Healthcare, a new playground for hackers

Cyberattacks against the healthcare industry have been exploding for several months. Between criminal attacks and cyber espionage, the motives are diverse and the investigations complex.


The night is calm in Villefranche-sur-Saône (Rhône) on February 15, 2021. The weekend is ending when, at 4:30 am, the IT manager of the city's North West hospital receives a call. "My on-call technician explains to me that we are undergoing a cyberattack," says Nasser Amani. "In 20 years of work in hospital information systems, this is the first time that we have seen such a well-prepared attack." The hospital is the target of the ransomware known as Ryuk. Malware introduced several days earlier had gradually spread through the computer system, up to the final step: data encryption. The hackers then demand a ransom in exchange for the decryption key.

Very quickly, a race against time begins. "We must first stop everything, to prevent it from spreading, especially in our storage infrastructures," continues Nasser Amani. "Then we set up a crisis unit and we go into degraded mode. Everything is done by hand, the prescriptions, the follow-up. We are going back 20 years." Fortunately, the servers had been backed up shortly before the attack, so the hospital did not lose any data. "But it could have been terrible," Nasser Amani explains. "We could have lost everything, 25 or 30 years of data for some patients."

Don’t give in to ransomware blackmail

If it had been otherwise, would the hospital have paid the ransom demanded by the hackers? "We never asked ourselves the question," Nasser Amani assures. The doctrine in France for hospitals, and for public services more generally, is not to pay, so as not to encourage further attacks. Private companies, however, have sometimes paid in order to restart their activity as quickly as possible and avoid a loss of revenue. In the United States, some hospitals have paid as well, which encourages the hackers to continue.

And even if they do not get the money, the hackers are not the losers, says Stéphane Duguin, president of the CyberPeace Institute, which has just published a report on the risk of cyberattacks in the health sector. "They can take hold of patients' medical data," he explains. "This is expensive data. On the black market, it trades at around 250 euros per record. It is the cornerstone of other crimes, because others will use it for other crimes, such as identity theft, false declarations, access to bank details, fraud, etc."

Technically vulnerable hospitals

If hospitals are attacked, it is also because hackers consider them technically more vulnerable. Vincent Trély heads Apssis, the Association for the promotion of the security of health information systems: "In hospitals," he says, "IT has not been a priority for the past ten years. A facility director will prefer to recruit nurses or build a new operating theater rather than replace PCs or invest in security tools to guard against a threat that may not materialize."

The carefulness of hospital staff also raises questions. In Villefranche-sur-Saône, according to information from the investigation unit of Radio France, an employee had opened an attachment from an unknown email at his workplace during a phishing campaign. These fake emails imitate an official message and trick the recipient into clicking on a link or attachment, allowing malware into the system. This is how the attackers, out of pure opportunism, were able to infiltrate the establishment.

Laboratories also targeted

Hospitals are not the only ones suffering from cyberattacks. During this period of health crisis, many pharmaceutical companies were attacked. This was the case for Sanofi, without significant consequences, but also for AstraZeneca and Moderna. According to our information, many intelligence services have used these techniques to learn more about vaccine manufacturing.

The Netherlands-based European Medicines Agency (EMA) also suffered a hack in December 2020. But the focus here was different. According to Stéphane Duguin of the CyberPeace Institute, this was a "double attack": "First there was hard hacking, with data theft, and then the transformation, the manipulation of that data, to undermine public confidence in the efficacy of a vaccine and therefore serve a geopolitical interest." In this case, the aim was to weaken the credibility of the EMA by publishing falsified versions of its own data on the dark web.

Highly organized criminal groups, sometimes protected by states

It is difficult to know who is behind these cyberattacks. Criminal groups are often very well organized, in small decentralized cells, and can sometimes be protected by states. Two regions of the globe are of particular interest: Asia (with China and North Korea) and Eastern Europe (with the countries of the former communist bloc).

During some attacks, investigators found pieces of code written in Cyrillic, suggesting that Russian speakers were behind them. Baptiste Robert, an "ethical" hacker, reminds us, however, that this information must be taken with a grain of salt: "This is a game of cat and mouse," he explains. "Sometimes we find little clues in a piece of code that tell us that potentially it would be there. But the attackers who create this malicious code also play with it. The Russians are an easy scapegoat, but they are not the only ones playing this game." When it comes to cyber espionage, the United States, for example, is considered by some experts to be the world champion.

Long and complex investigations

Trying to trace the thread of an attack takes time and requires cooperation between police forces in several states. The effectiveness of the police response then depends on their degree of cooperation, and it is not always easy. According to cyber-investigator Pierre Penalba, author of the book Cyber crimes (Albin Michel, 2020), "As soon as we leave the French or European framework, there is a slowness due to cooperation."

France is nevertheless trying to build cooperation with its partners in Eastern Europe. "We have good cooperation with Russia and Ukraine," explains Catherine Chambon, deputy director of the fight against cybercrime at the central directorate of the judicial police. "It resulted in the arrest of the authors of Emotet, one of the most harmful banking Trojans in years. Ditto for the Egregor case, handled trilaterally with the FBI, Ukraine and ourselves. This may have enabled the team behind this malware to be dismantled."

Unfortunately, in the Egregor case, the trial of the arrested hackers will be held in Ukraine, because the criminals cannot be extradited. In France, only the creator of the Locky ransomware, Alexander Vinnik, has been tried, in Paris in October 2020. The prosecution appealed his partial acquittal on the charges of attacking an automated data processing system. Other trials are expected, but the judicial response is slow compared to the explosion of pending cases of this type before the cybercrime section of the Paris prosecutor's office, which have increased by 540% since 2019.

The concern around the proliferation of connected objects

The future gives even less cause for optimism as the proliferation of connected objects raises fears of the emergence of cyberterrorism. This fear is not new, recalls Vincent Trély of Apssis: "In 1998, a man killed his wife and his wife's roommate by taking control of the resuscitation monitoring machines from a distance and causing them to malfunction. Today, the risk is real because we have more and more connected objects in hospitals. All of these mechanisms have weaknesses."

To counter the threat, a cyber liaison officer has just been appointed at the National Anti-Terrorism Prosecutor's Office. In addition, the President of the Republic recently announced a plan of one billion euros to strengthen France's IT security. In the meantime, the experts insist on the need to educate the general public in the basics of cybersecurity: never open an unknown attachment, change passwords frequently, and keep them secure. In short, apply the basic protective measures, whatever the nature of the virus.
