A cyberattack occurred on Friday, November 15, 2019 at the University Hospital Center (CHU) of Rouen. Two weeks later, light is slowly being shed on this event, which required "stopping all computer systems" without "endangering the lives of patients".
The computer attack on the CHU does appear to be of criminal origin. For the moment, State responsibility is therefore ruled out. "The software that has blocked all the systems is software whose purpose is criminal. It has spread through the hospital's standard office IT, but also into systems used for medical imaging and analyses", said Guillaume Poupard, director of the National Agency for the Security of Information Systems (ANSSI), on France Culture on November 24, 2019.
At issue: the "Clop" ransomware
ANSSI was able to provide more details on this cyberattack. "These attacks appear to be the result of a large phishing campaign that took place around November 16, 2019 and is related to the cybercrime group TA505", the agency revealed in a report published on November 22, 2019. The ransomware paralyzed the system by encrypting all the files it contained. It affected the applications used for operating theatre management, pharmacies and prescriptions, patient admissions and emergency department follow-up. It then offers to provide the victim with the key needed to decrypt the data, in exchange for a ransom payable in bitcoins (and thus impossible to cancel once paid).
This group has been active on the web since 2014. It mainly targets finance, retail and government institutions and, more recently, the energy, research, aviation and health sectors. Its favorite tool is the "Clop" ransomware. It encrypts the documents stored on the information system and adds the extension ".CIop". It does not encrypt right away, but a few days after the intrusion. During this time, the attackers manually propagate the malware within the victim's network. Clop is most often deployed at the start or on the eve of a weekend, at a time when teams are necessarily less responsive.
An investigation in progress
Authorities lack information about these cybercriminals. According to ANSSI, they have significant capacity for action, which raises questions about "the group structure, which could include several sub-groups or involve collaboration with other The only thing the authorities are sure of is: "they speak Russian", said Chris Dawson, threat intelligence officer for Proofpoint, a company interviewed by Le Monde. Many points still remain to be clarified, but the investigation opened by the Paris public prosecutor's office on November 18, 2019 should help. This procedure was entrusted to the specialized cybercrime unit of the National Police and to the Regional Criminal Investigation Department of Rouen.