Croatia’s largest hospital KBC-Zagreb claimed by LockBit

The University Hospital Centre in Zagreb, Croatia, has been claimed by the LockBit ransomware group barely a week after the healthcare organization announced it was hit by a cyberattack last Thursday.

Located in the capital city of Zagreb, the publicly funded teaching hospital, also known as KBC Zagreb, was back online just 24 hours later, according to local news reports, which added that over 100 experts were tasked with restoring IT systems to full functionality.

Hospital officials said the June 27th attack had incapacitated its networks, forcing emergency patients to be diverted to other Zagreb hospitals, taking the facility “back 50 years - to paper and pencil,” reported Croatian Radio.

Patient safety was never in jeopardy, hospital officials had said.

“All tests can be done to some extent, but the radiological system, which is particularly dependent on information support, is perhaps the most severely affected,” said KBC Zagreb’s head of Emergency Admissions, prof. Ph.D. Ivan Gornik, the news station reported.

LockBit leak site. Image by Cybernews.

Established in 1942, the University Hospital Centre is the largest and most advanced medical facility in Croatia, serving about 10,000 citizens a day across two main campuses and three other city locations, according to its website.

Consisting of 30 clinics and 7 specialized institutes, the hospital has over 2000 beds and over 7500 staff, including close to 1000 doctors, and operates one of the few gamma knife treatment centers in Europe.

LockBit continuously targets critical infrastructure

On Monday, KBC Zagreb appeared on LockBit’s dark leak site, named as the ransomware group’s latest victim.

The Russian-affiliated gang claims to have stolen a large cache of files including, “medical records, patient exams and studies; doctors' research papers; surgery, organ and donor data; organ and tissue banks; employee data, addresses phone numbers etc; employee legal documents; data on donations and relationships with private companies; donation book; medication reserve data; personal data breach reports and much more.”

The group uploaded an alleged sample of its stolen wares consisting of 12 documents as its proof of exfiltration.

So far the hospital has not confirmed the data involved, but said proper authorities were notified and the police have begun a criminal investigation to determine the impact.

LockBit leak site. Image by Cybernews.

The LockBit cybercriminal gang has been successfully evading law enforcement since its inception in late 2019.

Operating under a Ransomware-as-a-Service (RaaS) model, the cartel is said to have executed over 1,400 attacks against victims in the US and around the world, including Asia, Europe, and Africa.

The gang suffered a major setback this spring when the international Operation Cronos, led by the FBI and Interpol, infiltrated the gang’s network infrastructure, taunting the gang with a seizure notice splashed across the LockBit leak site’s home page.

Still, it was business as usual for LockBit, which created a new leak site and targeted multiple US hospitals within days.

Last week, LockBit claimed to have hacked the US Federal Reserve, which appears to have been a false claim by the group, which instead wound up leaking data belonging to the US banking institution Evolve Bank and Trust.

Croatia suffers multiple cyberattacks

The suspected ransomware attack on KBC Zagreb happened to coincide with attacks on multiple Croatian government agencies taking place the day before.

Those attacks were carried out by another established Russian-linked hacktivist group, known as NoName057(16).

The group, which posts its handiwork on Telegram, consistently targets the critical infrastructure of nations that support Ukraine using distributed denial-of-service (DDoS) attacks, which temporarily shut down victim networks by flooding them with traffic requests.

NoName, at first suspected of causing the hospital outage, posted a message on its Telegram channel on June 28th, denying responsibility.

“We are not involved in attacking medical facilities in Croatia or any other country. We have a principle of not touching medical facilities. We are at war with russophobic authorities, not civilians! 🤬,” NoName wrote in the post, slamming Croatian officials for being unable “to protect their internet infrastructure in the medical field.”

NoName Telegram channel. Image by Cybernews.

NoName is said to be behind just over one third of all hacktivist attacks in 2023.

What makes NoName unique – besides the fact that they are not affiliated with any other pro-Russian collective – is that they are supported by a stable of volunteers recruited from the dark web.

The threat actors put out a call for these “hero” hacktivists in January 2023, offering financial incentives paid out in cryptocurrency reportedly worth hundreds, if not thousands, of US dollars.

Last year, NoName successfully targeted Italy’s banking system, knocking at least six major banks offline, and disrupting the infrastructure of nearly a dozen Ukrainian banking websites.

Other attacks have targeted critical infrastructure in Poland, Denmark, and Lithuania, as well as the French parliament and several European ports in Italy, Germany, Spain, and Bulgaria, along with nearly a dozen attacks on Switzerland’s financial and aviation sectors last summer.