What’s going on with the HSE cyberattack?

17 May 2021

Image: © Negro Elkha/Stock.adobe.com

What is Conti ransomware? Who is Wizard Spider? Here’s what you need to know about the HSE cyberattack.

Last Thursday (13 May), the Irish Health Service Executive (HSE) suffered a “significant and serious” cyberattack.

Healthcare services across the country were impacted in what was said to be the most serious cyberattack ever to hit the State’s critical infrastructure. Forced to shut down their IT systems on Friday, hospitals and other HSE services were left without access to electronic health records, causing significant disruption.

Disruption continued through the weekend and the HSE continues to provide updates on the impact of the attack via HSE.ie.

As of today (17 May), most healthcare appointments will continue as planned. However, the HSE said that x-ray appointments in particular are severely affected.

Covid-19 vaccination services continue to operate with no disruption. Emergency health services across the country are also continuing as usual, however there may be delays in service provision.

What happened?

Investigations into the HSE cyberattack are ongoing but what we do know so far is that Cobalt Strike Beacon, a tool that can give remote access to hackers, was found on the HSE’s IT system. This enabled attackers to move within the computer network and execute their malware.

The malware unleashed by the hackers is a form of ransomware known as Conti.

What is Conti ransomware?

“Conti is designed to be operated by the attacker, rather than via an automated process, and it contains unique features that allow a more targeted and quicker attack,” said Patrick Wragg, cyber incident response manager at Integrity360.

“Conti’s ransomware operations have targeted a wide variety of sectors globally, which include construction, manufacturing and retail,” Wragg added.

Ransomware encrypts the files on a system and demands payment to restore access. The information being held to ransom in this case could include patient data, though this has not yet been confirmed. However, if hackers have gained access to sensitive information such as this via the attack, the HSE could be doubly vulnerable.

Conti is known as ‘double-extortion’ ransomware, meaning that as well as holding access to systems to ransom, the malware might also steal information stored on the system. Hackers can then threaten to release this private information online if a payment is not made.

Has the HSE cyberattack infiltrated other systems?

On Thursday, the National Cyber Security Centre (NCSC) was made aware of the HSE cyberattack as well as an attempted attack on the Department of Health.

The NCSC implemented a response plan that included the suspension of some functions of IT systems as a precautionary measure. In the case of the Department of Health, the attempt to execute the ransomware was detected and prevented by the cybersecurity measures in place.

This attack and the HSE cyberattack are still under investigation by the NCSC, alongside An Garda Síochána, the Office of the Government Chief Information Officer and third-party contractors.

Who is behind the HSE cyberattack?

Wizard Spider, an organised group of cybercriminals based in eastern Europe, is reportedly behind both the HSE cyberattack and the attempted attack on the Department of Health. This group has taken to targeting large organisations with high ransoms in recent years.

“What we’ve seen in our line of work is that the people behind these ransomware attacks are typically organised crime syndicates,” said Smarttech247 CEO and founder Ronan Murphy.

“Some of the high profile attacks on critical infrastructure in Europe and North America in recent times have been carried out by organised crime syndicates coming out of eastern Europe and Russia.”

Why were HSE IT systems shut down?

Shutting down the HSE’s IT systems serves both as a precautionary measure and allows cybersecurity teams to investigate the attack.

“In shutting everything down, it would appear HSE were unable to confidently isolate the problem by switching off just part of the network or even just quarantining the problematic IT assets out of the network,” suggested Amit Serper, associate vice-president of security research at Guardicore Labs.

How long will it take to get HSE services back online?

Currently, specialists are working to clean infected devices and fully restore the HSE’s IT systems. Brooks Wallace, VP of sales for the EMEA branch of Deep Instinct, explained: “Not only will they have to triage the infected machines, but they will also need to stop the lateral spread, likely using multiple tools and consoles but with limited resources.”

There is no quick fix. Unpicking this long route out of a tangled web is what has to be done, as the only alternative is to give in to the attackers’ demands. “The more sensible option is to recover compromised data and rebuild systems from scratch, but in some cases this can take weeks,” said Noel O’Grady, director of Sungard Availability Services Ireland.

Why not just pay the ransom?

Paying ransoms for cyberattacks is not advised. “First instinct may be to just give in to demands, but paying hackers sends the message that an organisation is willing to hand over money and can put a target on them for future attacks,” said O’Grady.

Unfortunately, because some victims of ransomware have shelled out big sums to attackers, this has become big business, which leads to more attacks. In the case of the recent Colonial Pipeline cyberattack, it’s reported that the payment of a $5m ransom has only exasperated this escalating problem.

The HSE, on the other hand, “is absolutely correct in containing the problem”, according to Paul Donegan, Palo Alto Networks country manager for Ireland.

According to a study from Unit 42, the threat intelligence arm of Palo Alto Networks, the average ransom paid more than tripled in 2020 to more than $300,000, while the highest demand from cyber-extortionists reached $30m. This is already heightening in 2021, with average pay-outs almost tripling again and a new record demand of $50m reported by Unit 42.

Should other organisations be on alert for similar attacks?

In a word, yes. The NCSC issued an advisory on the HSE cyberattack, which offers guidance for other organisations to detect and prevent a similar attack. This advisory will be updated as more details are revealed through the investigation.

Brian Honan, CEO and founder of BH Consulting and former special adviser on cybersecurity to Europol, strongly recommended all government agencies and private sector companies follow the NCSC guidance and to check systems for the indicators of compromise in its advisory.

Honan also recommended the DFIR Report’s information on Conti ransomware for more indicators as well as the known tactics, techniques and procedures of this cyber threat.

What can be done to effectively guard against such attacks in future?

In response to the HSE cyberattack, some cybersecurity professionals have pointed to the principle of ‘zero trust’ as a way to deal with these increasing threats from attackers.

“The driving principle of zero trust is ‘trust nothing and verify everything’,” explained Donegan. “It helps those that implement it to defend against all known attack vectors, including malicious insider and phishing attacks, by restricting the attacker’s ability to move through the network and alerting on their activities as they attempt to do so.”

Others have pointed to the dangers that overworked staff present to effective cybersecurity policies. “Given the nature of the industry, healthcare personnel are often severely time constrained, leading them to click, download and rapidly handle email, while possibly falling victim to carefully crafted social engineering-based email attacks,” said Peter Carthew, director of public sector for UK and Ireland at Proofpoint.

“Nearly all targeted attacks rely on human interaction to work. Educating and training workers on what to watch out for, maintaining offline backups, implementing strong password policies, and developing ransomware response playbooks are vital defences against the numerous threats facing the sector today,” he added.

Oz Alashe, CEO and founder of CybSafe, also emphasised this need to focus on the human factors of cybersecurity risk. “It’s crucial that public sector organisations are taking steps to not only raise awareness of such cyber threats, but also provide security training and support that takes this human aspect into consideration in order to help prevent these attacks in future.”

This all-hands approach is one way to alleviate the burden on cybersecurity teams. A recent Proofpoint survey of global chief information security officers (CISOs) suggested that they are feeling overwhelmed by the vast array of threats coming from all angles. With so many threats to protect from, prioritisation becomes an issue, with only 25pc of public sector CISOs listing ransomware in their top three cyber threats.

For further guidance on preventing ransomware, BH Consulting’s whitepaper offers advice on where to start in planning these defences.

Elaine Burke is the editor of Silicon Republic

editorial@siliconrepublic.com