N.L. says Hive ransomware group was behind 2021 cyberattack on health systems
Justice minister won’t disclose whether province paid ransom
The Newfoundland and Labrador government says the Hive ransomware group was behind a cyberattack that paralyzed the province's health-care system a year and a half ago.
But top government officials still won't say whether they paid a ransom.
"We can't disclose anything about a request for a ransom, for security purposes," Justice Minister John Hogan told reporters Tuesday afternoon.
"Again, that's advice we get from security agencies, legal instructions, legal advice, and other groups that have had this happen to them."
U.S. law enforcement officials announced in January that they had dismantled the Hive ransomware network.
Hogan said that disclosure cleared the way for officials in Newfoundland and Labrador to finally say who was responsible for the attack that targeted their systems 18 months ago.
"One of the reasons again, I want to stress, that we're able to reveal who the entity is, is because of the work that was done in the States by the Department of Justice there," Hogan said.
"We now know that the threat has been extinguished. So now that that doesn't exist any more, we feel we're safe to disclose it to the public. Doing so any earlier would have still, we felt, put systems at risk."
According to U.S. law enforcement, the Hive ransomware group targeted more than 1,500 victims around the world and received over $100 million in ransom payments, beginning in June 2021.
American officials said the FBI penetrated Hive's computer networks in late July 2022, captured its decryption keys, and then started offering them to victims worldwide, sparing those victims from paying the $130 million in ransom that had been demanded.
Ransomware deployed weeks after system penetrated
The Newfoundland and Labrador government released a 12-page report on the 2021 cyberattack Tuesday, after Hogan spoke with reporters.
A forensic investigation determined that the earliest evidence of attacker activity occurred on Oct. 15 — more than two weeks before the ransomware was deployed.
According to the report, the attacker successfully initiated a VPN connection to the environment managed by the Newfoundland and Labrador Centre for Health Information, using the compromised credentials of a legitimate user account.
Officials still don't know how those credentials were compromised.
Once inside, the attacker moved laterally, escalated privileges by using an account with administrative rights, and connected to other systems.
Between Oct. 26 and Oct. 29, hackers "exfiltrated" data — including personal information and personal health information — from the system.
On Oct. 30, the cybercriminals deployed Hive ransomware and encrypted numerous systems. According to the report, that resulted in the IT outage, which caused "widespread system disruption and led to the detection of the attack."
Last May, then health minister John Haggie said expenditures related to the cyberattack were just under $16 million.
When asked by reporters Tuesday, Hogan did not have an updated figure for the costs of the attack.
As of December, the number of patients and employees affected by the breach topped 58,000 — more than one in every 10 people in the province.