Cryptomining botnet on MR/CT devices at a 300-bed hospital · ICU monitors protected
At a 300-bed public hospital, IT noticed packet delay on ICU monitors from the medical device network. 47 devices (MR, CT, biochemistry) were cryptomining with a Mirai variant + Monero miner. DSET isolated the medical device VLAN, secured the ICU; after IEC 80001 + ISO 27799 compliance, 24 months clean, and the Ministry of Health awarded a "model hospital" title.
01 The Challenge
An IT analyst saw in Wireshark that the medical device VLAN was generating 78% CPU (normal 15%). Packet delay on the ICU monitors = a vital monitoring risk. 47 devices infected (Hikvision firmware exploit + Monero miner XMRig). Attack vector: device default credentials (admin/12345) + a medical VLAN ↔ IT VLAN bridge. One patient in critical condition experienced a monitoring problem (was saved).
02 DSET's Approach
T+0 · VLAN isolation
The medical device VLAN was isolated immediately, the network split. ICU monitor packet delay recovered and patient safety was ensured.
T+4h · USOM coordination
Ministry of Health notification + USOM coordination. Within 4 hours 3 other hospitals were diagnosed with a similar situation and national coordination began.
T+24h · Manufacturer support
Coordination with GE Healthcare + Siemens + Hikvision. Firmware reset per device 90 min × 47 devices = 70 hours of workload.