Notorious HelloKitty hackers tracked to unexpected country — Analysis
In disclosing that its files had been stolen by HelloKitty, an Oregon medical practice let slip that the FBI describes the attackers as “a Ukrainian hacking group,” the first public indication of where the previously mysterious gang operates from.
Cyberattacks on the Oregon Anesthesiology Group (OAG) in July gave the hackers access to information about 522 employees and 750,000 patients. According to OAG’s disclosure statement, some of the stolen files were found in an account belonging to HelloKitty that was seized by the FBI.
An Oregon healthcare organization appears to have accidentally revealed in a breach disclosure that the FBI believes that the HelloKitty (FiveHands) ransomware gang operates out of Ukraine https://t.co/pcfbiky8W6
— The Record by Recorded Future (@TheRecord_Media) December 15, 2021
Although the original statement was published on December 6, it went unnoticed by the media until Wednesday, when its passing mention that the FBI considers the hackers Ukrainian drew attention.
According to the cybersecurity publication The Record, none of the previous alerts about the group, whether from US government agencies or private security firms, contained any hint about the gang’s location.
HelloKitty’s ransomware, also tracked under the name FiveHands, first became known in January. Its most notable attack was against the Polish game developer CD Projekt Red, the studio behind ‘The Witcher’ series and ‘Cyberpunk 2077’, in February.
The FBI informed OAG that the attackers exploited a vulnerability in a third-party firewall to gain entry to its network. To recover, OAG had to restore its systems from backups and rebuild its entire infrastructure.
OAG reports that the hackers could have accessed patient information, including addresses and appointment times, medical ID numbers and codes, diagnosis codes, and insurance ID numbers. They could also have accessed files on former employees, including names, addresses and Social Security numbers.