Dozens of medical institutions in Russia have been targeted with malicious mailings, according to cybersecurity experts. At the end of 2025, the attackers sent them emails on behalf of well-known insurance companies or hospitals. Hidden in the attachments of these mailings was a backdoor that lets the attackers control the infected computer. For more on why hackers targeted Russian medical institutions, what the danger of this trend is and how to counter it, read the Izvestia article.

What is known about hacker attacks on Russian medical institutions

Kaspersky Lab told Izvestia that dozens of medical institutions in Russia were targeted with malicious mailings at the end of 2025. The letters claim that a certain client is dissatisfied with treatment received at the recipient hospital under voluntary medical insurance and is filing a claim, with all supporting documents allegedly in the attachment. The purported senders propose to "settle the situation peacefully."

"Some messages use a different legend: they are allegedly written on behalf of medical institutions and contain a request to the addressee organization to urgently accept a certain patient for specialized treatment. The attackers will probably continue to come up with new excuses to convince the victim to open the attachment," the company's experts said.

Keyboard. Photo: IZVESTIA/Sergey Konkov

The emails received by the targets contain archives with the BrockenDoor malware. This backdoor was first seen in cyber attacks in late 2024. Once installed on the victim's computer, it can contact the attackers' server and send it information such as the username and computer name, the operating system version, and a list of files found on the desktop. If the attackers find the target interesting, the backdoor receives commands to launch further stages of the attack.
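The delivery vector described above is an archive attachment that carries an executable. The following script is an added example for this article, not code from Kaspersky Lab or Izvestia: it parses an inbound message, unpacks any zip attachment without executing anything, and reports members that a claim from an insurer should never contain (executables, double extensions such as ".pdf.exe", encrypted members). The sample message, the sender and recipient addresses and the member name "claim_documents.pdf.exe" are constructed for the demonstration and are not indicators from the reported campaign.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that should not arrive inside a "claim documents" archive.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".vbs", ".js",
    ".jse", ".wsf", ".hta", ".lnk", ".msi", ".dll",
}
# Extensions a fake "document" name is usually padded with before the real one.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}
ARCHIVE_EXTENSIONS = {".zip"}  # only zip is inspected here; rar/7z need extra libraries


def _ext(name):
    lowered = name.lower()
    dot = lowered.rfind(".")
    return lowered[dot:] if dot >= 0 else ""


def _has_double_extension(name):
    # "claim.pdf.exe" -> ["claim", "pdf", "exe"]: a document extension hiding before the real one
    parts = name.lower().split(".")
    return len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS


def inspect_zip(data):
    """Return a list of findings for a zip archive given as bytes; never extracts to disk."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.flag_bits & 0x1:  # bit 0 of the general purpose flag: member is encrypted
                    findings.append(f"encrypted member: {info.filename}")
                if _ext(info.filename) in EXECUTABLE_EXTENSIONS:
                    findings.append(f"executable in archive: {info.filename}")
                if _has_double_extension(info.filename):
                    findings.append(f"double extension: {info.filename}")
    except zipfile.BadZipFile:
        findings.append("attachment is not a valid zip archive")
    return findings


def inspect_message(raw_bytes):
    """Walk the attachments of an RFC 5322 message and collect findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if _ext(name) in ARCHIVE_EXTENSIONS:
            findings.extend(inspect_zip(payload))
        elif _ext(name) in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable attachment: {name}")
    return findings


def build_zip(members):
    """Build an in-memory zip from a {name: bytes} mapping (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_message():
    """Constructed sample: an insurance 'claim' whose archive holds a disguised executable."""
    archive = build_zip({"claim_documents.pdf.exe": b"MZ placeholder, not a real program"})
    msg = EmailMessage()
    msg["From"] = "claims@insurer.example"        # constructed address
    msg["To"] = "reception@clinic.example"        # constructed address
    msg["Subject"] = "Claim under voluntary medical insurance"
    msg.set_content("The client is dissatisfied with the treatment. Documents are attached.")
    msg.add_attachment(archive, maintype="application", subtype="zip", filename="claim.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_message(build_sample_message()):
        print("ALERT:", finding)
```

The script only reads the central directory of the archive, so a malicious member is never written to disk or executed; a mail gateway or a SOC triage job can run the same logic on quarantined messages before anyone opens the attachment.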

Why are Russian medical institutions interesting to cybercriminals

According to the Solar 4RAYS Cyber Threat Research Center of the Solar Group, over 2025 to date the share of malware infections attributable to healthcare organizations was 17%. In the second and third quarters, almost 20% of all detections of cryptominer infections were recorded on the networks of medical organizations.

Medical institutions are an extremely attractive target for many cybercriminals: from lone hackers to financially motivated groups, Anastasia Osipova, an analyst at the Positive Technologies research group, says in an interview with Izvestia. This is due both to the value of the information being processed and to the specifics of the work of healthcare organizations.

— One of the main reasons is the high value of medical data, which contains information about the state of health, test results and other confidential data, — says the expert. — Having gained access to this information, attackers can use it for fraud or blackmail.

Doctors. Photo: IZVESTIA/Polina Violet

According to Anastasia Osipova, leaks of information about mental disorders, addictions and other stigmatized conditions are especially dangerous. Such leaks undermine trust in healthcare digitalization. In addition, healthcare organizations are, by the nature of their work, conservative about software updates (an unsuccessful update can take medical equipment out of service), and many of their computers and servers run around the clock, Solar 4RAYS experts say.

These are ideal conditions for cryptominers, which can quietly consume the available computing power for years. Finally, a significant role is played by the high social importance of organizations in this industry: the safety of citizens directly depends on the stability of their work, the experts emphasize.

What kind of cyber attacks on medical institutions to expect in 2026

In 2026, hackers will continue DDoS attacks on medical institutions, but they will become more targeted, aimed at disabling specific services, predicts Vitaly Fomin, head of the information security analyst group at the Digital Economy League. A similar trend has previously been recorded in other areas — such incidents are more difficult to detect due to their multilevel structure.

"Medical institutions store large amounts of sensitive information, so attackers are increasingly resorting to ransomware for blackmail," the source tells Izvestia. "By entering the system through phishing or a vulnerability, such a program encrypts data, and users lose access to it."

Doctor. Photo: IZVESTIA/Sergey Lantyukhov

The hackers then demand a ransom so that this information is not published. Such attacks threaten not only the safety of personal information of patients and staff, but also human health, emphasizes Vitaly Fomin. A rapid transition to domestic software and equipment may also lead to a new wave of cyber attacks, adds Irina Dmitrieva, an analyst engineer at Gazinformservice.

According to the expert, in the process of replacing solutions there is a high risk of making a configuration mistake or missing a new vulnerability in a software component. The difficulty of this stage, which all critical infrastructure has to go through, lies in the need for seamless import substitution; done at a breakneck pace, it can lead to failures, errors and misconfigurations.

— At the same time, medical systems are striving to unite, — notes Irina Dmitrieva. — Such large unified databases may be of interest to intruders, since they contain many valuable categories of data in demand for sale and blackmail.

If medicine begins to actively use AI for diagnostics, this may allow hackers to carry out full-fledged attacks on AI models, for example, through data poisoning, the expert warns. All this can lead to a misdiagnosis of the patient if the diagnostician or doctor entrusts the verification of the diagnosis to the system.

Hacker. Photo: IZVESTIA/Yulia Mayorova

In addition, according to Dmitry Tsarev, head of the BI.ZONE cloud cybersecurity solutions department, since the beginning of 2026 BI.ZONE Mail Security has recorded a series of similar mail attacks on medical organizations. The attackers send messages on behalf of technical support, informing the recipient that their corporate mailbox has allegedly been blocked and that access must urgently be restored. Such letters mimic official notifications and appeal to a sense of urgency, the expert notes.

How to protect yourself from cyber attacks on medical institutions in Russia

The cyber resilience of medical institutions, like the stability and continuity of the most important functions of the state, must be built comprehensively, says Dinar Mulyukov, head of the Innostage public sector cooperation group, in an interview with Izvestia. Protection should start from within, with employee cyber hygiene, and extend to advanced tools for continuous assessment of cyber resilience such as open cyber exercises and bug bounty programs (vulnerability hunting), the expert believes.

"The complex of measures for the protection of medical institutions includes building a full-fledged information security system, implementing incident monitoring and rapid response systems (SOC/SIEM), installing information security tools (SPI) and carrying out regular work in all similar areas," adds Alexey Korobchenko, Head of the Information Security Department at Security Code.

Hacker. Photo: IZVESTIA/Alexander Kazakov

According to Valeria Vorobey, a cyber intelligence expert at Angara MTDR, a basic level of protection requires security tools (SPI) on workstations and servers, adherence to the principle of least privilege for employee accounts, and regular inventory and review of access rights. It is important to apply OS and application updates in a timely manner, closing critical vulnerabilities first.

To reduce the risks of phishing attacks, you should set up mail protection and multi-factor authentication for key systems, as well as increase staff awareness in the field of information security. It is recommended to have backups and an infrastructure recovery plan in order to survive incidents without critical consequences, the expert concludes.

Translated by the Yandex Translate service