2021-05-21

On Thursday of last week, the two million Covid jab mark was reached in this country. Micheál Martin tweeted that it was “another important milestone” and paid tribute to the “dedication of vaccine teams”.

But just a few hours after the Taoiseach’s feelgood tweet, the first sign emerged that Ireland’s health service was about to be hit by a fresh crisis of enormous magnitude.

On Thursday afternoon, a warning appeared on the Department of Health’s anti-virus software. Officials immediately sought the advice of the National Cyber Security Centre (NCSC) and a red flag was raised.

It was discovered that a malicious piece of software known as a malware dropper had infected the system and was allowing hackers to gain access.

The NCSC moved quickly. International health agencies were notified and the Health and Safety Executive (HSE) was advised to shut down its IT system. Then, at 6.46am, on Friday, May 14, the HSE alerted the NCSC to yet another attack.

It soon became apparent that the HSE had been hacked on a scale never before seen in this country and it was reported that the criminals who masterminded the attack were seeking a ransom of up to $20m (€16m) in Bitcoin payments.

Ransomware attacks happen with increasing regularity, but this was the first time anywhere in the world that a country’s entire health service had been deliberately targeted.

Experts have been especially concerned that Conti ransomware was employed in the attack: discovered in May 2020, it is human-operated and is referred to as a “double extortion” ransomware that steals and threatens to expose information as well as encrypting it. A website called Conti News has published data stolen from at least 180 victims.

By Thursday of this week hopes were raised that at least part of the problem could be solved when the cybercrime group behind the hack provided a decryption key. It was hoped that this had the potential to unlock data that was disabled by the ransomware.

However, there were still fears that the criminals would still have access to stolen data including confidential patient information.

Concerns about the HSE’s IT system had been flagged three years ago in its annual report. “Internal audits have identified vulnerabilities in the area of security controls across parts of the domain,” it read, “including application password protocols and the management of secure access. Weaknesses have been acknowledged in some of the areas audited in disaster recovery protocols, particularly in relation to older and legacy systems.”

The report promised change, but in January 2020, the scale of the deficiencies in the HSE’s computing system was laid bare. It was reported that 46,000 devices were still using Windows 7 despite the fact that Microsoft was planning to end critical updates to the then 11-year-old operating system on January 14.

The UK’s national cybersecurity organisation had warned all users of Windows 7 to be mindful of cyberattacks once updates — or patches, as they are known in the industry — were halted: “We would urge those using the software after the deadline to replace unsupported devices as soon as possible, to move sensitive data to a supported device, and not to use them for tasks like accessing bank and other sensitive accounts. They should also consider accessing email from a different device.”

But when the HSE was hacked, some 37,000 devices were still using Windows 7. This week, a spokesperson denied that the old software had caused the leak: “We know from our initial assessment that this issue did not contribute to this incident.”

The ramifications of the hack were felt immediately. Appointments for hospital procedures were cancelled and payroll issues presented themselves. The daily tally of Covid vaccines administered also could not be given.

As it tried to deal with the cyber attack the HSE was facing a bill of tens of millions of euro, but by Thursday of this week remained adamant that a ransom would not be paid, with Chief Executive Paul Reid insisting earlier that to do so would be “a race to the bottom”. That is despite a reported demand from the criminals that if money is not paid by next Monday “we will start to sell and publish your data”.

[Photo: HSE Chief Executive Paul Reid has insisted that paying any ransom would be “a race to the bottom”]

It is thought that the gang behind the attack is an 80-strong team of software specialists based in the area of St Petersburg in Russia. The group is known as Wizard Spider.

It has been reported that the Russian-based hackers avoid carrying out attacks inside their own country, and avoid foreign travel.

They claim to have gained access to the HSE server two weeks before the breach was identified and said they had stolen 700GB of unencrypted files — including patient and employee information, contracts, financial statements, payroll and more.

They reportedly told the HSE: “The good news is that we are businessmen. We want to receive ransom for everything that needs to be kept secret, and we don’t want to ruin your business.”

Staff at the Rotunda Hospital also received a message when they turned on their computers. “It would be better for both of us if you contact us ASAP. We downloaded your data and will publish it.”

For Eoin Goulding, CEO of cybersecurity specialist Integrity360, the HSE was correct to indicate at the outset that it would not entertain the idea of paying the ransomers.

His firm is often called in to help firms who have been the victims of ransomware.

“In 99pc of the stuff we do, they don’t pay up. We have scenarios where people have paid up and then they ask for more money and yet more money.”

$4.4m payment to hackers

Goulding says many of those hit with ransomware attacks don’t go public, and sometimes opt to pay ransoms via insurance policy payouts.

This week, America’s largest fuel pipeline, Colonial Pipeline, admitted it had paid $4.4m to hackers in an effort to restart its business quickly.

Joseph Blount, Colonial Pipeline’s CEO, told the Wall Street Journal he authorised the payment because the corporation did not know the extent of the damage and could not be sure how long it would take to bring the pipeline’s systems back.

“I know that’s a highly controversial decision,” he told the newspaper. “I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this. But it was the right thing to do for the country.”

[Photo: Motorists queue at a Circle K petrol station in North Carolina after fuel shortages in the area following the Colonial Pipeline hack.]

And, earlier this year, the clothing retailer FatFace was moved to pay a $2m ransom after being the victim of a Conti ransomware attack. The firm felt it had no choice after customer and employee information was stolen.

Eoin Goulding says the pandemic and the dominance of remote working has helped the hackers.

“If you’re in the office, you’re sitting behind a perimeter of lots of different security tools and then when you’re working from home, a lot of that isn’t there, but if you make the right investment you can make your business agile — and that will save you money.”

Goulding says many businesses and organisations simply aren’t prepared for the threat posed by hackers.

“We go into really large organisations who’ve been around for a long time but have an immature cybersecurity resilience capability. They might have made the investment in the technology but they haven’t invested in processes or their own people. The best value every company would get is to have their own people doing cybersecurity awareness training.”

Another Irish cybersecurity specialist, Brian Honan, CEO of BH Consulting, says the hacking of the HSE has become a global news story.

“This is one of the biggest, if not the biggest cyberattack against the State,” he says, “especially from an impact point of view — look at the disruption it has caused to hospitals to provide service for patients.

“To recover from this kind of attack is a very time-consuming process. You basically have to examine each individual computer and system and verify that it’s clean and if it has been infected, you have to clean it up.

“And when you bring your data back online, you also have to verify that that has not been contaminated in any way. It’s a very slow, arduous process and there’s a huge cost in terms of human resources time and having to buy new computers and so on.”

Honan believes criminal gangs, such as Wizard Spider, have seen Covid as a boon to their nefarious trade.

“The pandemic has given the criminals a perfect storm to victimise people and companies.

“Many businesses had to rush to get people to work remotely. Some staff may not have had company computers to work on — they were using their own personal devices. Companies suddenly had to increase their capacity for remote workers to connect in with the various different gateway technologies and that has led to some security weaknesses in some companies.

“Typically, criminals send emails that have contaminated links in them, or attachments, and they try to trick people to click on them. Covid-19 has given them lots of good material to click on links, like pretending to be from a delivery company, or a confirmation of an online purchase, or money refunded from an airline ticket.”

Honan says hackers such as Wizard Spider have become much more savvy about tricking people into inadvertently clicking on links that launch malware, and says it is possible that the damage caused to the HSE was initially carried out in such fashion.

Ciaran Martin, a native of Northern Ireland, is one of the UK’s leading experts on cybercrime. He was the founding chief executive at the National Cyber Security Centre and is now professor of practice in the management of public organisations at the University of Oxford.

He says the attack on the HSE is fast becoming “one of the most closely watched extortion cases in the history of cyber extortion”.

‘I cannot think of a parallel’

“In terms of an attack to extort money through blocking access to networks and threatening to release data, it’s very normal — in fact, it’s almost ubiquitous at the moment across the western world,” he says.

“However, in terms of a targeted attack on a state-run healthcare system, I cannot think of a parallel. It’s really baffling and it feels as though there’s a certain amount of bad luck on Ireland’s part.

“Ransomware,” he adds, “is nothing more than extortion and extortion tends to work in private for people who can pay easily and more often than not ransomware is targeted at wealthy private companies who will pay quietly to make it go away.”

Martin says most of the extortion gangs are based in the former Soviet Union.

“The big ransomware groups in recent years have consolidated very much in Russian-speaking areas — not all of them are Russian, but they’re all Russian-speaking.

“They’re not technically brilliant, but they’re all very well organised and they’re run like a business. They even talk about ransomware as a service. They have dark web media profiles and they have stories to tell — they’ve almost got public relations facilities.

“Some of them will say — and will actually appear to mean it — that, ‘We won’t attack healthcare — we’re honourable, we’re just making money so we’ll just attack companies’. But, clearly, these guys [Wizard Spider] feel differently.”

Jude McCorry from Cavan became the chair of the newly formed CyberScotland Partnership this week. Its aim is to ensure organisations are fully supported following attacks or attempted breaches and to make Scotland a more cyber-resilient country.

[Photo: ‘The cyber gang could double-dip’: Jude McCorry, from Cavan, who became the chair of CyberScotland Partnership this week]

“The really worrying thing about the HSE one is that it shows that some of the cyber gangs are attacking healthcare services and they don’t care about it,” she says, “whereas the Colonial Pipeline attackers, [criminal gang] DarkSide, say they will not cause harm to government agencies or anything to do with human life.” (It’s been reported that DarkSide extorted more than $90m from 47 ransomware victims.)

McCorry believes the HSE was correct when they said at the start that they would not pay the ransom. “They could double-dip, because they are extortionists — they could come back and go, ‘Actually, we didn’t get enough for that’. The cyber gangs know that for some companies their insurance policies will cover ransomware payments, of up to £5m in some cases, and the story was that hackers were hacking into insurance companies to see who was insured and they were going after those companies.”

While McCorry understands why some victims feel they have no option but to pay the ransom, she says that ultimately that helps to fuel crime. But it’s not just government institutions and companies that are at increasing risk of cyber crime. Jess Kelly, presenter of Newstalk’s Tech Talk show, says ordinary members of the public are fair game too.

[Photo: The cyber gangs know that for some companies their insurance policies will cover ransomware payments, of up to £5m in some cases]

“Cyber attacks happen every single day of the week here in Ireland and have been happening for quite some time,” she says. “People have been receiving phishing attempts, whether that’s on email, text, WhatsApp, and they may not have even realised it.

“Since Christmas, I’ve heard from people saying that they’ve received a text purporting to be from a delivery company and that their delivery is being held as a result of the Brexit import charges and all they have to do is put in their bank details and they pay a small fee to get their packages.

“Those small-time hacks and scams can have a big impact. They’re something that can’t be ignored — and they’re much more plausible and insidious than before.

“It’s come a long way since those emails from a Nigerian prince offering to give you a million euro.”