While it’s far from uncommon for an organization to announce that it has been hit by a ransomware attack, two in one week is an unusual occurrence. Brazil’s health ministry is facing exactly that situation: it is considering an extended outage of the system that processes Covid-19 vaccination data as it attempts to recover from two major attacks that occurred just four days apart.
It’s still unclear whether the two ransomware attacks came from the same source, but the first may have had an element of activism. A hacking team called Lapsus$Group claimed credit, targeting and deleting vaccination data needed to issue the country’s digital vaccination certificates. The follow-up attack was less successful, but targeted the same data and did enough damage to delay the restoration of Ministry of Health systems.
Health Ministry sends workers home and pulls vaccination data offline after severe attack
The first ransomware attack took place on December 10 and took all Ministry of Health websites offline for a period of time. The Lapsus$ group sent a message to the Ministry of Health claiming credit for the attack, stating that it had extracted some 50TB of data from the Covid tracking program and then deleted it from the agency’s servers.
Since the hackers asked the Ministry of Health to contact them to recover the data, this may be a standard for-profit ransomware attack. But it follows a September attack on Brazil’s Health Regulatory Agency (Anvisa), which came after it was announced that new screening procedures would be applied to international travelers entering the country. That incident was accompanied by Anvisa agents stopping a World Cup qualifier and telling four Argentine players to leave the pitch because they had failed to follow the new protocols.
Either way, the Department of Health has had a terrible year for immunization data security. In November, an employee unwittingly leaked the records of 16 million Covid-19 patients on the internet by uploading a confidential hospital spreadsheet to a public GitHub account; in addition to patient records, the spreadsheet contained usernames, passwords, and private keys used to log into various government accounts. A week later, an additional 243 million patient records were exposed when a web developer left the password to a Department of Health website in the page’s source code.
The Ministry of Health released a statement after the first ransomware attack, saying it had a backup of the stolen vaccination data. This turned out to be rather fortunate, as a second attack followed on December 14, targeting many of the same systems. Although this one does not appear to have ended in data theft or deletion, the ransomware attack took the ConecteSUS app used to track Covid treatments offline for some time. Civil servants were also sent home for at least a day as the system outage prevented them from doing their jobs.
Ransomware Attacks Disrupt Covid Tracking Strategies
The tandem of ransomware attacks has delayed new requirements for international travelers by at least a week. After rejecting the idea of a vaccine passport, the country’s federal government has instead implemented a requirement for international arrivals to self-quarantine for five days and be tested for Covid before being granted free circulation. This plan is largely managed by Anvisa rather than the Department of Health, so the disruption of vaccination data is unlikely to delay it much longer.
For residents of Brazil, the ConecteSUS app targeted by the second ransomware attack is used for personal tracking of Covid-19 tests and status. The app essentially gives them access to their medical records relating to Covid treatment: tests, vaccines taken, periods of hospitalization, and all the drugs they have been prescribed to treat it. The Ministry of Health indicates that the data feeding this application has been preserved, but the application remained unavailable a week after the first attack.
And although the country has decided not to use vaccine passports, the national vaccination certificate available through the app is necessary for things like international travel. Some employers previously had the option of also requiring vaccination data from employees, but this was prohibited by a recent court ruling.
Although ConecteSUS does not appear to have full access to patient medical records, the vaccination data it contains could be dangerous for victims. It provides elements that can be used for identity theft and targeted scams. Hacked medical information is often not used directly, but is instead added to existing information packages sold on the dark web called “fullz”, which are essentially files of public and private information about individuals, largely fueled by data breaches. Once sufficiently complete, these packages can be used for a wide variety of frauds.