Hive threat group post Macquarie Health PIIs on dark web

News / Hive threat group post Macquarie Health PIIs on dark web

Hive threat group post Macquarie Health PIIs on dark web

Hive, the threat group apparently responsible for ransomware attack on Macquarie Health Corporation, an Australian healthcare firm which operates a number of private hospitals in Sydney and Melbourne, were discovered bragging on their dark web site about leaking sensitive documents containing patients’ PIIs. 

Macquarie Health Corporation confirmed on their site on Thursday that they had experienced a cyber attack and that their “MHC IT systems have been taken off-line as a precaution”, although stated “The incident has not impacted our ability to deliver patient care”. Today, the Sydney-based company released another statement, saying that they are “still experiencing significant impacts related to the cyber incident”. 

They also thanked their staff “for their hard work continuing to deliver patient-centred care with many of our systems remaining offline” and apologised “for any inconvenience this disruption may cause”. 

Hive, a ransomware double-extortion group known for specifically targeting Microsoft Windows operating systems, claims responsibility, advertising that they have stolen over 225 gigabytes of data from Macquarie Health Corporation cyber attack.  

Scope of data breach 

Hive have claimed on the dark web that they’ve got access to more than 119,000 files from the ransomware attack, totalling 225GB. The exfiltrated data allegedly affects over 6700 people and includes PIIs such as: 

  • Medical records, research and personal data. 
  • Financial documents. 
  • Bank balances. 
  • Tax deductions. 

The threat actors also claim they’ve obtained  “more than 1000” passwords, including for services like Amazon, PayPal and Facebook. This falls in line with what cybersecurity researchers have said about the leaked data including 3rd party companies, as well as possible government agencies. 

According to NCA NewsWire, medical and legal documents containing highly sensitive PIIs have been posted to the dark web. One said document containing the PIIs of a woman from New South Wales, including her medical history, name and birth date. 

This information can be used to facilitate malicious actors in phishing and fraud. 

The wealth of possible information leaked is large, although not unprecedented. Ransomware groups like Hive are known for not only encrypting an organisation’s systems and servers, but also stealing sensitive, valuable data as part of a double-extortion tactic to further pressure their victim into paying the ransom by threatening to sell or outright leak it on the internet. 

Increased attacks on health sector 

The health sector has seen big increases in cyber attacks against the health sector, going up by 45 percent since November 2020. Part of the reason why the health sector is considered such an optimal target for threat actors is because of stretched budgets and low investiture in cybersecurity, as well as outdated systems, making them an easy target for malicious actors. 

Cyber attacks are very devastating for the sector and hospitals who suffer such attacks have been linked to increases in complications and death rates for patients. This makes them an especially egregious target, especially in light of the Covid-19 pandemic, and is why they fall under CISA’s critical infrastructure sectors

A number of prolific threat groups have claimed that they will forgo targeting hospitals and some even say that if a hospital is attacked a decryptor will be offered for free. Despite this supposed honour-among-thieves approach to hacking,  cyber attacks against hospitals and health organisations in general continue to increase. 

Some of these attacks have even come from the very threat groups who have previously claimed the sector wouldn’t be targeted by them, further emphasising that the words and morals of any cybercriminal cannot, in any way, be counted on. 

While Hive is not considered at the moment one of the most major ransomware groups out there, especially in comparison to more sophisticated threat groups like DarkSide, a threat group infamous for its role in the US Colonial Pipeline ransomware attack back in May, they have made a name for themselves in how relentlessly and remorselessly they target the health sector. 

The group has made victims out of 30 organisations so far and the list is still growing. 

This latest attack on the Macquarie Health Corporation continues Hive’s MO of going after the health sector. Back in August, the threat group hit an Ohio-based health system with their ransomware, and more recently, in September, attacked a Missouri Medical Centre. While it’s a high-risk strategy that brings a lot of attention, threat actors know hospitals have the added pressure of their patients' lives to consider when debating on whether or not to pay ransoms. 

At time of publication, Macquarie Health Corporation have not confirmed if the extent of the PIIs breached is what the hackers have claimed, although have said that North South Wales Police have yet to be officially informed of the cyber incident.

How secure is

your business?

Security test

How secure is

your business?

Security test