Full Report
The Times of Israel reports: The Assaf Harofeh Medical Center in the central city of Beer Yaakov was targeted by a cyberattack over Yom Kippur, according to a joint announcement from the hospital, the Health Ministry and the National Cyber Directorate. Authorities were investigating the possibility of a leak as a result of the attack....
Analysis Summary
# Incident Report: Cyberattack and Ransom Demand at Israeli Hospital
## Executive Summary
The Assaf Harofeh Medical Center (Shamir Medical Center) in Israel was targeted by a cyberattack attributed to the Russian-speaking cybercrime group Qilin over Yom Kippur. Although the attack was reportedly "blocked in its initial stages," it caused a brief shutdown of a critical medical records system used across Israel and resulted in a ransomware demand of $700,000. Authorities are investigating the potential exfiltration of sensitive patient data.
## Incident Details
- Discovery Date: Not explicitly stated; the attack occurred over Yom Kippur and was presumably discovered during or shortly after the holiday, leading to the public announcement on Oct 2, 2025.
- Incident Date: Over Yom Kippur (October 2025).
- Affected Organization: Assaf Harofeh Medical Center (also known as Shamir Medical Center).
- Sector: Healthcare.
- Geography: Israel (Central city of Beer Yaakov).
## Timeline of Events
### Initial Access
- Date/Time: During Yom Kippur (October 2025).
- Vector: Cyberattack, potentially involving malware, attributed to the Qilin group.
- Details: The attack was publicized via a joint announcement from the hospital, the Health Ministry, and the National Cyber Directorate.
### Lateral Movement
- Details: The report states the attack was "blocked in its initial stages," suggesting limited internal propagation, though this is at odds with the reported impact on a shared medical records system.
### Data Exfiltration/Impact
- Details: The Russian-speaking group threatened to publish patient data. A shared medical records system used by various Israeli hospitals, including Assaf Harofeh, was briefly shut down.
### Detection & Response
- Details: The incident was detected and confirmed by the hospital, the Health Ministry, and the National Cyber Directorate. Authorities initiated an investigation into potential data leaks.
- Response actions taken: The attack was reportedly "blocked in its initial stages."
## Attack Methodology
- Initial Access: Cyberattack, attributed to Qilin group (specific technique not detailed).
- Persistence: Not specified, though a ransom demand implies an attempt at long-term unauthorized access.
- Privilege Escalation: Not specified.
- Defense Evasion: Not specified.
- Credential Access: Not specified.
- Discovery: Not specified.
- Lateral Movement: The attack briefly affected a shared medical records system used across Israel.
- Collection: Threat of publishing patient data suggests the intent to collect sensitive records.
- Exfiltration: Threatened publication of patient data.
- Impact: Brief shutdown of a shared critical medical records system.
## Impact Assessment
- Financial: Ransom demand of $700,000.
- Data Breach: Fear of patient records leak (PHI). Specific volume unknown.
- Operational: Brief shutdown of a shared medical records system; however, the hospital's core operations reportedly remained uninterrupted and returned to normal.
- Reputational: Potential damage due to the threat of patient data leakage.
## Indicators of Compromise
- Network indicators: None listed.
- File indicators: None explicitly listed; the report mentions malware but gives no file-level details.
- Behavioral indicators: Ransom demand signature matching the Qilin group.
## Response Actions
- Containment measures: The attack was "blocked in its initial stages."
- Eradication steps: Not specified.
- Recovery actions: The hospital’s core operations are reported to be "back to normal."
## Lessons Learned
- Key takeaways: Reliance on shared critical infrastructure (medical records system) makes multiple organizations vulnerable to a single successful attack.
- What could have been done better: Although the attack was reportedly "blocked in its initial stages," the intrusion progressed far enough to produce a ransom demand and disrupt a shared system, indicating that earlier detection and containment were needed.
## Recommendations
- Prevention measures for similar incidents: Enhance segmentation between clinical operations and shared IT infrastructure; increase monitoring specifically around critical shared medical record systems; strengthen early-stage detection capabilities against known threat actors like Qilin.