After the hacker attack on the University Hospital in Düsseldorf, a possible trail of the perpetrators leads to Russia, according to the Ministry of Justice.
The hackers had introduced a malware called "DoppelPaymer" into the system. This so-called encryption trojan had already been used in numerous other cases worldwide against companies and institutions by a hacker group which, according to private security companies, is said to be based in the Russian Federation. This was announced by the North Rhine-Westphalia Ministry of Justice in a report to the state parliament's Legal Committee.
According to the report, the investigators now know that the hackers first smuggled a so-called "loader" into the university hospital's system in order to download the actual malware later. The report left open when that happened. The Federal Office for Information Security (BSI) announced last week that the corresponding security hole in a widely used program from the company Citrix had already been known since the turn of the year.
The U.S. software maker had reportedly warned of a vulnerability in several of its products on 17 December 2019. The BSI reported this in January. According to its own statements, the university hospital reacted immediately at the time. Two specialist companies had checked the system again, with no indication of any danger from the now closed security hole.
Apparently, the "loader" had been lying dormant on a server of the university hospital. The actual attack by the downloaded encryption software happened only on the night of 10 to 11 September. 30 servers of the university hospital were encrypted by the malware, although the hackers probably actually wanted to attack the University of Düsseldorf, to which they had addressed a digital blackmail letter. When the police informed the hackers of their suspected error, the perpetrators handed over a digital key to get the hospital up and running again.
According to the report to the state parliament, investigators suspect that the university hospital could have been the victim of a "worldwide commercial malware campaign". A spokesman for the Central and Contact Point for Cybercrime (ZAC) at the public prosecutor's office did not provide further details on Tuesday. According to statistics from Temple University in the U.S., the frequency of attacks with extortion software this year is at its highest level since 2013. However, only publicly known hacker attacks were counted. Investigators assume there is a high number of unreported cases in which, for example, companies simply comply with the extortionists' demands.
Meanwhile, the investigation into the suspected involuntary manslaughter of a patient continues, according to the ZAC spokesman. The woman had been taken to a hospital in Wuppertal instead of the nearby university hospital and had died. Decisive for the charge of involuntary manslaughter is, among other things, whether the woman would have had a chance of survival had she been taken to the university hospital.
Meanwhile, the hospital's IT is still not fully operational. According to a spokesman, the state capital's large hospital expects that the central emergency room may be able to resume its services this week. However, not all of the corresponding systems have been restarted yet.