Cyber Incident Victim: Brazil Ministry of Health
Date: Dec 2021
Location: Brazil
Summary
A ransomware attack targeted Brazil's Ministry of Health, causing widespread disruption to its digital health services, including systems managing COVID-19 vaccination certificates and public healthcare data. The Lapsus$ Group claimed responsibility, alleging extraction and deletion of approximately 50TB of data while demanding contact for its return. Critical platforms like ConecteSUS became inaccessible, though officials asserted backup availability for the compromised information. Authorities including the National Data Protection Authority, Institutional Security Office, and Federal Police initiated investigations. This incident followed prior security failures involving massive leaks of citizens' personal and health data due to credential mismanagement, occurring amid heightened demands for vaccination verification protocols in response to emerging COVID-19 variants.
Description
On December 10, 2021, Brazil's Ministry of Health experienced a significant ransomware attack that disrupted critical healthcare services nationwide. The incident began around 1:00 AM local time when threat actors compromised multiple government health systems, including the ConecteSUS platform used for tracking COVID-19 vaccination records and public healthcare interactions. Attackers affiliated with the Lapsus$ Group claimed responsibility, leaving a message stating they had extracted approximately 50TB of data from ministry systems before deleting it. The message included contact details and a demand for negotiation to restore the stolen information. By 7:00 AM, authorities had removed the hackers' message from affected systems, but all Ministry of Health websites and the ConecteSUS mobile application remained inaccessible, paralyzing access to digital vaccination certificates and public health records. The attack occurred amid heightened political pressure on Brazil's government to implement COVID-19 vaccination certificate requirements for international travelers, a policy response to the emerging Omicron variant.

Brazilian Health Minister Marcelo Queiroga publicly confirmed the ministry maintained backups of the compromised data, though the operational impact persisted due to system unavailability. The National Data Protection Authority (ANPD) initiated an investigation, coordinating with the Institutional Security Office and Federal Police to assess the breach. This incident followed a September 2021 attack on Brazil's Health Regulatory Agency (Anvisa) that targeted traveler health declarations, which had occurred shortly after a controversial interruption of a Brazil-Argentina World Cup qualifier match over COVID-19 protocol violations. The Ministry of Health had previously experienced multiple major security failures, including a November 2020 leak of personal and health data for 16 million COVID-19 patients through a GitHub exposure, and a subsequent incident exposing sensitive information of 243 million Brazilians due to credentials being embedded in a government website's source code for six months. System restoration efforts and forensic investigations continued following the December ransomware attack, with no immediate resolution timeline provided by authorities.
