IT EXPERTS have begun a widespread audit of Government departments to identify other areas that may have been subjected to a cybersecurity threat.
Minister for eGovernment Ossian Smyth has said HSE back-up servers are intact and accessible, in a major victory for the State and Government over Russian hackers.
But he said the National Cyber Security Centre (NCSC) has kick-started an extensive search, with all chief information officers (CIOs) in agencies across the State told to hunt for the Russian mole malware from this morning, after being sent secret information on what to search for.
Mr Smyth said: “The NCSC has put out secret information to CIOs to tell them how to search for this activity on their systems.
“My first priority of concern was about (the ransomware attack) spreading to other places, the Department of Finance, for instance. That appears not to have happened. Work has been going on all through the weekend, all through the night in some cases, and will continue today.”
Both the FBI and the UK’s National Crime Agency (NCA) are expected to assist the investigation into the hack of the HSE’s servers.
The ransomware attack led to the health service’s system shutting down.
Wizard Spider, a Russian-based cyber gang, are suspected of being behind the attack in which the HSE servers were compromised weeks before the hack was identified.
The criminal gang have used a similar ‘Conti’ ransomware to infiltrate and extort large organisations in recent months. They are currently under investigation by the FBI for carrying out several attacks on hospitals in the US, and have also come to the attention of the NCA in England.
The two agencies will liaise with the Irish investigation through Interpol because of their previous experience of the hackers and intelligence on them.
Europol is also assisting Irish officials and will analyse digital malware recovered from the attacks on the HSE and Department of Health.
Most specialists in major arms of the State spent the weekend searching for similar hacking attempts — with the Department of Health being identified as a victim yesterday.
After being made aware of the attempt on Thursday, the department suspended some functions of its IT systems as a precautionary measure.
“This attempted attack remains under investigation, however there are indications that this was a ransomware attack similar to that which has affected the HSE,” a spokesman said.
Whether an attempt to infiltrate the Department of Social Protection’s systems in recent weeks was part of the attacks will also be investigated. There have been no further signs of spread.
The department is responsible for social welfare including the Pandemic Unemployment Payment (PUP).
However, the attempt, understood to have taken place in the last month, was unsuccessful.
Important patient and employee data has been recovered from back-up servers and three vital areas were still working - the Covid-19 vaccination programme, contact tracing and testing of samples at the National Virus Reference Laboratory.
The testers had “found a way to get their data back to the centre without having to go through HSE systems”, Mr Smyth said, which meant two-day Covid-19 case numbers could be released yesterday.
“That area has been restored very quickly and it’s a promising sign. They are responding and rebuilding very quickly,” he added.
There is no question of the Government paying a ransom. But personal health data of millions of citizens may be sold on the dark web - allowing for future phishing attempts on individuals, or other extortion.
Despite being the focus of international police forces, it is unlikely the hackers will be caught.
A senior source told the Irish Independent: “Security agencies across the world are investigating the activities of this gang.
“Unfortunately, from what has been seen of their methods and experience, the chances of these individuals being arrested and charged for their cyber crimes are very small.”
Wizard Spider are understood to specialise in espionage attacks where sensitive information is stolen, before an agency is extorted in the hope of money being paid over.
The sums demanded are usually in the multi-millions.
The motive of the cyber gang is financial, as opposed to using sensitive information for any other reason.
Concern about the gang and their attacks grew to such a level that the FBI and other US agencies issued a warning about their modus operandi last October.
Digital footprints recovered from the attacks will be sent to specialists at Europol’s Malware Analysis System in the Hague as part of the inquiry.
All systems are now expected to be operational again within days, with Ireland’s fragmentary health system preventing cross-contamination.
Many major hospitals, such as St Vincent’s in Dublin, have remained fully operational with unaffected access to data.