Cyberattack against a hospital group in Rennes: a former IT security manager arrested

After more than two months of research, investigators were finally able to trace the alleged perpetrator of the major cyberattack which targeted the Groupe Hospitalier Grand Ouest in early October. Aged 26 and living in Rennes, the man was arrested at his home on December 17. If no data was stolen, the cybercriminal demanded a ransom of 650,741 dollars (626,045 euros), “but the rapid technical investigation makes it possible to put an end to this threat“, underlines the gendarmerie in a press release published Monday December 23.

The investigation, carried out by specialists from the National Cyber ​​Unit (UNC) and their Rennes branch, made it possible to quickly trace the origin of the attack. “Analysis of the data quickly revealed indications of internal compromise, directing research towards a former information systems security manager (CISO) of the group. […] Key technical elements, including the suspect's IP address, helped identify him as being behind the attack“, detail the investigators.

The suspect faces five years in prison and a fine of 150,000 euros

The alleged perpetrator of the attack, who was in charge of the hospital group's IT security, operated from the inside. “The fact that the attack came from someone who knew this information system perfectly was obviously a facilitator. But it is also a mode of attack which leaves many more traces, in any case traces of a different nature than external attacks.“, underlines Colonel Bertrand Michel, second in command of the National Cyber ​​Unit of the National Gendarmerie, in the TF1 news video to see at the top of this article.

Placed under judicial supervision, the alleged perpetrator of the cyberattack will appear on February 6 before the Paris judicial court, competent for this type of offense. He faces a maximum sentence of five years in prison and a fine of 150,000 euros. “It will be up to him to explain the author's motivations in court. It is not at the level of the judicial investigation that we work on this aspect of things“, continues the officer. Contacted by the TF1 editorial staff, the management of the clinic where the man worked did not wish to comment.

14 interventions had to be postponed

Within the establishment, we especially remember the consequences of the attack. The devices allowing patients to check in no longer worked, for example. “We have redeployed our administrative service to welcome patients in person. Our IT being cut off, our administrative services no longer had anything to work with.“, explains John Charriat, administrative and financial director (DAF) at the mutualist clinic La Sagesse, in Rennes. As in nine other establishments in the west of France, the information systems had to be cut off for several weeks.

“Luckily, our healthcare equipment worked, because it was not dependent on IT.. Here you can see the paper files of our patients which allowed us to best manage this cyberattack. We were in the process of going paperless at the clinic. These copies allowed us to resume the old method“, explains this manager. Without this information system, delays in the operating room accumulate. In total“14 patient interventions“ not having “no loss of luck“ have been postponed “from a few days to a few weeks“, explains a doctor in our report.

• Read also

  Computer threat: thirty French hospitals affected in two years, cyberattacks better managed

Today, the Breton clinic is operating normally again. But according to Colonel Bertrand Michel, it could again be the target of a cyberattack. “The question is not whether a company or healthcare establishment will be the victim of a cyberattack, but when“, underlines this specialist. In 2022 and 2023, thirty hospitals were the target of a ransomware attack. The latter makes it possible to paralyze the IT infrastructure of a company or an institution and then demand a ransom.