Cyber Incident Victim: Mutuelle Nationale des Hospitaliers et des professionnels de la santé et du social
Date: Feb 2021
Location: France
Summary
MNH experienced a cyberattack attributed to the RansomExx threat actor, prompting the organization to disconnect its systems to contain the incident. The attack caused widespread service disruptions, including unavailability of websites, member portals, and telephone platforms, leading to extended processing delays for customer requests. External data analysis suggested potential prior exploitation of a critical Citrix/Netscaler vulnerability (CVE-2019-19781), though the mutual did not confirm the specific breach vector. Management acknowledged operational impacts and committed to transparent communication during recovery efforts to restore affected services.
Description
On February 5, 2021, the Mutuelle Nationale des Hospitaliers et des professionnels de la santé et du social (MNH) experienced a cyberattack that disrupted its operations. The organization publicly disclosed the incident, confirming that its computer systems had been disconnected as a security precaution. This action resulted in the immediate unavailability of critical services, including the primary website (mnh.fr), the members’ area portal, correspondent and elected official extranets, and the telephone support platform (3031). The disruption caused extended processing delays for member requests and inquiries. MNH leadership, including Chairman Gérard Vuidepot and CEO Médéric Monestier, acknowledged the inconvenience to stakeholders and committed to providing transparent updates via their website. Internal teams prioritized restoration efforts, though no specific timeline for service recovery was provided in the initial statement. The organization did not initially disclose the nature of the attack or whether data exfiltration occurred.

Technical analysis by LeMagIT suggested potential exploitation of a known vulnerability in Citrix/Netscaler Gateway systems (CVE-2019-19781), commonly referred to as "Shitrix," which had been patched by Citrix in January 2020. Evidence from internet scanning data indicated MNH’s systems might have remained vulnerable until at least January 15, 2020, creating a potential attack vector. LeMagIT noted that MNH’s email systems utilized Proofpoint protections, reducing the likelihood of email compromise as the initial entry point. The analysis drew parallels to the Dassault Falcon Jet incident, where attackers reportedly exploited the same vulnerability months after initial access was established. BleepingComputer subsequently attributed the attack to the RansomExx ransomware group, though MNH did not confirm this attribution or disclose whether ransomware deployment occurred. The article also referenced a contemporaneous ransomware attack against polling firm BVA, though no direct connection to the MNH incident was established. Service restoration progress and any confirmed data compromise remained unverified in the available reporting.
