Largest Croatian hospital under cyberattack

The University Hospital Centre Zagreb (KBC Zagreb) is under cyberattack that started on Wednesday night, the Croatian Radiotelevision has reported.

Croatian hospital cyberattack

Because of the attack, the hospital has shut down its information system and will be switching parts of it online once they are sure it’s safe to do so.

All services are working, but the processing of patients is slower than usual, Milivoj Novak, Assistant Director at the hospital, has said in a press conference.

The hospital’s emergency service and medical laboratories are functioning normally, he said. The slowdown is due to the current impossibility to print out medical reports and staff having to write them by hand. It’s also possible that some patients will be redirected to other hospitals.

Novak has said that patients’ information hasn’t been leaked/exfiltrated – though this is likely a preliminary finding.

DDoS on Croatian institutions

It is currently unknown whether the cyberattack against the hospital involved the deployment of ransomware, and whether it’s connected to yesterday’s DDoS attacks on the websites of several Croatian government and financial institutions: the Ministry of Finance, the Tax Administration, the Croatian National Bank (HNB), the Economic Bank of Zagreb (PBZ), and the Zagreb Stock Exchange (ZSE).

The attacks have been claimed by the pro-Russian NoName057(16) hacker group and have resulted in a temporary unavailability of the institutions’ websites and online portals. The sites are back online now.

Both DDoS attacks and ransomware attacks are sometimes performed as a diversion from the main goal (often: data theft).

Given the current geopolitic situation, it’s also possible that the cyberattack against the hospital is part of the recent Russian sabotage operations targeting European and NATO countries.

Vlatko Košturjak, CTO at Croatian infosec outfit Diverto, says that they have observed a slight increase in DDoS attacks on Croatian infrastructure since their decline in 2021.

“Despite being an older and well-known attack technique, DDoS remains a simple and cost-effective method for attackers to disrupt organizational operations. This uptick highlights the ongoing effectiveness of DDoS attacks, as defending against them requires a systematic approach and close coordination between internet service providers and organizations,” he added.

“New DDoS techniques, such as HTTP/2 rapid reset, are also discovered regularly, adding to the complexity of defense. Moreover, robust DDoS defenses need regular testing to ensure their effectiveness, yet only a few organizations conduct these tests comprehensively and on a regular basis.”

UPDATE (June 28, 2024, 03:10 a.m. ET):

Novak has said that the information system should be back online and working normally on Friday morning.

The nature of the attack has not yet been officially confirmed.

UPDATE (July 2, 2024, 04:15 a.m. ET):

LockBit has claimed the University Hospital Centre Zagreb (KBC Zagreb) as its victim.

The RaaS group say they have exfiltrated:

  • Medical records
  • Patient exams and studies
  • Doctors’ research papers
  • Surgery records
  • Organ, donor and tissue banks data
  • Employee data (addresses, phone numbers, legal documents)
  • Data on donations and relationships with private companies
  • Medication reserve data
  • Personal data breach reports

They threaten to make it public by July 18, 2024, if the ransom isn’t paid. They did not release any data as proof of their claim.



Don't miss