LockBit claims cyberattack on Croatia’s largest hospital

The LockBit ransomware gang has claimed responsibility for a cyberattack on Croatia’s largest hospital, which forced it to shut down IT systems for a day. The group claims to have gained access to patient and employee information, medical records, organ and donor data and contracts signed with external companies.

The University Hospital Centre in Zagreb, known as KBC Zagreb, suffered the attack last week. More than 100 specialists worked to restore the systems in the aftermath.

According to local media reports, the incident slowed down the work of emergency services, forcing the hospital to send patients to other institutions in Zagreb. The attack “took us back 50 years — to paper and pencil,” said Milivoj Novak, assistant director for health care quality and supervision of KBC Zagreb.

“All tests can be done to some extent, but the radiological system, which is particularly dependent on information support, is perhaps the most severely affected,” said Ivan Gornik, head of the unified emergency hospital admission at KBC Zagreb, which serves about 10,000 people daily.

LockBit’s operations were disrupted in February in an international operation but the group has since resurfaced. 

Its claims have often proven unreliable. It recently claimed to have breached the U.S. Federal Reserve, but an initial batch of leaked documents supposedly linked to the agency in fact reportedly belonged to Evolve Bank & Trust.

Responding to LockBit’s claim, Interior Minister Davor Bozinovic said Tuesday that he doesn’t want to reveal too much information obtained by the investigators, and added that he is not aware of a ransom demand having been made. 

Also on Tuesday, Health Minister Vili Beros said the government will not negotiate with hackers, who he said were likely “looking for money.”

He added that it was not clear if the hackers had stolen any information from Croatian citizens. 

“This will be established forensically and is being investigated by the competent institutions,” Beros said during a press conference. 

Croatia’s police and security services are currently investigating the incident. Prior to the attack on KBC Zagreb, the websites of several local state institutions, including the Ministry of Interior, the tax service, and the local stock exchange, were targeted by distributed denial-of-service (DDoS) attacks, rendering them inaccessible for several hours. Russia-linked hacker group NoName057(16) claimed responsibility for the attacks.

Deputy Prime Minister Tomo Medved, said that Croatian institutions are grappling with a surge in cyberattacks, which began when Russia invaded Ukraine in 2022.

“We witness these attacks almost every day,” he said.