attacker moved laterally, escalating their privileges through an account with administrative privileges, and connecting to other systems.

Between Oct. 26 and Oct. 29, hackers "exfiltrated" data — including personal information and personal health information — from the system.

On Oct. 30, the cyber-criminals deployed Hive ransomware and encrypted numerous systems. According to the report, that resulted in the IT outage which caused "widespread system disruption and led to the detection of the attack."

Last May, then-health minister John Haggie said expenditures related to the cyberattack were just under $16 million.

Hogan did not have an updated amount on the costs of the attack, when asked by reporters Tuesday.

As of December, the number of patients and employees impacted by the breach topped 58,000 — more than one in every 10 people in the province.