Ransomware group behind 2021 cyberattack on Newfoundland and Labrador health network

ST. JOHN'S, N.L. — The Hive ransomware group was behind the cyberattack that brought Newfoundland and Labrador’s health-care system to its knees in October 2021, officials said Tuesday.

The revelation was the first appreciable bit of information officials have provided about who or what was behind the attack since systems first crashed nearly a year and a half ago.

Justice Minister John Hogan said he was able to reveal the perpetrators because the United States Department of Justice announced in late January that it had dismantled the Hive group, meaning it no longer poses a threat to the province. But he would not say if they demanded a ransom or if a ransom was paid.

"The advice we have from security agencies and from legal authorities and from other groups that have experienced this ... is not to discuss about whether requests have been made, whether payments have been made," Hogan told reporters.

The attack caused widespread outages beginning Oct. 30, 2021, particularly in the Eastern Health authority, which is the province's largest health authority and serves St. John's. Thousands of appointments, from imaging to cancer care, were cancelled while doctors and nurses resorted to pen and paper to keep track of their patients' care.

The hackers broke into the Newfoundland and Labrador Centre for Health Information's system on Oct. 15, 2021, through a virtual private network which they accessed with stolen login information from a legitimate account, Hogan said. It's not known how they got the login details. From there, they gained administrative access and connected to other systems, according to a summary from the Justice Department.

Five days later, the hacker unleashed Hive ransomware and encrypted several systems, which led to the sweeping IT outages, the summary says. There's no evidence that the province's health-care system, nor its centre for health information, was specifically targeted, but the Hive group was known for going after the health sector.

The province has since implemented mandatory multi-factor authentication for all remote connections to all domains managed by the centre for health information.

The province's information and privacy commissioner is also preparing a report about the attack.

The FBI began infiltrating Hive's computer networks in July in order to steal its decryption keys and give them to those who had been targeted by the group, according to a Jan. 26 press release from the U.S. Justice Department.

The release said the group had targeted more than 1,500 victims and received over $100 million in ransom payments since June 2021.

This report by The Canadian Press was first published March 14, 2023.
