The Limited Times


Federal Office warns clinics of new hacker attacks

2020-09-18T17:41:09.379Z


It was probably the first fatal cyber attack: the failure at the Düsseldorf University Hospital alarmed the IT security authorities. They fear attacks on other hospitals.



Entrance area of the University Hospital Düsseldorf

Photo: Federico Gambarini / dpa

The hacker attack on the University Hospital Düsseldorf could go down in the history books as the first cyber attack to result in death.

On the night of Thursday last week, the perpetrators encrypted 30 servers in the hospital and thus largely put the clinic out of operation: operations were postponed, treatments canceled, and ambulances could no longer approach the clinic.

A 78-year-old emergency patient who was to be admitted had to be brought to Wuppertal due to the IT failure - and died after the transport.

The Federal Office for Information Security (BSI) fears that other hospitals in Germany could be affected by the current attack.

In a warning letter to 130 hospitals, the authority recommends that the facilities, which, like the clinic in Düsseldorf, are among the "critical infrastructures" in the country, examine their security measures and tighten them where necessary.

In the opinion of the BSI, the security gap harbors "a high risk potential".

According to SPIEGEL information, audits by Bonn had previously shown that numerous public institutions and companies could be susceptible to the same attack - apparently several hundred.

A long-known vulnerability

The background to this is new knowledge about how the attack in Düsseldorf took place.

The perpetrators apparently used a security hole in commercial software for remote access to local networks, which is widespread in companies and public institutions.

The dangerous gateway has been known since December 2019.

The "AG Kritis" had already pointed out in January that this software was also being used in the control centers of the police and fire brigade as well as in hospitals and that there was an imminent danger.

At that time, instructions were circulating online on how to abuse the security hole - in-depth hacking knowledge was not necessary, which made things all the more dangerous.

The BSI also issued a warning at the time and recommended the use of a security update that has been available since January.

However, this does not banish the danger.

For one thing, as usual, not all users of the vulnerable software have installed the security update.

For another, the perpetrators had a few weeks to infiltrate vulnerable systems and leave malware there as "sleepers" - which can now be gradually activated and used, and apparently is already being used.

"Don't procrastinate or ignore"

"The example of Düsseldorf shows how real the danger is and how seriously operators of critical infrastructures must take the risks," said BSI President Arne Schönbohm to SPIEGEL.

In its warning, his authority gives users of the affected software specific instructions for immediate action.

Among other things, the networks are to be segmented so that possible attackers cannot move freely within them and paralyze the IT infrastructure on a large scale.

It also explains ways in which those affected can find out whether attackers have already established themselves.

"The recommendations for action are in place, the task now is to implement them quickly," said Schönbohm.

He urged everyone responsible not to put this off or ignore it.

Operators should monitor their networks closely and watch out for anomalies.

Professional division of labor among the perpetrators

In the Düsseldorf case, it was evidently a widespread criminal "business model" - a so-called ransomware attack using an encryption Trojan.

The perpetrators encrypt the IT systems of companies and public institutions and paralyze them.

For the "keys" that are needed to regain access, they demand a ransom - mostly in the form of crypto currencies such as Bitcoin.

The model is profitable, the perpetrators are becoming more and more professional.

Some groups now work with a division of labor - one team penetrates the foreign networks, another takes on the actual blackmail.

In the case of the university clinic in Düsseldorf, however, the perpetrators sent their extortion letters to Heinrich Heine University.

When they were told that they had hit and paralyzed a clinic and thereby endangered patients, they sent the necessary digital access keys - without a ransom being paid.

That will hardly protect them from prosecution - the public prosecutor's office has now initiated proceedings for negligent homicide.


Source: spiegel
