Notorious HelloKitty hackers tracked to unexpected country

In disclosing their files had been hacked by HelloKitty, an Oregon medical outfit let it slip that the FBI calls them “a Ukrainian hacking group,” the first such revelation about the previously mysterious miscreants.

The Oregon Anesthesiology Group (OAG) came under cyber attack in July, with the hackers gaining access to the information of 522 current and former employees and some 750,000 patients. The FBI has since seized a HelloKitty account that contained some of the files, the OAG said in a breach disclosure statement.

While the statement itself was made public on December 6, it was only noticed by the media on Wednesday, and only because it contained the revelation that the FBI considered the hackers Ukrainian.

According to the cybersecurity publication The Record, none of the previous alerts about the group, whether by US government organizations or private security firms, contained any hint about the gang’s location.

READ MORE: Cyberpunk hackers ‘sell off’ CD Projekt Red’s stolen source code after ransomware attack

The HelloKitty ransomware, also known as FiveHands, was first noticed in January this year. Its most notable attack was against the Polish game developer CD Projekt Red – the studio behind ‘The Witcher’ series and ‘Cyberpunk 2077’ – in February.

In the note sent to OAG on October 21, the FBI said the hackers most likely exploited a vulnerability in the third-party firewall to gain access to the network. The ransomware attack reportedly forced OAG to restore their systems from backups and rebuild their entire infrastructure from scratch.

According to OAG, the hackers potentially made off with patient names, addresses, appointment dates, medical record numbers, insurance ID numbers, and diagnosis and procedure codes. They also potentially accessed current and former employee data, including names, addresses, Social Security numbers and tax information on file.