While it is far from uncommon for an organization to announce that it has been hit by a ransomware attack, two in one week is an unusual event. Brazil’s Health Ministry is looking at extended downtime for the system that processes Covid-19 vaccination data as it attempts to recover from this exact situation, dealing with two major attacks that came just four days apart.
It is still unclear if the two ransomware attacks came from the same source, but the first may have had an element of activism to it. A hacking outfit called Lapsus$ Group claimed credit, targeting and deleting the vaccination data needed to issue the country’s digital inoculation certificates. The follow-up attack was less successful, but targeted the same data and did enough damage to delay the restoration of Health Ministry systems.
Health Ministry sends workers home, pulls vaccination data offline after serious attack
The first ransomware attack came on December 10 and took all of the Health Ministry’s websites offline for some time. Lapsus$ Group sent the Health Ministry a message taking credit for the attack, claiming that they extracted some 50 TB of data from the Covid-tracking program and subsequently deleted it from the agency’s servers.
As the hackers asked the Health Ministry to contact them to recover the data, this may have been a standard ransomware attack for profit. But it follows a September attack on the Brazilian Health Regulatory Agency (Anvisa) that came after an announcement that new screening procedures would be applied to international travelers entering the country. The incident was famously accompanied by Anvisa agents stopping a World Cup qualifier match and telling four players from Argentina to leave the pitch due to not following the new protocols.
Whatever the case, the Health Ministry has had a terrible year for security related to vaccination data. In November, an employee unwittingly leaked the records of 16 million Covid-19 patients to the internet when they uploaded a confidential hospital spreadsheet to a public GitHub account; the spreadsheet contained usernames, passwords and private keys for logging into various government accounts in addition to the patient records. A week later, 243 million more patient records were leaked when a web developer left the password to a Health Ministry website inside the page’s code.
The Health Ministry issued a statement after the first ransomware attack, saying that it had a backup of the stolen vaccination data. That turned out to be quite fortunate, as a second attack followed on December 14 that targeted many of the same systems. While this one does not appear to have ended in data theft or removal, the ransomware attack did take the ConecteSUS app used to track Covid treatments offline for some time. Civil servants were also sent home for at least a day as the system outage made it impossible to do their jobs.
The pair of ransomware attacks has delayed the new requirements for international travelers for at least a week. After rejecting the idea of a vaccine passport, the nation’s federal government instead implemented a requirement for international arrivals to quarantine for five days and be tested for Covid before being granted free movement. This plan is largely being handled by Anvisa rather than the Health Ministry, so it is unlikely that the disruption to vaccination data will delay it much longer.
For Brazil’s residents, the ConecteSUS app that the second ransomware attack targeted is used for personal tracking of Covid-19 testing and status. The app essentially provides access to their medical records related to anything involving Covid treatment: tests, vaccines taken, periods of hospitalization and any medicines they have been prescribed to treat it. The Health Ministry says that the data feeding this app has been backed up, but the app remains unavailable a week after the first attack.
And though the country has decided against the use of vaccine passports, the National Certificate of Vaccination available through the app is needed for things like international travel. Certain employers had previously been able to require vaccination data from employees as well, but this was prohibited by a recent court ruling.
Though ConecteSUS does not appear to have complete access to patient medical records, the vaccination data it does contain could be dangerous to victims. It provides elements that can be used for identity theft and for targeted scams. Hacked medical information is often not used directly, but is added to existing packages of information on the dark web called “fullz” that are essentially dossiers of public and private information on individuals that are largely fed by data breaches. Once complete enough, these packages can be used for a broad variety of fraud.