Canadian Nurses Association hit by cyber attack

The Canadian Nurses Association says it has suffered a cybersecurity incident, but isn’t commenting on a report that the attack was ransomware.

“We can confirm having experienced an IT security incident on April 3, 2023 which impacted some of our systems,” Alexandre Bourassa, the association’s public affairs lead, said in an email to IT World Canada. “The incident did not impact our operations.”

He was responding to a query about a tweet on Sunday by Brett Callow, British Columbia-based threat analyst for Emsisoft, who said the Snatch ransomware gang now lists the CNA as a victim. Bourassa was told about the tweet but didn’t directly answer whether the attack was ransomware.

The CNA represents 460,000 nurses in all categories — registered, nurse practitioners, licensed and registered practical nurses, and registered psychiatric nurses — across the country. Provincial and territorial nurses’ associations represent members in negotiations with their respective governments.

According to researchers at Sophos, the Snatch malware reboots an infected Windows computer into Safe Mode, where most security software doesn’t run. Then it encrypts the victims’ hard drives. Sophos believes the Snatch gang has been operating since 2018.

At the time of the 2019 Sophos report, the gang commonly penetrated enterprise networks by automated brute-force attacks against vulnerable, exposed services such as Windows RDP (remote desktop protocol). In one incident Sophos investigated, the attackers initially accessed the company’s internal network by brute-forcing the password to an administrator’s account on a Microsoft Azure server, then logged into the server using RDP.

The attackers installed surveillance software on about 200 machines, or roughly five per cent of the organization’s computers, Sophos found. After that, the attackers installed several malware executables, one of which appeared to be designed to give the attackers remote access to the machines without having to rely on the compromised Azure server. The attackers also installed a free Windows utility called Advanced Port Scanner to discover additional machines on the network they could target.
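For defenders, the entry path Sophos describes (a burst of password guesses followed by a successful remote logon) is visible in Windows Security logs. The sketch below is an added example, not code from Sophos or from the original article; the event dictionary fields, the threshold and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624   # Windows Security log event IDs
REMOTE_TYPES = {3, 10}         # 10 = RemoteInteractive (RDP); 3 = network,
                               # which RDP failures show under NLA

def find_bruteforced_logons(events, threshold=10, window=timedelta(minutes=10)):
    """Flag successful remote logons preceded by >= threshold failed
    logons from the same source IP inside the sliding window."""
    failures = defaultdict(deque)          # source IP -> recent failure times
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] not in REMOTE_TYPES:
            continue                       # ignore console/service logons
        recent = failures[ev["ip"]]
        while recent and ev["time"] - recent[0] > window:
            recent.popleft()               # expire failures outside the window
        if ev["id"] == FAILED:
            recent.append(ev["time"])
        elif ev["id"] == SUCCESS and len(recent) >= threshold:
            alerts.append({"ip": ev["ip"], "user": ev["user"],
                           "time": ev["time"], "failures": len(recent)})
            recent.clear()                 # one alert per burst
    return alerts

def build_sample_events():
    """Constructed events for illustration; IPs are documentation ranges."""
    t0 = datetime(2024, 1, 1, 2, 0, 0)
    ev = lambda s, i, ip, user, typ: {"time": t0 + timedelta(seconds=s),
                                      "id": i, "ip": ip, "user": user, "type": typ}
    events = [ev(5 * n, FAILED, "203.0.113.7", "administrator", 3) for n in range(12)]
    events.append(ev(70, SUCCESS, "203.0.113.7", "administrator", 10))
    # Mistyped password, then success: below threshold, must not alert.
    events += [ev(100, FAILED, "198.51.100.20", "jsmith", 3),
               ev(110, FAILED, "198.51.100.20", "jsmith", 3),
               ev(120, SUCCESS, "198.51.100.20", "jsmith", 10)]
    # Guessing with no success: noisy, but no account was compromised.
    events += [ev(200 + n, FAILED, "192.0.2.50", "admin", 3) for n in range(15)]
    # Local console logon (type 2) is out of scope for this check.
    events.append(ev(300, SUCCESS, "203.0.113.7", "administrator", 2))
    return events

if __name__ == "__main__":
    for alert in find_bruteforced_logons(build_sample_events()):
        print(alert)
```

An alert from this check on an internet-exposed server is a reason to reset the account's credentials and review what the session did next.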

According to an April report by researchers at Gridinsoft, a Ukrainian antimalware provider, those behind Snatch usually don’t steal data before encrypting it.

Besides disabling third-party antivirus software, the report says, Snatch ransomware also suspends Windows Defender in a well-known way: by editing Group Policy. To prevent recovery attempts, it also removes Volume Shadow Copies and backups created with basic Windows functionality. This, the report notes, is a common ransomware tactic.

In his response to IT World Canada, Alexandre Bourassa of the CNA said the association immediately launched an investigation and hired leading third-party experts to assist. “As a precautionary measure,” he added, “we notified the appropriate law enforcement authorities. We are unable to provide further details while this investigation is ongoing.

“We are working closely with our industry-leading partners to implement enhanced security measures to protect our systems, and to prevent this type of incident in the future.”

The post Canadian Nurses Association hit by cyber attack first appeared on IT World Canada.
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
