During 2021 the number of cyber-attacks toward the Italian healthcare sector increased by 24.8% compared to 2020 figures, making it 13% of all targets hit by attackers during 2021.
The attacks range from the infamous combination of phishing emails and ransomware (the examples below were all carried out with these techniques) to the falsification of Green Pass documentation. For the latter, the CLUSIT 2022 report pointed out the theft of pharmacists' credentials in six Italian regions, with the aim of using those credentials to access the web portals of those regions. From there, attackers used lateral movement to generate false documentation robust enough to trick the official Italian app for checking vaccination documentation.
According to the Healthcare Cybersecurity paper written by Bitdefender for the 2021 Healthcare Security Summit, the lack of resources, training and attention to the topic is clear: in May 2021, 93% of healthcare companies (both public and private) reported having been hit by at least low-impact attacks. This number isn't surprising when compared to other sensitive sectors, but the lack of response to the issue is another story. Some figures from the paper follow:
Three exemplary attacks during last year – The Lazio’s region portal
The attack was deployed on the 1st of August. It was carried out from the terminal of an employee of a sub-contractor of Regione Lazio, specifically Laziocrea SpA (a company managed by Regione Lazio). The subcontractor Engineering Ingegneria Informatica SpA was hit by another attack on the 30th of July of the same year, from which attackers could have stolen VPN passwords in order to be recognized by Laziocrea as a legitimate user. The uncertainty remains even 9 months after the attack, with little to no effort by Regione Lazio to shed light on the incident. The elevation of privileges from the stolen credentials of the mentioned employee was made possible either by a known Windows vulnerability (the Windows print server bug) or by an error in the design of the security infrastructure.
The target of the attack was 10 years of regional documentation, lost forever (unless the ransom is paid) because the regional entity had no backup plan in place. Citizens' personal healthcare data was not affected, as it was stored on another server unit not touched by the attack.
Three exemplary attacks during last year – The Ulss 6 Euganea of Padua
On the 3rd of December 2021, an attack was carried out against the Ulss 6 Euganea of Padua; the ransomware used was LockBit 2.0 and, consequently, all personal data of Ulss citizens was stolen. On the 20th of January 2022, Regione Veneto issued a press release stating that the ransom gang's blog had been deleted. This was the last notice from Regione Veneto about the incident. The way the aftermath of the incident was handled by the authorities was definitely better and more in line with the GDPR and the NIS directive than the handling of the Regione Lazio incident. The healthcare facility had a backup system which allowed the systems to be rebuilt up to 100%. Despite these efforts, the way intruders gained access to the system was not disclosed and was simply marked as unknown. One can only speculate about the most popular techniques (usually, but not always, relying on basic social engineering).
After the incident, a plan to strengthen all regionally managed cyber infrastructure was announced, in line with the national commitment to tackling the most common cyber threats and to raising awareness of those threats among public employees.
Three exemplary attacks during last year – The Asl 3 of South Naples
On the 8th of January 2022, Asl 3 of south Naples released a message announcing the suspension of the booking service for swabs and Covid vaccines. The communication released by the public entity was not definitive, and no further details on how intruders entered the system were released afterwards. The attackers' aim was to install ransomware; the attack was claimed by the ransom gang Sabbath. The malware was able to encrypt 42 Hyper-V servers that virtualized 240 servers; these statements, with supporting evidence, were released by the criminals, not by the regional or national authorities.
In this case, contrary to the Padua one, there was no transparency about the breach. Cascading effects were seen on the public entity's employees, who did not receive their paychecks on time the month after the attack. This suggests that at least the employees' working data were stolen and that no backups were present.
Currently, the situation in Italian public sector entities is definitely compromised by these and similar cases, given the way incidents are handled. Proper transparency and disclosure seem to take place only when virtuous public managers decide to provide them. Despite the Italian government's claims that it would increase attention on local entities, no changes in laws or policies have been released.
Author: Francesco Citti