Date: Dec 2020

Location: Lithuania

Summary

The Lithuanian National Center for Public Health (NVSC) and multiple municipalities experienced a network compromise via Emotet malware delivered through malicious email replies mimicking prior legitimate correspondence. Attackers used password-protected archive attachments to evade detection, leading to infected systems distributing additional malware and fraudulent emails across institutional networks. The NVSC temporarily disabled its email systems to contain the infection while collaborating with national cybersecurity agencies to remediate affected infrastructure and restore services. This incident marked the second major Emotet campaign targeting Lithuanian state entities within months, following similar tactics observed in earlier attacks leveraging reply-chain hijacking to enhance credibility.


Description

In late December 2020, Lithuania's National Center for Public Health (NVSC) and multiple municipal networks experienced a significant cybersecurity incident involving Emotet malware. The infection originated from a large-scale campaign targeting Lithuanian state institutions, where attackers sent malicious emails disguised as replies to prior legitimate communications. These emails contained password-protected archive attachments, with passwords included in the message body to bypass anti-malware detection. When recipients opened these attachments, the Emotet malware infiltrated internal networks, subsequently downloading additional malicious files. Compromised systems began sending fraudulent emails and conducting other malicious activities, primarily targeting Lithuanian government officials, ministry representatives, and epidemiological diagnostics experts who had previous email correspondence with NVSC personnel. The Lithuanian National Cyber Security Center (NKSC) identified the attack vector as leveraging stolen email reply chains, a known Emotet tactic previously employed by other malware families like Qbot and URSNIF to enhance credibility.

The NVSC temporarily disabled its email systems on December 29, 2020, to contain the malware’s spread. Response efforts involved NVSC IT specialists collaborating with Lithuania’s Central State Telecommunications Center and the NKSC to disinfect affected systems, restore email functionality, and recover communications data. This marked Lithuania’s second major Emotet incident in 2020, following an October campaign that prompted the NKSC to issue advisories recommending Sender Policy Framework (SPF) email authentication. The malware, operated by the TA542 threat group, delivered secondary payloads including QakBot and Trickbot trojans—both associated with ransomware deployment. The disruption occurred amid Emotet’s global resurgence after a six-week hiatus, with Microsoft documenting similar tactics in concurrent campaigns using forged reply-chain emails and macro-enabled document payloads. The incident impaired NVSC’s operational communications during a critical period of public health engagement.
