Major revelation in hack on critical South African healthcare service


The BlackSuit hacking group that attacked South Africa’s National Health Laboratory Service (NHLS) reportedly stole around 1.2 terabytes of data, including third-party, client, and patient information.

This is according to Check Point workspace solutions architect Shayimamba Conco, who said situations like these can force institutions like the NHLS into a corner to give in to a ransom.

Speaking to 702, Conco said ransomware attacks in today’s age can have far more significant consequences than “traditional ransomware attacks”.

“You’ll find the main focus will be the financial incentive,” he said.

“When it comes to ransomware attacks, it’s no longer traditional ransomware attacks whereby data is just encrypted.”

“You’ll find now you’ve got double extortion or even to the level of triple extortion,” added Conco.

Ransomware attacks typically involve encrypting the victim’s data and extorting them for a decryption key.

Attackers also often exfiltrate sensitive data and threaten to leak it online unless the victim pays.

Conco said roughly 1.2 terabytes of data was stolen in the NHLS ransomware attack.

“All this data, you’ve got third-party information, your customers, your clients, your patients, and so forth,” said Conco.

“You’ll find that the institutions are pushed into a corner to essentially give in to the ransom.”

The NHLS shut down its IT systems on Monday, 24 June 2024, following a breach of its systems the weekend before.

The shutdown affected its emails, website, and system for retrieving and storing patients’ lab test results.

NHLS CEO Koleka Mlisana said the organisation’s Incident Response Team had been deployed to handle the issue.

“This team is working around the clock to determine the scope of the intrusion and deploy the required safeguards to secure our systems and data,” she said.

“Fortunately, our Oracle environment and Trakcare database are not affected, but the entire environment has been shut down to prevent further damage.”

Professor Koleka Mlisana, NHLS CEO

The website was still unreachable as of 10:00 on Thursday, 11 July 2024.

Mlisana revealed the name of the hacking group responsible for the attack a week after it happened.

She said the attackers had left behind a message in which they identified themselves. Mlisana emphasised that her organisation has not and will not communicate with them.

The CEO added that cyber specialists were working to stabilise the system and clear it of harmful viruses. They are also adding further layers of security to prevent further damage.

In addition to stealing data, Mlisana said the group had erased large portions of data, including backups. However, she noted that there was no evidence that patient data had been erased.

She added that there are indications that the group could still be active within the NHLS’s systems.

The attack could have significant implications for the South African healthcare industry, as the NHLS has a network of 265 diagnostic pathology labs servicing local healthcare facilities.

Mlisana informed staff about the ransomware attack in a memo shortly after it happened.

“I regret to inform you that our IT systems are unavailable due to a suspected incident that occurred over the weekend,” she said.

“This incident compromised the security of our IT infrastructure. We are treating this matter with extreme urgency and concern.”

She explained that the organisation had implemented its “Downtime Protocol” to address the attack.

“I want to take this opportunity to thank you in advance as we all put in our efforts to ensure that disruption to our services is minimised,” she said.

MyBroadband asked the National Department of Health, which the NHLS falls under, about the attack. A spokesperson said they were aware of the incident.

“They are working around the clock to address it and have called for patience as they are working to resolve this,” they said.
