LockBit claims cyberattack on Croatia’s largest hospital


The LockBit ransomware gang has claimed responsibility for a cyberattack on Croatia’s largest hospital, which forced it to shut down IT systems for a day. The group claims to have gained access to patient and employee information, medical records, organ and donor data and contracts signed with external companies.

The University Hospital Centre in Zagreb, known as KBC Zagreb, suffered the attack last week. More than 100 specialists worked to restore the systems in the aftermath.

According to local media reports, the incident slowed down the work of emergency services, forcing the hospital to send patients to other institutions in Zagreb. The attack “took us back 50 years — to paper and pencil,” said Milivoj Novak, assistant director for health care quality and supervision of KBC Zagreb.

“All tests can be done to some extent, but the radiological system, which is particularly dependent on information support, is perhaps the most severely affected,” said Ivan Gornik, head of the unified emergency hospital admission at KBC Zagreb, which serves about 10,000 people daily.

LockBit’s operations were disrupted in February in an international operation but the group has since resurfaced. 

Its claims have often proven unreliable. It recently claimed to have breached the U.S. Federal Reserve, but an initial batch of leaked documents supposedly linked to the agency in fact reportedly belonged to Evolve Bank & Trust.

Responding to LockBit’s claim, Interior Minister Davor Bozinovic said Tuesday that he doesn’t want to reveal too much information obtained by the investigators, and added that he is not aware of a ransom demand having been made. 

Also on Tuesday, Health Minister Vili Beros said the government will not negotiate with hackers, who he said were likely “looking for money.”

He added that it was not clear if the hackers had stolen any information from Croatian citizens. 

“This will be established forensically and is being investigated by the competent institutions,” Beros said during a press conference. 

Croatia’s police and security services are currently investigating the incident. Prior to the attack on KBC Zagreb, the websites of several local state institutions, including the Ministry of Interior, the tax service, and the local stock exchange, were targeted by distributed denial-of-service (DDoS) attacks, rendering them inaccessible for several hours. Russia-linked hacker group NoName057(16) claimed responsibility for the attacks.

Deputy Prime Minister Tomo Medved, said that Croatian institutions are grappling with a surge in cyberattacks, which began when Russia invaded Ukraine in 2022.

“We witness these attacks almost every day,” he said.

Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.


Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

Fintech company Affirm says Evolve Bank attack exposed customer info

Next Post

Stolen credentials could unmask thousands of darknet child abuse website users

Related Posts

Millions of Malicious ‘Imageless’ Containers Planted on Docker Hub Over 5 Years

Cybersecurity researchers have discovered multiple campaigns targeting Docker Hub by planting millions of malicious "imageless" containers over the past five years, once again underscoring how open-source registries could pave the way for supply chain attacks. "Over four million of the repositories in Docker Hub are imageless and have no content except for the repository
Read More