Cyber Incident Victim: Лекардо Клиник
Date: May 2025
Location: Russia
Summary
A private hospital in Russia's Chuvashia region experienced a multi-day operational shutdown following a cyberattack claimed by pro-Ukraine hacker group 4B1D, which allegedly compromised the clinic director’s account to infiltrate systems. Attackers wiped servers, deleted backups, encrypted data, disabled over 100 computers, and exfiltrated approximately 52,000 patient and staff records—including personal details and billing information—with some records sold on the dark web. Local authorities confirmed the breach targeted patient management software, suspecting broader compromises across clinics using the same systems, while prosecutors launched an investigation into the hospital’s delayed breach reporting and inadequate data security measures. The incident aligns with heightened regional cyber threats, occurring shortly after Chuvashia’s first Ukrainian drone strike, though any connection remains unverified.
Description
On May 12, 2025, Lecardo Clinic, a private hospital in Russia's Chuvashia republic, publicly announced a "technical failure" that resulted in a complete shutdown of its operations. The disruption lasted for three days, significantly impacting the clinic's ability to function. Hospital management stated they were working to restore operations but that the process was taking longer than anticipated, specifically mentioning the need for full software restoration before services could resume. While the hospital itself did not initially confirm a cyberattack as the cause, local authorities subsequently verified that attackers had targeted the software used by the clinic to manage patient records and medical histories. Authorities also expressed suspicion that other private clinics utilizing the same software might have had their data compromised due to the incident. The hospital faced criticism from local media for failing to promptly report the breach to relevant authorities. Reports further indicated that some of the clinic's data had been stored without adequate security measures in place. In response to these security lapses, local prosecutors announced plans to investigate staff compliance with information security regulations. The clinic did not provide immediate comment on these specific allegations.

The pro-Ukraine hacker group 4B1D claimed responsibility for the attack on Lecardo Clinic via Telegram. According to their statement, they gained initial access to the clinic's network by compromising the account belonging to the clinic's director. The group detailed their subsequent actions: wiping the clinic's servers, deleting backup data, encrypting patient information while also exporting it, and disabling more than 100 computers. To substantiate their claims, 4B1D posted samples of the leaked data on their Telegram channel, including an X-ray image of a skull. The group asserted they had obtained personal data belonging to approximately 52,000 individuals, encompassing both patients and medical staff. They further claimed that records for about 2,000 individuals, containing details such as names, phone numbers, service costs, and average bill amounts, had already been sold on the dark web. Neither Lecardo Clinic nor Russian authorities publicly commented on the hackers' specific claims regarding their methods or the data exfiltration. This incident occurred amidst a reported surge in cyber threats targeting Chuvashia, with the republic's digital ministry noting over 2.7 million cyber incidents successfully repelled in 2024 alone. The cyberattack on Lecardo Clinic took place the day after Chuvashia experienced its first Ukrainian drone strike since the onset of the war in Ukraine, which hit an oil terminal in the region; however, no confirmed link between the drone strike and the timing of the cyberattack was established.
