Cyber Autopsy Series: The Covid Vaccination Registration Portal of Italy

Editor’s Note: October marks National Cybersecurity Month, a full month dedicated to creating a more cyber-secure world for us all. Previously, we gave you 31 tips to help you #becybersmart. This year, to bring attention to this important matter, we’re adding several new cases to our Cyber Autopsy file, which could have been prevented had there been better defenses in place. Join us every Friday in October to read about one of these notorious cyber attacks and stick around for insights and learnings that may just keep your name off the list.

Cyber Victim:

The Vaccination Registration Portal for COVID-19-in Italy. Hosted on the website of the Rome region in Italy and considered one of the largest online booking sites, it was used by thousands of Italians to get vaccinated. This attack echoes other operations related to the Covid-19 vaccine or the European health pass.

Case Details: 

This attack against the government and in the context of the health crisis is considered the most important cyber attack against Italian public administration institutions. By breaking into the platform, the hackers managed to block its services and used a ransomware to demand payment in return for data. “This is a very powerful hacking attack, very serious, and everything failed,” stressed Lazio’s health director Alessio d’Amato. The hackers gained access to the personal data of Italian citizens who were waiting for their vaccination appointments, but the authorities said no data was stolen.

Cyber History: 

Previously, the vaccination registration portal had never been attacked, but according to data from the Italian Cybersecurity Association, there were about 1,900 serious cyber attacks against the Italian public domain in 2020, 10% of which were related to COVID-19. Worldwide, there was an explosion of these types of attacks on data and platforms related to vaccination or health passes in 2021. This was the case for Walgreen’s, a group of American pharmacies, whose database containing lists of people who have been vaccinated was hacked. There was also the more recent hacking of past health sales in Europe.

Descriptions of Events: 

The vaccine portal attack took place on the night of July 31, 2021. Citizens who wanted to log on to the Salute Lazio (Lazio Health) site after midnight were presented with the message “Bad Gateway.” Computer experts immediately realised that a ransomware virus, usually designed to obtain a ransom from the company they had infected, had been launched. To make matters worse, there was some evidence that the virus belonged to the “cryptolocker” family, which is considered one of the most powerful. As a result, the hackers were able to encrypt files and block all system activity, including the Covid-19 vaccine booking centre. The infected site was immediately isolated.

Systems/Parties Impacted: 

The damage caused by the attack was immediate. For several days, the region was unable to hold vaccination appointments, even though Rome had hoped to vaccinate 80% of 12-18 year olds before the start of the school year. The activities of 80 centres decreased and many people who had been vaccinated a few days before the attack were unable to obtain the famous “health pass” allowing them to travel. But the damage goes far beyond that, as the website contained the private data and medical records of 5.8 million Italians. However, the authorities said no data was stolen.

Mode of Entry: 

According to sources reported by BleepingComputer, a cyber group known as RansomeXX planned the attack. According to reports, in the extortion letter, the attacker provided Lazio with a link to a Dark Web page in order to communicate with the cyber crooks. The hacker used the access code of one of the system administrators to break into the platform, making all data on the website difficult to understand. Officials in the region shut down the system, fearing that the “lock code” would attack the remaining backups. 

The RansomeXX ransomware-as-a-service (RaaS) operation, formerly known as Defray777, has been active since 2018 but came to prominence in 2020 after attacks on large organisations, including the Texas Department of Transportation.  RansomeXX began as a Windows variant, but a Linux variant was discovered in January 2021. The ransomware is usually delivered as a secondary payload in memory without ever hitting the disk, making it harder to detect and very evasive. In February 2021, the RansomeXX ransomware hit the Mutuelle Nationale des Hospitaliers (MNH), a French health insurance company, severely disrupting its operations.

What is most curious and worrying about this attack is that it does not appear to be isolated. According to Chuck Everette, Director of Cyber Security Defence at cyber security firm Deep Instinct Ltd, “the attack on the Lazio vaccine portal appears to be part of a supply chain attack and is therefore not an isolated incident. As this attack is part of a wider campaign, it is likely to cause further concern to other government agencies and health organisations around the world.”

Final diagnosis: 

So, ransomware? Political terrorism? Authorities are wondering. Cybercrime is a growing scourge. According to the European cybersecurity agency, 10 billion euros in ransom was paid out worldwide by companies in 2019. Dozens of hospitals around the world, in Australia, France, Ireland or the United States, have been held to ransom and the main networks located in Ukraine, Russia, Taiwan or Vietnam are known. 

However, the case of Lazio is intriguing. By attacking the health system in the midst of the Covid pandemic, the hackers put themselves in the spotlight. Negotiations to obtain a ransom need discretion, as no institution wants to give the impression of submitting to the offenders. In addition, the attack took place five days before the mandatory “green pass” for enclosed public spaces and for travel came into force. The political battle is raging: the “no vax” and the “no green pass” movements are demonstrating every day. The attack on the Salute Lazio platform could therefore be an act of political terrorism carried out with the collaboration of cybercriminal mercenaries recruited on the Dark Web.

We may never know the full story but the warning signs for public healthcare institutions are clear.