A plastic surgery clinic in Lithuania has been penetrated by hackers believed to be from Russia. The cyberattack has resulted in the theft of 25,000 private photos taken before, during, and after plastic surgery.

Due to the nature of the work, Grozio Chirurgija clinics often have to take naked photos of patients in order to finalize decisions in advance of procedures. According to police, those sensitive photos are among the images that are now making their way onto the internet.

The attack is evidence of a brand new cyber-ransom technique. It differs somewhat from the ransomware attacks that we have become accustomed to, such as the recent WannaCry attack.

Nude Photos

Among the photos leaked by the hackers (known as Tsar Team) are images of patients not only from Lithuania but from the UK, Germany, Norway, Denmark, and other countries. The reason for the international clientele is that Grozio Chirurgija clinics are well known for outstanding results and low costs. The Grozio Chirurgija website states,

“The professional plastic surgeons in Lithuania are ready to do everything for affordable prices.”

In addition, Grozio Chirurgija clinics are willing to consider performing enhancements and alterations that other clinics may have already refused.

For some international customers who have traveled to Lithuania to have affordable surgery, the result has been ransom.

In this redacted image of a victim database leaked by Tsar Team, a ransom fee can be seen next to a rating of ‘moderate,’ ‘high,’ or ‘critical’.


The victims (who are named in the un-redacted database) are being given the option to pay a sum of money in order to stop their photos from being released online.

Ransom Without Malware

The cunning ransom attack differs from the usual form of monetizing hacking by praying on image-conscious patients. So far, it is unknown how many people have paid their ransom. However, it is known that the first 150 photos were published in March, in order to frighten other patients into paying up.

Now, three months later, the rest of the photos have been dumped on the internet – presumably because those victims failed to pay the sum that was demanded from them.

Deputy Chief of Lithuania’s Criminal Police Bureau, Andzejus Raginskis, said that many people have come forward saying that they have been blackmailed for their photos:

“It’s extortion. We’re talking about a serious crime.”

The Lithuanian television channel Lrytas TV confirmed yesterday that the Tsar Team hackers had indeed stolen before and after photos of plastic surgery patients. Unfortunately for victims of the cybercrime, however, those photos are perhaps the least of their worries. Hackers also made off with documents including photocopies of passports, social security numbers, and other highly sensitive data. Some victims were asked to pay up to €2,000 ($2,238) in order to stop their data from going public.

plastic-surgeon.jpg
Grozio Chirugija clinic photo from Instagram

The €344,000 Get Out Clause

Sadly for their extorted customers, the Lithuanian plastic surgery clinic decided not to pay the €344,000 ($385,000) fee that the Tsar Team hackers promised would be enough for them to delete all of the patient data they had stolen. Instead, the budget hack shop decided to let every man fend for himself.

This is what Jonas Staikunas, the managing director of Grozio Chirurgija, had to say:

“Cyber-criminals are blackmailers. They are blackmailing our clients with inappropriate text messages.

“Clients, of course, are in shock. Once again, I would like to apologize.”

The Tsar Team Hackers

The Tsar Team hackers said to be responsible for this attack are believed to be from Russia. One reason for this is that they have often been implicated in hacking Russian adversaries.

The well-known hacking collective is also sometimes called APT28, Sednit, Fancy Bear, Sofacy, and Operation Pawn Storm, by various different cybersecurity firms. The hackers primarily use an attack vector that involves spear phishing in order to gain access to machines.

Previously, FireEye/Mandiant had expressed their belief that the hackers may have official connections to the Russian government. This attack, however, stands out from the hackers’ past endeavors. Up to now, Tsar Team (actually better known as APT28), has targeted NATO, the governments and militaries of Eastern European countries, and other high profile targets.

The same hackers are believed to have carried out last year’s penetration of the World Anti-Doping Agency (WADA). The attached was believed to be a stand against Russian athletes (including the Paralympic team) being banned from competing in the Rio Olympics.

Lithuanian police are working closely with police from across Europe and have warned that even people who download and store the stolen database of photos and private data could be prosecuted.

Grozio Chirurgija clinic has urged its former patients not to open the messages and emails that hackers send them, and to inform the police right away instead.


As such, it is possible that this attack was perpetrated using similar techniques and tools as those employed by APT28 – but not actually by the same hackers. For now, this side of the attack remains a mystery. We will have to wait and see what cybersecurity firms like iSIGHT, Fire Eye, and CrowdStrike have to say, but something certainly seems to be amiss. Furthermore, as the Wikileaks ‘Vault 7’ leaks about the CIA prove, it is possible for hackers to use tools to make attacks appear to have come from elsewhere.



BestVPN