A notorious organized cybercrime gang called Daixin Team has claimed responsibility for stealing millions of records from five southern Ontario hospitals and leaking them online after officials would not submit to ransom demands.
The organization claims to possess large amounts of data it stole from hospitals in Leamington, Windsor, Sarnia, and Chatham-Kent.
The Windsor Star has obtained a purported link to the leaked information, which is posted on the dark web. The link indicates that users can obtain personal information related to patients of the five hospitals.
The hospitals confirmed Thursday that data from the cyberattack was published, though they did not confirm the perpetrators were with Daixin Team, which reportedly has links to China.
But Windsor Regional Hospital CEO David Musyj said the blackmailers are part of a well-organized operation.
“The cyberattack is not one person in their basement on a computer,” he said Thursday during a hospital board meeting. “The perpetrators are a sophisticated web of people who extort the healthcare sector. They target us while we are caring for our most critically ill. They attack hospitals while we are emerging from a worldwide pandemic. We are not the first healthcare system to be struck by these bandits and will not be the last.”
Sarnia’s Bluewater Health, Chatham-Kent Health Alliance, the Windsor-Essex hospice, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, and Windsor Regional Hospital are still locked out of some of their systems following the Oct. 23 cyberattack. Even the hospital websites were still down on Thursday.
Along with shutting down digital and technology-based systems at the hospitals, the blackmailers also stole large amounts of personal information about staff and patients. When the hospitals would not bend to ransom demands, the criminals started posting stolen data online.
Local police departments, the Ontario Provincial Police, the FBI, and INTERPOL are all involved in the criminal probe.
Daixin has previously taken credit for many other similar cyberattacks against organizations including a German water metering company, low-cost airline AirAsia, Missouri’s Fitzgibbon Hospital, and OakBend Medical Centre in Texas.
“Daixin has been operating since the middle of last year, and has previously targeted multiple other organizations in the healthcare sector,” said Brett Callow, a threat analyst with the international cybersecurity firm Emsisoft Ltd. “The individuals behind it were likely previously involved with other ransomware operations, and still may be. This is not the first time hospitals have been targeted and, unfortunately, it will not be the last. It’s not a matter of if another hospital will be hit, it’s a matter of when.”
After infiltrating the hospitals’ technology systems, hackers blocked their access to Wi-Fi, email, and patient information systems, causing upheaval and stress for thousands of patients across southwestern Ontario.
The attackers locked the hospitals out of their own systems by targeting TransForm Shared Service Organization, which runs technology systems for all five facilities.
Musyj said the hospitals still don’t know how much data was taken. But he added that an investigation is underway and they hope to have more information on that soon.
“The bad actors have published some of the data they stole,” he said. “They did this because we would not succumb to their ransom demands. We closely examined whether to pay, but we knew, and our experts and law enforcement all confirmed, that we cannot trust the promise of criminals to delete this information. We learned that payment would not speed up the safe restoration of our network, and so we did not pay.”
Musyj said that decision falls in line with a joint statement issued Wednesday by the 50 members of the International Counter Ransomware Initiative, including Canada, that have pledged never to pay ransom to cybercriminals.
Despite that pledge, Callow said governments around the globe have failed to do enough to stop cybercriminals.
“Governments have failed to get a handle on ransomware and the situation is now as bad as it’s ever been, perhaps worse,” he said. “We desperately need new strategies to counter the problem as the current ones very clearly are not working. I believe the time has come for governments to seriously consider banning ransom payments or, at least, imposing significant restrictions on the circumstances in which they can be paid. The attackers are financially motivated, and less money would mean fewer attacks.”
Given their willingness to shut down vital hospital systems and expose patient data, Callow said the hackers have the ability to devastate the healthcare system.
“The most concerning aspect of these incidents is the potential for patient care to suffer, perhaps with fatal consequences,” he said. “If doctors are without access to critical systems and patient information, it’s likely that the quality of care will suffer. And not necessarily only at the affected hospitals. Nearby hospitals may also be impacted, as they may need to take on additional patients at a time when their resources are already stretched very thin.”
The U.S. government’s Cybersecurity and Infrastructure Security Agency issued an advisory about Daixin Team last year.
The agency said Daixin is a cybercrime group that is actively targeting businesses, predominantly in the Healthcare and Public Health (HPH) sector, with ransomware and data extortion operations.
The U.S. agency said Daixin works by deploying ransomware to encrypt servers responsible for healthcare, including electronic records, diagnostics services, imaging services, and intranet services.
The gang has also “exfiltrated” personally identifiable information and patient health information, and threatened to release the information if a ransom is not paid, the agency said.
“The Daixin Team is a ransomware and data extortion group that has targeted the HPH Sector with ransomware and data extortion operations since at least June 2022,” the agency said. “Since then, Daixin Team cybercrime actors have caused ransomware incidents at multiple HPH (Healthcare and Public Health) Sector organizations.”
Callow said hackers in these cases often post the stolen information at a URL where the file is so large that it is difficult to download, which might limit the number of people who can access it.
“Hopefully the actual impact to individuals may not be too bad,” he said. “That said, hope for the best and plan for the worst. You should assume that information may be misused by cyber criminals, so strategize accordingly.”
— with files from Madeline Mazak