Hacker attack on Düsseldorf University Hospital – cyber criminals got in through the VPN interface

SAST Blog: Hacker attack on Düsseldorf University Hospital – cyber criminals got in through the VPN interfaceIn September 2020, the attack made headlines:

  • Hackers responsible for IT disruption at Düsseldorf University Hospital.
  • Hackers under investigation: Woman dead after attack on University Hospital.
  • Hacker attack on Düsseldorf University Hospital: Investigation into involuntary homicide opened.

A hacker attack can be fatal. Data, goods and assets aren’t the only things to consider: Human lives are at stake where public spaces, in particular public health, is concerned.


After the fact and while the case is being worked, calls for digital “safe rooms” are increasing. Hospitals and clinics are assets – critical infrastructure – requiring particular protection (KRITIS). This means software must be up to date and IT staff must be specialized to be able provide this higher level of IT security.

What happened at Düsseldorf University Hospital

The IT outage at Düsseldorf University Hospital has been proven to be the result of a hacker attack. The perpetrators left a ransom note on a Düsseldorf Heinrich-Heine University server. In the note, the criminals demanded that the university make contact –allegedly, no ransom money was demanded.

The University Hospital was unable to function for days: Contingency planning was unable to be put into practice, meaning emergency and rescue services could no longer use the hospital. And the most fatal consequence of this was that one patient with an emergency could not be brought in. Instead, she was taken to the hospital in Wuppertal, much further away. There, she died because she was unable to be treated sooner. The German public prosecutor has opened an investigation against any hacker or hackers involved.

The perpetrators took advantage of a vulnerability in the Citrix VPN software for which a solution had actually already been made available.

Düsseldorf University Hospital detected the security issues in that application in December 2019 and did take it seriously. The security patch provided was imported on the same day it became available. The university hospital thus believed there to be no indication of a threat. But hackers had already gained access long before the loophole was closed.

BSI President Arne Schönbohm published a statement about this. “We warned about this vulnerability back in January and provided information about the consequences of such an exploit. Attackers gain unauthorized access to internal networks and systems, and may wait several months before crippling them. Yet again, this incident demonstrates just how seriously this threat must be taken.”

This is why the German Federal Office for Information Security (BSI) has made an urgent call for organizations to import the Citrix updates that have been available since January 2020, as these will close the loophole. However, cyber criminals can still access any internal networks and IT systems which were compromised before installation of the Citrix updates!

What solutions are available to improve your IT system security against a hacker attack like this?

Every time hacker attacks like this become public, the question arises as to how well the IT systems were secured, whether personal data was affected and whether there was unauthorized access to personal data. Where the highly sensitive data in patient records is concerned, it is truly the worst case scenario. For this reason, the German Federal Minister of Health decided on Sep. 18, 2020, to free up an additional EUR 3 billion for improving and protecting their IT systems against cybercrime. And it is crucial to take immediate action here because even just one unsecured interface can be used in a cyberattack to gain access to the sensitive data found in SAP systems.

We consider it the duty of those charge of IT departments to learn what can be learned from yet another incident and to regularly review the existing measures protecting IT and SAP landscapes. The BSI agrees: It advises validating network infrastructures and IT systems again right now to check for anomalies and take appropriate protective measures. In addition, it also suggests involving an external provider specialized in IT security, as needed.

Our recommendation, in turn, is that the sooner you start with an end-to-end strategy, the better a position you will be in to protect your systems against internal and external threats. As a rule, every system is vulnerable. With the right threat-intelligence solution, you make your company a more difficult, more time-consuming and therefore less attractive target. Because attackers are always seeking to perfect their tactics, internal security systems must always be up to date, allowing you to react to threats as they arise in real time. All too often, both internal resources and the required, highly specialized security expertise are lacking.

Success in three steps:

  1. Begin by analyzing your vulnerabilities.
  2. Next, close loopholes by priority.
  3. Finally, prevent no new vulnerabilities from arising.

This may appear complex. But when compared with the damage incurred by a cyberattack, this effort required is no longer a valid objection.

Are you interested in learning more about data security in SAP landscapes? Feel free to visit our SAST SOLUTIONS website or just get in touch.

Matthias Anstötz (SAST SOLUTIONS)
Matthias Anstötz (SAP Security Consultant, SAST SOLUTIONS)


This might also be of interest:

SAP security: Rest easy with a threat intelligence solution

SAP home goes rogue – preventable attack vectors through the SAP GUI