17th June 2021

Anatomy of a cybercrime: the HSE attack one month on

Just over a month has passed since Ireland was rocked by the callous actions of an organised cybercrime gang. Their cyberattack, first on the Department of Health and then on the HSE, is the most serious ever on the state’s critical infrastructure.

The Department of Health acted quickly enough to prevent the criminals from detonating their ransomware, known as Conti, in its systems. The HSE, however, was not so lucky.

The HSE first realised it was under attack in the early hours of Friday morning, 14 May. By then, it was too late: the criminals had already executed their ransomware payload and the HSE's systems were disabled. The attack has badly damaged the HSE and health services across Ireland.

The HSE has had to shut down its systems and bring in specialists to go carefully through each part of its network, step by step: find the malware, block the attackers' IP addresses and domain names, secure privileged accounts, clean, rebuild, and update every infected device, ensure antivirus is up to date on all systems, make sure all devices are patched, and ultimately restore the data.
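One of the first steps in that list, finding which machines talked to the attackers' infrastructure so they can be isolated and rebuilt, is usually done by matching a list of indicators of compromise (IOCs) against DNS and proxy logs. The script below is an added illustration of that triage step and is not code from the HSE, the article, or any incident responder; the IOC addresses (drawn from the reserved TEST-NET ranges and `.example` names), the log format, and the hostnames are all constructed for the example.

```python
"""Added example: match a list of attacker IPs and domains against DNS/proxy
log lines to find hosts that need isolating. IOCs and logs are constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed indicators: reserved documentation ranges and .example names,
# NOT real Conti or Wizard Spider infrastructure.
IOC_IPS = {"203.0.113.45", "198.51.100.7"}
IOC_NETS = [ipaddress.ip_network("192.0.2.0/24")]
IOC_DOMAINS = {"update-check.example", "cdn-static.example"}

# Constructed log lines in a simple "timestamp host kind target" format,
# where kind is "dns" (a name lookup) or "conn" (an outbound connection).
SAMPLE_LOG = """\
2021-05-13T23:41:02Z WS-0142 dns update-check.example
2021-05-13T23:41:03Z WS-0142 conn 203.0.113.45:443
2021-05-13T23:55:19Z SRV-FILE01 conn 192.0.2.77:445
2021-05-14T00:02:50Z WS-0311 dns mail.example.org
2021-05-14T00:03:11Z WS-0311 conn 198.51.100.7:443
2021-05-14T00:10:00Z WS-0099 dns sub.cdn-static.example
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (dns|conn) (\S+)$")


def domain_matches(name, iocs):
    """True if name equals an IOC domain or is a subdomain of one.

    Comparison is case-insensitive and ignores a trailing dot, so
    'Sub.CDN-Static.example.' still matches 'cdn-static.example'.
    """
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in iocs)


def ip_matches(addr, ioc_ips, ioc_nets):
    """True if addr (IPv4 with optional :port) is a listed IP or inside a listed network."""
    host = addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an address at all; never a hit
    return str(ip) in ioc_ips or any(ip in net for net in ioc_nets)


def find_hits(log_text, ioc_ips=IOC_IPS, ioc_nets=IOC_NETS, ioc_domains=IOC_DOMAINS):
    """Return {host: [(timestamp, kind, target), ...]} for every line matching an IOC."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort mid-triage
        ts, host, kind, target = m.groups()
        if (kind == "dns" and domain_matches(target, ioc_domains)) or (
            kind == "conn" and ip_matches(target, ioc_ips, ioc_nets)
        ):
            hits[host].append((ts, kind, target))
    return dict(hits)


def hosts_to_isolate(log_text):
    """Sorted list of hosts with at least one IOC hit."""
    return sorted(find_hits(log_text))


if __name__ == "__main__":
    for host, events in find_hits(SAMPLE_LOG).items():
        print(host)
        for ts, kind, target in events:
            print(f"  {ts} {kind} {target}")
```

Matching subdomains and whole networks, not just exact strings, is the point worth noting: an attacker who rotates to `sub.cdn-static.example` or a neighbouring address in the same block is still caught, while a look-alike such as `cdn-static.example.org` is not flagged. On a real network the log source would be the DNS resolver or proxy rather than an inline string, and the IOC list would come from the incident response team.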

One month on, only a third of the HSE's systems have been restored, and up to 30,000 laptops will need to be procured to replace devices written off as unrecoverable.

Admirable communications

The group behind the attacks is a highly technically proficient gang of criminals known as ‘Wizard Spider’. In the aftermath of the attack, Wizard Spider sought a ransom of $20 million in exchange for a decryption key that would, allegedly, let the HSE and the Department of Health recover the files the ransomware had encrypted.

However, the Government’s position from the start has remained the same—Ireland will not pay. This has been repeated since the attack occurred.

HSE Director-General Paul Reid was quick to communicate the facts and manage expectations. (Photo credit: Leon Farrell)

In fact, the HSE’s communications response has been admirable. From the outset, they have delivered information in a quick, clear, and transparent manner. They have openly shared what they do not know about the attack as much as what they do know.

They have communicated broadly, repeatedly, and through multiple channels that they will not pay any ransom. For its crisis communications, the HSE, and in particular its Director-General Paul Reid, should receive top marks.

All sides involved insist that no money has changed hands and that no agency, representative, or private individual, directly or by proxy, has or will pay any ransom, and that none will be paid or disguised in any fees paid to a commercial company. The Government cannot be seen to capitulate to the demands or support the business model of organised crime.

Furthermore, the state made a pre-emptive strike to limit the gang’s options and devalue their stolen data through the courts. The HSE took the imaginative and proactive step of securing a High Court injunction against the hackers.

The main purpose of the ‘super-injunction’ is to put legitimate information service providers such as Google, Twitter, and Facebook on notice of a legal prohibition on the sharing and publication of the HSE information.

Has the cyberattack backfired?

Amid work to repair the damage and repeated statements that no ransom would be paid, it came as a surprise to all when Wizard Spider released a decryption tool for the HSE data. The tool is highly flawed, meaning decryption is far from complete (if it is even possible at all), but the act has raised many questions.

It is not clear why Wizard Spider released the tool or why it did so publicly. Gangs like to operate covertly, make their demands, take their money, and move on quietly to the next target.

However, one of the problems Wizard Spider has created for itself is that it has drawn international attention to its criminal activities; the HSE hack is now a global story. Another problem is not just the unwillingness of the Government to pay any ransom, but the unwillingness of any agency apart from law enforcement to engage with them.

A third problem is that Wizard Spider has attacked a state agency, which has made the attack a political and diplomatic issue. The Taoiseach has said diplomatic channels were not used to secure the release of the decryption tool, but that statement alone does not hold up under scrutiny.

Minister for Foreign Affairs Simon Coveney meets his Russian counterpart Sergey Lavrov in Moscow in 2019. (Photo credit: Pavel Golovkin)

Russia has long been associated with cyberwarfare, and while there have been no claims of espionage in this attack, it is worth noting that Russia is also widely considered a harbourer of many cybercrime groups. These groups operate within Russia without interference, sparing Russia’s own infrastructure.

An attack on another nation’s state agency, though, prompted a response. Not long after Minister for Foreign Affairs Simon Coveney raised the issue with his Russian counterpart Sergey Lavrov and the Russian Ambassador to Ireland, Yuri Filatov, the decryption tool was made available online. Perhaps the hackers thought twice about biting the hand that feeds them?

Defending against future attacks

This attack has highlighted the severe shortcomings of the Government’s cyber capabilities, as well as its under-investment in critical technological infrastructure.

The vacant role of director of the National Cyber Security Centre is advertised at €87,000 per annum; experts feel this role should be set at up to €290,000 in order to attract the right talent. Rumours abound that the attack was successful, in part, due to the HSE’s continued use of outdated operating systems such as Windows 7, for which Microsoft ended general support, including free security updates, in January 2020.

Ireland, home to many of the largest tech multinationals, fell victim to a cyberattack all too easily. To ensure the health service is never victimised again, and to safeguard Ireland Inc’s reputation as a secure place to do business, the state now has no choice but to invest properly in cyber and develop and communicate a comprehensive defence plan. Failing to do so is no longer an option.

About the author

Karl specialises in public and corporate affairs for clients operating in highly regulated environments. Prior to joining 360, Karl worked in public affairs and public relations with other communication consultancies. He has also worked for high-profile politicians in both the European Parliament and the Houses of the Oireachtas.
