Canadian Nurses Association hit by cyber attack

The Canadian Nurses Association says it has suffered a cybersecurity incident, but isn’t commenting on a report that the attack was ransomware.

“We can confirm having experienced an IT security incident on April 3, 2023 which impacted some of our systems,” Alexandre Bourassa, the association’s public affairs lead, said in an email to IT World Canada. “The incident did not impact our operations.”

He was responding to a query about a tweet on Sunday by Brett Callow, British Columbia-based threat analyst for Emsisoft, who said the Snatch ransomware gang now lists the CNA as a victim. Bourassa was told about the tweet but didn’t directly answer whether the attack was ransomware.

The CNA represents 460,000 nurses in all categories — registered, nurse practitioners, licensed and registered practical nurses, and registered psychiatric nurses — across the country. Provincial and territorial nurses’ associations represent members in negotiations with their respective governments.

According to researchers at Sophos, the Snatch malware reboots an infected Windows computer into Safe Mode, where most security software doesn’t run. Then it encrypts the victims’ hard drives. Sophos believes the Snatch gang has been operating since 2018.

At the time of the 2019 Sophos report, the gang commonly penetrated enterprise networks by automated brute-force attacks against vulnerable, exposed services such as Windows RDP (remote desktop protocol). In one incident Sophos investigated, the attackers initially accessed the company’s internal network by brute-forcing the password to an administrator’s account on a Microsoft Azure server, then logged into the server using RDP.

The attackers installed surveillance software on about 200 machines, or roughly five per cent of the organization’s computers, Sophos found. After that, the attackers installed several malware executables, one of which appeared to be designed to give the attackers remote access to the machines without having to rely on the compromised Azure server. The attackers also installed a free Windows utility called Advanced Port Scanner to discover additional machines on the network they could target.

According to an April report by researchers at Gridinsoft, a Ukrainian antimalware provider, those behind Snatch usually don’t steal data before encrypting it.

Besides disabling third-party antivirus software, the report says Snatch ransomware also suspends Windows Defender in a well-known way: by editing Group Policy. To prevent any recovery attempts, it also removes the Volume Shadow Copies and the backups created with basic Windows functionality. This, the report notes, is a common ransomware tactic.
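For defenders, the three behaviours described above (Safe Mode reboot, Defender disabled through policy, shadow copies removed) are more telling together than alone. The following is an added example, not code from Sophos, Gridinsoft or this article: it correlates them per host over command-line logs. The `bcdedit`, `vssadmin` and Defender policy registry patterns are assumed, commonly seen ways to perform these actions rather than indicators from either report, and the log format and sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed indicators: common Windows ways to perform the behaviours the
# article describes. They are not IoCs taken from either report.
RULES = {
    "safe_mode_boot": re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I),
    "shadow_copy_delete": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "defender_policy_off": re.compile(
        r"\\Policies\\Microsoft\\Windows Defender\b.*\bDisable\w+", re.I),
}
WINDOW = timedelta(minutes=30)  # assumed correlation window

def parse(line):
    """Split 'ISO-time host command-line' into (datetime, host, text)."""
    ts, host, text = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, text

def detect(lines, min_behaviours=2):
    """Return {host: sorted behaviours} for hosts that show at least
    min_behaviours distinct behaviours inside one WINDOW."""
    hits = defaultdict(list)
    for line in lines:
        ts, host, text = parse(line)
        for name, rx in RULES.items():
            if rx.search(text):
                hits[host].append((ts, name))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            names = {n for t, n in seen[i:] if t - start <= WINDOW}
            if len(names) >= min_behaviours:
                alerts[host] = sorted(names)
                break
    return alerts

# Constructed sample log lines (not from any real incident).
SAMPLE = [
    "2024-01-15T02:10:00 WS-014 reg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\" /v DisableAntiSpyware /d 1 /f",
    "2024-01-15T02:12:00 WS-014 vssadmin.exe delete shadows /all /quiet",
    "2024-01-15T02:13:00 WS-014 bcdedit.exe /set {default} safeboot minimal",
    "2024-01-15T09:00:00 SRV-02 vssadmin delete shadows /for=D: /oldest",
    "2024-01-15T01:00:00 WS-020 bcdedit /set {default} safeboot network",
    "2024-01-15T05:00:00 WS-020 vssadmin delete shadows /all",
]
```

On the sample, only WS-014 is flagged: SRV-02 shows a single behaviour, and the two events on WS-020 are four hours apart.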

In his response to IT World Canada, Alexandre Bourassa of the CNA said the association immediately launched an investigation and hired leading third-party experts for assistance efforts. “As a precautionary measure,” he added, “we notified the appropriate law enforcement authorities. We are unable to provide further details while this investigation is ongoing.

“We are working closely with our industry-leading partners to implement enhanced security measures to protect our systems, and to prevent this type of incident in the future.”


Howard Solomon
Currently a freelance writer. Former editor of and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
