Prague, April 21 (CTK) – The malware CoViper that attacked some Czech hospitals in the past week could have been created by Russian hackers, the antivirus firm ESET said today.
A trace also leads to Chinese addresses, it added.
“The origin of the attack cannot be determined unequivocally, but the tool MBR Locker, with which it was created, is in Russian. So are the instructions for the use of this tool, available at Russian hacker forums. We have also tracked down a digital trace on Chinese IP addresses,” ESET director for technologies Miroslav Dvořák said.
Referring to two trustworthy sources, the Czech paper Lidové noviny (LN) wrote on Monday that investigators had come to believe that Russia may be behind the cyber attacks on Czech hospitals.
LN wrote that the information came from a senior member of the investigation team and was confirmed by a member of the National Security Council.
The Embassy of Russia has denied the allegations, calling them a fable, a dirty anti-Russian attack and an open provocation.
MBR Locker is a tool with which attackers can easily set the required data and then create an .exe file that functions as a harmful programme, Dvořák said, adding that the code was not sophisticated.
“Using a retrospective analysis, we found the units of detection in April. It arises from this that the harmful code had been used in a targeted way,” Dvořák said.
“First we came across the code in January, but we do not connect it with any security incident,” he added.
If a user opens the infected attachment to the email carrying CoViper, the computer is attacked, Dvořák said.
On Thursday, the National Cyber and Security Agency (NUKIB) warned against cyber attacks on the Czech hospital computer systems and further vital targets in the days to come.
Health Minister Adam Vojtěch (for ANO) said on the same day that some hospitals as well as his ministry had faced cyber attacks, but managed to fight them off.
The teaching hospitals in Ostrava and Olomouc, north Moravia, as well as some hospitals in the Pardubice Region became targets of cyber attacks several hours later, but their computer system administrators warded them off.