15 Dec, 2021 19:37

Notorious HelloKitty hackers tracked to unexpected country

In disclosing their files had been hacked by HelloKitty, an Oregon medical outfit let it slip that the FBI calls them “a Ukrainian hacking group,” the first such revelation about the previously mysterious miscreants.

The Oregon Anesthesiology Group (OAG) came under cyber attack in July, with the hackers gaining access to the information of 522 current and former employees and some 750,000 patients. The FBI has since seized a HelloKitty account that contained some of the files, the OAG said in a breach disclosure statement.

While the statement itself was made public on December 6, it was only noticed by the media on Wednesday, and only because it contained the revelation that the FBI considered the hackers Ukrainian.

According to the cybersecurity publication The Record, none of the previous alerts about the group, whether by US government organizations or private security firms, contained any hint about the gang’s location.

The HelloKitty ransomware, also known as FiveHands, was first noticed in January this year. Its most notable attack was against the Polish game developer CD Projekt Red – the studio behind ‘The Witcher’ series and ‘Cyberpunk 2077’ – in February.

In the note sent to OAG on October 21, the FBI said the hackers most likely exploited a vulnerability in a third-party firewall to gain access to the network; neither the FBI note nor OAG's disclosure identifies the product or the flaw. The ransomware attack reportedly forced OAG to restore its systems from backups and rebuild its entire infrastructure from scratch.

According to OAG, the hackers potentially made off with patient names, addresses, appointment dates, medical record numbers, insurance ID numbers, and diagnosis and procedure codes. They also potentially accessed current and former employee data, including names, addresses, Social Security numbers and tax information on file.