Canadian Nurses Association hit by cyber attack

Share post:

The Canadian Nurses Association says it has suffered a cybersecurity incident, but isn’t commenting on a report that the attack was ransomware.

“We can confirm having experienced an IT security incident on April 3, 2023 which impacted some of our systems,” Alexandre Bourassa, the association’s public affairs lead, said in an email to IT World Canada. “The incident did not impact our operations.”

He was responding to a query about  a tweet on Sunday by Brett Callow, British Columbia-based threat analyst for Emsisoft, who said the Snatch ransomware gang now lists the CNA as a victim. Bourassa was told about the tweet but didn’t directly answer whether the attack was ransomware.

The CNA represents 460,000 nurses in all categories — registered, nurse practitioners, licensed and registered practical nurses, and registered psychiatric nurses — across the country. Provincial and territorial nurses’ associations represent members in negotiations with their respective governments.

According to researchers at Sophos, the Snatch malware reboots an infected Windows computer into Safe Mode, where most security software doesn’t run. Then it encrypts the victims’ hard drives. Sophos believes the Snatch gang has been operating since 2018.

At the time of the 2019 Sophos report, the gang commonly penetrated enterprise networks by automated brute-force attacks against vulnerable, exposed services such as Windows RDP (remote desktop protocol). In one incident Sophos investigated, the attackers initially accessed the company’s internal network by brute-forcing the password to an administrator’s account on a Microsoft Azure server, then logged into the server using RDP.

The attackers installed surveillance software on about 200 machines, or roughly five per cent of the organization’s computers, Sophos found. After that, the attackers installed several malware executables, one of which appeared to be designed to give the attackers remote access to the machines without having to rely on the compromised Azure server. The attackers also installed a free Windows utility called Advanced Port Scanner to discover additional machines on the network they could target.

According to an April report by researchers at Gridinsoft, a Ukrainian antimalware provider, those behind Snatch usually don’t steal data before encrypting it.

Besides disabling the third-party antivirus software, the report says Snatch ransomware also suspends Windows Defender in a well-known way – through editing the Group Policies. To prevent any recovery attempts, it also removes the Volume Shadow Copies and the backups which were created with basic Windows functionality. This, the report notes, is a common ransomware tactic.

In his response to IT World Canada, Alexandre Bourassa of the CAN said the association immediately launched an investigation and hired leading third-party experts for assistance efforts. “As a precautionary measure,” he added, “we notified the appropriate law enforcement authorities. We are unable to provide further details while this investigation is ongoing.

“We are working closely with our industry-leading partners to implement enhanced security measures to protect our systems, and to prevent this type of incident in the future.”

The post Canadian Nurses Association hit by cyber attack first appeared on IT World Canada.
Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Tech Jobs

SUBSCRIBE NOW

Related articles

Cyber Security Today, March 27, 2024 – A botnet exploits old routers, a new malware loader discovered, and more warnings about downloading code from...

This episode reports on a new network of 40,000 infected small and home office routers and other devices that are part of a criminal botnet

Cyber Security Today, March 25, 2024 – A suspected China threat actor going after unpatched F5 and ScreenConnet installations

This episode reports on a new campaign stealing email passwords ,the latest data breaches

A hacker’s view of the civic infrastructure: Hashtag Trending, the Weekend Edition for March 23rd, 2024

What does the civic infrastructure look like through the eyes of a hacker? The legendary general Sun Tzu in the Art of War said that in order to defeat your enemy, you must first understand your enemy. How do you do this? He said, “to know your enemy, you must become your enemy.” If we

Cyber Security Today, Week in Review for week ending Friday, March 22, 2024

This episode features discussion on lessons learned from the ransomware attack on the British Library, advice for managing expectations of IT/security teams, why firms are leaving Google Firebase unprotecte

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways