Full Report
„Late last night, we received information from the head of the State Accreditation Service for Health Care Activities regarding a cyber incident that had been contained in the information subsystem they manage,“ Jakubauskienė said at a press conference in the Seimas on Wednesday. „According to preliminary data, an unauthorised login was performed by exploiting a vulnerability in the third-party open-source tool ‘Apache Superset.’ This is not the central e-health system where sensitive patient data is stored,“ she emphasised. According to the minister, during the incident, the attackers accessed the professional and contact information of specialists, more than 62,000 records, data on institution administrators, hierarchical competencies, and system technical metadata.
Analysis Summary
# Incident Report: Unauthorized Access via Apache Superset Vulnerability
## Executive Summary
A cyber incident targeted the State Accreditation Service for Health Care Activities (Lithuania), resulting in the unauthorized access of over 62,000 specialist records. The attackers exploited a vulnerability in the third-party open-source tool "Apache Superset" to bypass security controls. The incident was contained within 41 hours, and sensitive patient data in the central e-health system remained unaffected.
## Incident Details
- **Discovery Date:** Overnight, June 8–9, 2026
- **Incident Date:** June 7–8, 2026
- **Affected Organization:** State Accreditation Service for Health Care Activities (under the Ministry of Health)
- **Sector:** Healthcare/Government
- **Geography:** Lithuania
## Timeline of Events
### Initial Access
- **Date/Time:** June 7, 2026
- **Vector:** Exploitation of a software vulnerability.
- **Details:** Attackers exploited a known or zero-day vulnerability in **Apache Superset**, a third-party data visualization tool, to perform an unauthorized login.
### Lateral Movement
- **Details:** Information restricted. The report notes the system was accessed via the e-government gateway rather than directly, suggesting the attackers moved from the vulnerable tool into the subsystem managing specialist data.
### Data Exfiltration/Impact
- **Details:** Access and potential exfiltration of over 62,000 records containing:
- Professional and contact information of specialists.
- Data on institution administrators.
- Hierarchical competencies.
- System technical metadata.
### Detection & Response
- **June 8-9 (Night):** Incident detected by system monitors/providers.
- **June 9 (Evening):** Minister of Health notified; Prime Minister informed.
- **Within 41 Hours:** Incident fully contained.
- **Within 72 Hours:** Formal reporting to the State Agency for Digital Solutions and regulatory bodies completed.
## Attack Methodology
- **Initial Access:** Exploitation of a vulnerability in the third-party tool "Apache Superset."
- **Persistence:** Not disclosed; containment suggests access was severed via blocking the breach point.
- **Credential Access:** Unauthorized login performed by bypassing/exploiting software logic.
- **Discovery:** Access to system technical metadata and hierarchical competencies.
- **Collection:** Gathering of 62,000+ specialist and administrator records.
- **Exfiltration:** Unauthorized access to contact and professional data.
- **Impact:** Data breach of healthcare specialist information.
## Impact Assessment
- **Financial:** Specific costs not disclosed for this incident (Note: Related RC incident cited damages of €111,000).
- **Data Breach:** High volume (62,000+ records); includes PII (contact information) and technical metadata.
- **Operational:** System remained functional but required emergency patching and containment within a 41-hour window.
- **Reputational:** Significant; follows a string of incidents at other Lithuanian institutions (Centre of Registers and MIA).
## Indicators of Compromise
- **Network indicators:** Information not provided in the public statement.
- **File indicators:** Information not provided.
- **Behavioral indicators:** Unauthorized login events originating from the Apache Superset service.
## Response Actions
- **Containment:** Provider blocked the breach within a few hours of detection.
- **Eradication:** Vulnerability patching/isolation of the Apache Superset instance.
- **Recovery:** Continuous monitoring established to ensure no persistent backdoors remain.
- **Legal:** Contacted the Prosecutor General’s Office for a criminal investigation.
## Lessons Learned
- **Third-Party Risk:** Even systems that pass cybersecurity tests and are accessed via "e-government gateways" are vulnerable if third-party open-source tools (Apache Superset) are not strictly hardened or patched.
- **Response Speed:** Containment within 41 hours and notification within 72 hours meets regulatory requirements, but the initial 24-hour gap between the start of the attack and detection highlights a need for better real-time alerting.
## Recommendations
- **Patch Management:** Immediate audit of all open-source third-party tools (especially Apache Superset) for known vulnerabilities (e.g., default SECRET_KEY issues or CVE-2023-27524).
- **Software Supply Chain:** Implement stricter vulnerability scanning for integrated third-party subsystems.
- **Zero Trust:** Even if a system is behind an e-government gateway, internal tools should require secondary authentication and restricted network access.