HSE cyberattack: Hackers’ servers, websites seized by Gardaí

7 Oct 2021


Detective chief superintendent Paul Cleary said Garda signs were posted on the hackers’ websites to warn potential cyberattack victims.

The Garda National Cyber Crime Bureau has seized servers and websites belonging to the gang believed responsible for the HSE cyberattack, in a disruption operation carried out over the past two weeks.

Speaking to RTÉ Radio’s News at One yesterday (6 October), head of the bureau and detective chief superintendent Paul Cleary said that technology from the gang was taken over and potential victims were warned.

“In the last two weeks, we launched a disruption takedown operation where the Garda National Cybercrime Bureau seized the technical infrastructure of this gang,” Cleary said.

“We effectively took their servers, the mains and websites and we put up our own alert splash screen with the Garda insignia – basically warning any potential new victims that they should check their networks that may be compromised.”

The operation was revealed in a discussion around European Cybersecurity Month – an annual campaign in October to promote online safety to EU citizens and organisations.

Central Statistics Office figures suggest that there has been a 40pc increase in fraud offences in the first half of 2021, which Cleary said was driven by “cyber-enabled crime”.

HSE attack

In May, healthcare services across the country were impacted in what was said to be the most serious cyberattack ever to hit the State’s critical infrastructure. Forced to shut down their IT systems, hospitals and other HSE services were left without access to electronic health records, causing significant disruption.

Cobalt Strike Beacon, the implant component of a commercial adversary-simulation framework that is routinely abused by criminal groups to gain remote access to compromised machines, was found on the HSE’s IT systems. It gave the attackers a foothold from which to move laterally through the network and stage their payload. The hackers then deployed Conti ransomware.

By June, 75pc of the HSE’s servers had been decrypted and 70pc of end-user devices were back online. At the time, HSE CEO Paul Reid said the immediate financial costs of the ransomware attack were “well over €100m”.

Seven-country collaboration

In the lead-up to the crackdown, Cleary said that his team had been gathering evidence and closely engaging with seven different countries and international law enforcement partners.

“We’ve gathered significant intelligence on the infrastructure surrounding the gang we believe to be behind the attack in May, including the finances and the tools the group use for these offences, info on how they target victims, as well as their interactions with other cyber gangs.”

He added that 753 potential new victims were shown the Garda splash screen warning them that their networks may have been compromised, which may have prevented further attacks.

“[The operation] was successful and we have more of those operations planned in the future,” Cleary said.


Vish Gain is a journalist with Silicon Republic