The Ministry of Labor is still dealing with the consequences of the cyberattack it suffered on June 9. As several of its officials explained to elDiario.es, the Labor Inspectorate, the National Institute for Safety and Health at Work and the Salary Guarantee Fund (Fogasa) have been completely paralyzed since then, while common Ministry tools such as the email service have not been restored yet either. The Labor Inspectorate is the unit most affected and the one that the technicians believe was the entry point of the infection, the same sources say.
The malware used in the cyberattack was a variant of Ryuk, the same type of virus that took down the State Public Employment Service (SEPE) for several weeks in March. It is ransomware (from the English word "ransom"), which encrypts all the victim’s files and demands a ransom in exchange for the key to decrypt them. However, the version of Ryuk used against the Ministry of Labor had been updated to be able to break through the defenses that were introduced in the computer equipment as a result of the offensive against the SEPE.
This has been an added problem when recovering the affected equipment and has forced the technicians to “vaccinate them one by one”, a process in which members of the National Cryptological Center are collaborating. The center is the agency dependent on the CNI that is in charge of the cybersecurity of public administrations. “Right now, 80% of the computer equipment of the central services of the Ministry is unused,” says Josetxo Gándara, head of Union Action for the CCOO General State Administration sector. “The impact continues to be brutal,” he warns.
The department headed by Yolanda Díaz, which moments after the infection reported that it had not had a “great reach”, trusts that a notable part of its activity can be restored in the next few hours thanks to an update of all the units. Specialists from its technical department cast doubt on this: “In three or four days we could start working. Completely? No,” explains an official with knowledge of the recovery work who asks not to be identified.
Right now, the priority of these workers is that “the workstations can begin to start up and connect to access their files. To do this, an independent and external network will be set up, to work internally. When that is done, the first thing we are going to do is bring up all the Labor Inspectorate systems we can. We believe that we are going to have to give up the laptops of many inspectors because their hard drives are going to be encrypted and crushed,” he continues.
Inspectors’ laptops are the most likely infection vector at this time. Ryuk’s entry point into the Ministry of Labor would have been a fraudulent email sent to an inspector, these sources explain to elDiario.es. According to the hypotheses that the technical team is considering, the virus could have spent several weeks in hiding, analyzing the behavior of officials in search of the most efficient method to penetrate the main network and quickly disable it. Despite the “sophistication” of the attack, it is not confirmed that the cybercriminals directly targeted the department headed by Yolanda Díaz.
The positive point, the same sources explain, is that the technicians trust that there has been little loss of information thanks to the backup policy. “We have backup of everything. If what they [the cybercriminals] intended is blackmail, they will not succeed. The problem is the time. If you want to be sure that it will not affect you again, first you have to catch all the agents who have intervened and neutralize them.” Haste already backfired on the Ministry at first, the same sources say, since the order was given to restore the e-mail service as quickly as possible and it had to be taken down again to prevent it from spreading the infection to other units.
Apart from the Labor Inspectorate, the rest of the affected departments remain idle because of the same precaution. “Fogasa, for example, has not been attacked; it has been affected because its communication goes through the Ministry and it is necessary to reinforce all security before reconnecting it, which is why it has been delayed. But they are already beginning to reconnect everything. They have no data loss; in their case security is only being reinforced, as usual after each attack,” official sources say in this case.
The cyberattack against the Ministry of Labor took place just a few days after the Government approved a “crash plan” with “emergency measures” in the face of the avalanche of hacks that public institutions are suffering. In 2021 alone, the Ministry of Economic Affairs, the Ministry of Industry, the Ministry of Education, the Ministry of Justice, the Ministry of Science and important public bodies such as the Nuclear Safety Council and the Court of Accounts have been affected. The attack on the SEPE was the most serious of all of them: its workers had to return to pen and paper to maintain at least part of their activity.