
Cyber Incident Victim: ASL 1 Abruzzo

Date:

May 2023

Location:

Italy

Summary

The ASL 1 Abruzzo was compromised in a ransomware attack claimed by the Monti group, which exfiltrated sensitive patient data. The threat actors asserted they had stolen medical information, including data related to patients with HIV, and threatened to publish it unless a ransom was paid. While the health authority stated its core data archive remained intact and no sensitive information was lost or stolen, the attackers publicized the breach of this highly sensitive data.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Threat Actor Type: Available to members
Threat Actor Location: Available to members

Description

On May 2, 2023, the Azienda Sanitaria Locale 1 Abruzzo, Avezzano Sulmona L'Aquila (ASL 1 Abruzzo), was hit by a significant ransomware attack. The incident was first publicly disclosed by the criminal ransomware group known as Monti, which claimed responsibility for the breach. Initial local media reports had described the event as a disruption in which blocked servers prevented patients from booking medical services through the central booking offices (CUP), forcing dozens of users to be turned away. The criminal group's public claim of the attack and of data theft directly contradicted these earlier reports, which had focused solely on the service disruption.


The Monti group asserted that it had successfully exfiltrated a large quantity of sensitive data from the healthcare provider's infrastructure. The stolen data allegedly included highly sensitive patient health information. The group specifically claimed to possess data related to patients suffering from HIV, indicating the deeply personal and sensitive nature of the information involved. Furthermore, the attackers claimed to have discovered and exploited significant vulnerabilities within the ASL 1 Abruzzo's IT infrastructure, which they stated had allowed for a massive data exfiltration operation to be carried out successfully.

In response to the attack, the leadership of ASL 1 Abruzzo issued public reassurances concerning the integrity of its data archives. It stated that its technical staff, alongside experts from a cybersecurity task force, had immediately begun working to address the incident. These teams conducted a technical analysis of the corporate servers to determine the origin point of the malware that had infected the systems. The management of ASL 1 Abruzzo emphatically stated that no sensitive or health data had been stolen or lost, asserting that the digital archive remained intact. This claim was attributed to a backup system that had apparently preserved the primary data repository from encryption or destruction.

Despite the organization's assurances regarding the integrity of their primary data archive, the criminal group's claims pointed to a separate and severe impact: the theft of patient data. The Monti group threatened to publish the stolen information online, making it available to anyone, should the demanded ransom not be paid. This created a significant threat of the exposed data being misused for criminal purposes, given that it contained details of patient illnesses, including severe conditions. The potential exposure of such sensitive health information represents a grave consequence, as individuals lose all control over their personal data once it is in the hands of unauthorized third parties.

The incident highlighted the dual nature of modern ransomware attacks, where the primary impact extends beyond the encryption of systems and service disruption to include the theft of data. The service disruption initially reported caused tangible operational problems, preventing patients from scheduling medical appointments and accessing services. However, the potential long-term consequences of the data theft were assessed as having an even greater severity. The public exposure of medical conditions could have profound implications for the affected patients, constituting a major privacy violation and a source of potential harm.

The response actions involved a concerted effort by internal IT technicians and external cybersecurity experts, focused on forensic analysis to understand the attack's scope and origin. The work aimed to contain the incident and restore normal operations as quickly as possible. While the organization expressed hope for a swift resolution of the technical problems, the situation remained dynamic as investigations continued. The contradiction between the official statements from the ASL, which denied any data loss, and the claims of the attackers, who stated they had exfiltrated sensitive data, defined the public understanding of the event. The gravity of the attack was considered substantial because of the nature of the data involved and the potential for its public release, which would make the information available to any malicious actor. The incident underscored the critical importance of protecting personal data, especially sensitive health information, and the severe repercussions that can arise from a failure to secure it.

Sources
Sources available to members
1 source