Cyberattack against CHRU Brest: what happened
The hospital center avoided the worst. An account, with Jean-Sylvain Chavanne, CISO of the Brest CHRU, of the response to a cyberattack that was discovered while it was still in its infancy.
By Valéry Rieß-Marchive, Editor-in-Chief
Published on: March 27, 2023
At a press briefing on Friday, March 24, the management of the Brest CHRU explained that reconnection to the Internet had begun, with staff once again able to send and receive e-mail, among other things, after two weeks of operating in degraded mode. Here is the account, from behind the scenes of the hospital's information system, of what happened.
It all began on the evening of Thursday, March 9. At about ten minutes to 9 p.m., the Brest CHRU IT teams received a notification: the hospital center's information system was likely the victim of an intrusion.
Without delay, Jean-Sylvain Chavanne, CISO of the Brest CHRU, and his colleagues launched the first investigations to qualify the alert.
The notification was relatively terse: it concerned the credentials of a compromised user account. But that was enough to search for connections made with this account.
Very quickly, one thing became clear: this account had indeed been used to gain fraudulent access to the CHRU's information system. The actions carried out with it left no room for doubt: they were clearly part of initial reconnaissance, the phase at the start of a cyberattack during which the attacker begins discovering and exploring the IT environment they have managed to reach.
A hijacked user account
Firewall logs were used to establish that the connections existed and which internal servers they had been used to reach. The Endpoint Detection and Response (EDR) system on the hosts detected the reconnaissance actions performed and generated the corresponding alerts.
All of these observations led to the conclusion that the best approach, to prevent the attacker from going further, was to disconnect the entire CHRU from the Internet.
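As an added example (not code from the article, the CHRU or HarfangLab), the triage step described above over constructed firewall log lines: starting from the compromised account name in the notification, it lists the internal servers that account reached and flags the many-hosts-in-a-short-window pattern typical of reconnaissance. The log format, account names, IP ranges and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines (not from any real system).
# Assumed format: timestamp|user|src_ip|dst_ip|dst_port|action
SAMPLE_LOGS = """\
2023-03-09T20:41:12|jdupont|10.20.5.17|10.20.1.10|445|allow
2023-03-09T20:41:15|jdupont|10.20.5.17|10.20.1.11|445|allow
2023-03-09T20:41:20|jdupont|10.20.5.17|10.20.1.12|3389|allow
2023-03-09T20:42:03|jdupont|10.20.5.17|10.20.1.13|389|allow
2023-03-09T20:42:30|jdupont|10.20.5.17|10.20.1.14|135|allow
2023-03-09T20:43:05|jdupont|10.20.5.17|10.20.1.15|445|allow
2023-03-09T20:50:00|mmartin|10.20.6.2|10.20.1.10|443|allow
2023-03-09T20:51:00|jdupont|10.20.5.17|10.20.2.40|443|allow
""".splitlines()

def parse_line(line):
    ts, user, src, dst, port, action = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src,
            "dst": dst, "port": int(port), "action": action}

def connections_for_account(lines, account):
    """Connections made with the given account, oldest first."""
    recs = [parse_line(l) for l in lines if l.strip()]
    return sorted((r for r in recs if r["user"] == account), key=lambda r: r["ts"])

def internal_servers_reached(conns, internal_prefix="10.20.1."):
    """Distinct internal server IPs contacted, with the ports used on each.
    The server subnet prefix is an assumption for this sample."""
    servers = defaultdict(set)
    for c in conns:
        if c["dst"].startswith(internal_prefix):
            servers[c["dst"]].add(c["port"])
    return {ip: sorted(ports) for ip, ports in servers.items()}

def looks_like_reconnaissance(conns, min_hosts=5, window_seconds=300):
    """True when the account reaches at least min_hosts distinct hosts
    within any window of window_seconds. Thresholds are illustrative."""
    for i, start in enumerate(conns):
        hosts = set()
        for c in conns[i:]:
            if (c["ts"] - start["ts"]).total_seconds() > window_seconds:
                break
            hosts.add(c["dst"])
        if len(hosts) >= min_hosts:
            return True
    return False
```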
Jean-Sylvain Chavanne recalls: "In all, it took us 2h30 to decide that, to be calm, to be sure to stop the attack at the right time and not miss something, we had to cut the Internet."
But the investigations continued overnight, with the support of the National Information Systems Security Agency (Anssi), until 3 a.m.
At the same time, care services had to be organized in degraded mode: “collective work, with the various directors, the IT department, and of course the general management, which perfectly took the measure of the gravity of the situation”.
An assailant stopped in his tracks
When the decision was made, the exact extent of the cyberattack's progress was not yet established. That would have to wait until the next day and the intervention of a security incident response provider (PRIS), which was ready at 8 a.m.
At midday, the good news came: the attacker had not managed to elevate their privileges. Their capacity for harm therefore remained very limited, well below what would have been needed to deploy ransomware widely and trigger it.
Network traces highlighted the use of a command-and-control server that had appeared shortly before and had, moreover, been shared on Twitter by researchers, but without it being possible to attribute it to a known cybercriminal group. The firewalls' block lists had not yet had time to be updated with it.
The investigation suggests the involvement, before the cyberattack began, of information-stealing malware, an infostealer: the employee whose account was compromised had also had social network accounts hijacked around February 20.
The investigations did not reveal any persistence mechanisms, such as backdoors or new user accounts, that would have allowed the attacker to return after being flushed out.
A complex environment
CHRU Brest has adopted HarfangLab's EDR, with a managed detection and response (MDR) service provider. But the EDR was not yet configured in blocking mode at the time of the cyberattack: “we were still in the process of purifying the many false positives”.
There was no question of taking the risk, by activating blocking mode too early, of disrupting the operation of a medical imaging server, for example.
An illustration: “our EDR regularly sends us alerts for unsigned executables carrying out commands likely to appear suspicious, while they are legitimate”. This is because biomedical equipment manufacturers do not systematically sign their executables.
The Brest CHRU has nearly 8,000 users, 350 servers and, above all, a very heterogeneous application base. HarfangLab's EDR covers all workstations and approximately 300 servers. That is enough for good visibility, even if it is not total, due in particular to certain unsupported operating systems.
The hospital center would like to go further, in particular by deploying network probes to overcome these limits, "but we are not in a position to have a person who would be able to operate them", explains Jean-Sylvain Chavanne, pointing to a chronic difficulty in recruiting this type of profile. A job opening has been posted for a long time.
Disconnecting from the Internet? A beneficial choice
Jean-Sylvain Chavanne highlights the resilience shown by health professionals during this ordeal. Disconnecting the CHRU from the Internet also had several beneficial effects.
First, the disconnection made it possible to investigate active machines, looking for traces directly in RAM, while containing the threat.
In addition, the on-premises business applications were able to keep running and be used normally, limiting the operational impact: “the computerized patient file was still available. This is why we were able to keep consultations, emergencies, maternity, in particular”. Care activity remained almost normal.
However, the situation also revealed applications that need to be reclassified as critical, starting with stretcher-bearing (the transport of patients between services). That activity is essential to maintaining a good discharge rate and avoiding overcrowding in care services.
The incident at the beginning of March therefore led to a review of the risk analyses, taking into account the potential need to cut Internet flows again one day: "in such a case, we must have degraded procedures that allow us to continue to operate".