The National Cyber Security Agency is hoping that by next week it will be able to begin to ease the misery of the millions of sick people and their loved ones who have had their lives disrupted, their treatment delayed, their appointments cancelled and their healthcare worries exacerbated by the cruel and callous actions of an organised cyber crime gang.
The State's Cyber Security Response Team, along with commercial IT contractors FireEye and international partners, have been working 24-hour shifts on a decryption key supplied by the criminal gang so they can use it on the HSE systems. It is complicated and painstaking work.
Criminal gangs spend millions on designing and inserting malware into IT systems all over the world that enables them to encrypt data and steal it for ransom. They don’t spend as much time or money on the decryption key, the result being that while the codes when handed over may work to some extent, they may also contain 'bugs’ which do more damage to the systems and the data they’re supposed to restore.
Colonial Pipeline, the company providing almost half of the fuel for the East Coast of the United States, discovered this to its cost after it was hacked by a criminal gang referred to as ‘Darkside’ on 7 May last. It paid the criminals $4.4m for the key to unlock the encryption and while the code provided was of some use, it didn’t immediately restore the pipeline’s systems.
Timeline of the attack
Six days after the US attack officials at the Department of Health here noticed suspicious activity on their computer systems and contacted the National Cyber Security Agency. Based at the Department of the Environment in Adelaide Road in Dublin and with a staff of about 30 IT specialists, its job is to manage cyber security incidents across Government and provide guidance and advice to citizens and business on these incidents.
The cyber attack first on the Department of Health and then on the HSE turned out to be the most serious ever attack on the State’s critical infrastructure. The health service IT systems here had avoided another ransomware attack four years ago when the WannaCry virus infected a quarter of a million machines in 150 countries including the UK’s NHS.
The National Cyber Security Team activated its crisis response procedures and called in FireEye, a commercial specialist IT incident response company. Investigators found a remote access tool known as ‘Cobalt Strike Beacon’ on the system, which hackers use to move within computer networks before launching their virus and demanding a ransom - or as it’s known in computer parlance, "execution of a ransom payload". Unknown to anyone, the hackers had already been in the IT systems before this for at least a week.
The Department of Health acted quickly enough to prevent the cyber criminals from detonating their malware, known as Conti, on its systems. The IT specialists were able to detect, through a combination of anti-virus software and the deployment of tools, an attempt to execute ransomware and stop it. The result is that the systems at the Department of Health have not been as badly damaged and should be up and running again sooner.
The HSE however was not so lucky. They first realised they were under attack in the early hours of Friday morning, 14 May, and by that time it was too late. The criminals had executed their ransom payload and the HSE systems had been disabled.
The attack has badly damaged the HSE and the health services. It has had to shut down its systems and bring in specialists to carefully go through each part of its network, step by step, find the malware, block malicious IPs and domain names, protect privileged accounts, clean, rebuild and update all infected devices, ensure antivirus is up to date on all systems, make sure all devices are patched and ultimately restore the data.
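One of the remediation steps listed above, blocking known malicious IPs and domain names, starts with finding which hosts contacted them. The following is an added example, not code from the article, the HSE or its contractors: it matches constructed proxy/DNS log lines against a constructed blocklist (placeholder domains and documentation IP ranges, not real indicators from this incident) and reports which source hosts made the contacts. The log format is an assumption for the example.

```python
"""Match constructed proxy/DNS log lines against an IOC blocklist.

Added example, not from the article or any HSE/NCSC tooling. The log format,
the blocklist entries and the log lines are all constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Constructed blocklist: bare domains (match the domain and any subdomain)
# and IP networks in CIDR notation. Values are placeholders, not real IOCs.
BLOCKED_DOMAINS = {"c2-placeholder.example", "loader-placeholder.test"}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3 documentation range
                    ipaddress.ip_network("198.51.100.7/32")]  # single TEST-NET-2 host

# Assumed log format: "<timestamp> <source-host> <destination> <action>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dest>\S+)\s+(?P<action>\S+)$")

# Constructed sample log lines (not real HSE traffic).
SAMPLE_LOG = """\
2021-05-14T02:11:05Z ws-0412 update.vendor.example ALLOW
2021-05-14T02:11:09Z ws-0412 cdn.c2-placeholder.example ALLOW
2021-05-14T02:12:30Z srv-db01 203.0.113.45 ALLOW
2021-05-14T02:13:01Z ws-0098 mail.internal.example ALLOW
2021-05-14T02:13:44Z ws-0412 198.51.100.7 ALLOW
2021-05-14T02:14:10Z ws-0777 notc2-placeholder.example ALLOW
"""

def domain_blocked(name):
    """True if name equals a blocked domain or is a subdomain of one.
    Case-insensitive; a trailing dot (FQDN form) is ignored."""
    name = name.lower().rstrip(".")
    for d in BLOCKED_DOMAINS:
        if name == d or name.endswith("." + d):
            return True
    return False

def ip_blocked(text):
    """True if text is an IP address inside a blocked network; False for non-IPs."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(addr in net for net in BLOCKED_NETWORKS)

def scan_log(text):
    """Return (hits, per_host): hits is a list of (ts, src, dest) for lines whose
    destination is blocklisted; per_host counts those hits per source host."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        dest = m.group("dest")
        if domain_blocked(dest) or ip_blocked(dest):
            hits.append((m.group("ts"), m.group("src"), dest))
    return hits, Counter(src for _, src, _ in hits)

if __name__ == "__main__":
    hits, per_host = scan_log(SAMPLE_LOG)
    for ts, src, dest in hits:
        print(f"{ts} {src} -> {dest}")
    print("hosts with blocked contacts:", dict(per_host))
```

On the sample log this flags three lines and attributes two of them to `ws-0412`, which is the kind of host list that drives the "clean, rebuild and update all infected devices" step. Note that `notc2-placeholder.example` is not flagged: the subdomain test requires a dot before the blocked domain, so a lookalike name that merely ends in the same letters is not a false positive.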
CEO Paul Reid has admitted he fears all the HSE’s data has been compromised.
A digital ransom note was also left for the HSE. Much like a kidnapper inviting someone to drop the money off, the note contained a link with an invitation to "chat" with the criminals on the ‘darknet’ with a view to paying a ransom to get the data back.
The darknet is equivalent to the criminals’ back alley. The message stated:
"YOU SHOULD BE AWARE! Just in case, if you ignore us. We’ve downloaded your data and are ready to publish."
Such a threat has been made and acted upon before. Hackers attacked a psychiatric hospital in Finland in October of last year and stole the medical records of 40,000 people. In what is known as a ‘double extortion’ they not only sought a ransom from the hospital, they also emailed individual patients and threatened to publish their therapy and mental health treatment records if they weren’t paid.
The organised cyber crime group behind the cyber attacks here is a highly technically proficient gang of criminals known as ‘Wizard Spider’. The criminal gang has been responsible for hundreds of cyber attacks all over the world; since 2019 it has carried out more than 300.
The organised crime group, according to the intelligence agencies, is based in and around St Petersburg in Russia and consists of approximately 80 employees, some of whom are unaware they are working for a criminal organisation.
It employs skilled computer programmers and hackers on a part-time and temporary basis as part of a modus operandi that involves regular changes in staff.
Wizard Spider has for many years been a target of the FBI, the UK National Crime Agency, Interpol, Europol and other international law enforcement agencies. It does not carry out attacks on systems in Russia and the group’s key members do not travel outside Russia.
It specialises in inserting malware into computer systems all over the world and targets government, healthcare, aerospace, agriculture, academic, retail and commercial bodies by encrypting their data and making high ransom demands. It is known to belittle its victims.
Cyber criminals buy and sell their services and capabilities, such as fraud or hacking abilities, on underground websites, but the Wizard Spider group is very security-conscious. It does not openly advertise on the darknet and will only sell access to or work alongside trusted criminals. This has enabled it to continue to operate covertly for years.
The criminal gang first came to the attention of law enforcement seven years ago when key figures were suspected of being involved in cyber attacks in 2014 and 2015 involving malware known as Dyre.
The ‘Dyre’ malware was at the time the pre-eminent virus enabling cyber criminals to steal money online.
In 2018, however, international agencies identified a significant upgrade in the criminal organisation’s technical ability and its primary use of three types of ransomware, Trickbot, Ryuk and Conti. These were used to target large organisations for a high-value return, a criminal activity known online as ‘big game hunting’.
Conti is the ransomware that was used to disable the HSE and the Department of Health’s IT systems and law enforcement agencies say there is no known case of success in relation to generating a decryption key for the ransomware.
A document was published online in the aftermath of the cyber attacks here claiming to show that the gang wanted $20m. The figure has been dismissed by security specialists involved but they concede the gang is looking for millions to enable the HSE and the Department of Health to retrieve the data that has been stolen.
However, the Government’s position from the start has remained the same - Ireland will not pay. This was repeated several times this week.
All parties involved insist that no money has changed hands and that no agency, representative, or private individual, directly or by proxy, has paid or will pay any ransom, and that none will be paid or disguised in any fees paid to a commercial company. The Government cannot be seen to capitulate to the demands or support the business model of organised crime.
The National Cyber Security Centre and the private IT specialists contractors also say they have not engaged at all with the criminal gang responsible. They are satisfied that this criminal gang knew that it had attacked a health service and that its crime would impact on sick, elderly and vulnerable people including children.
Digital notes left by the hackers were addressed to the Health Service Executive and investigators are satisfied the gang targeted the health system. "This attack," said one of the specialists working to restore the data systems, "was not ‘an accidental discharge’."
The Garda National Cyber Crime Bureau is in charge of the criminal investigation and is liaising with Europol and Interpol. While they may identify individuals within the gang responsible, these people are believed to be in countries beyond the reach of this jurisdiction. They also say that while it’s "probable" that personal information that appeared online this week may be from the HSE’s files, that has not been verified.
The gang members may be put on ‘no fly’ and international watchlists which would confine them to their own countries. They may even be liable to international financial sanctions within their own country and have their accounts and assets frozen. However, these potential sanctions are unlikely to deter them and it’s unlikely that any of them will be brought to justice here.
But in spite of this harsh reality, the prosecution authorities did not stand idly by this week. The State made a pre-emptive strike to limit the gang’s options and devalue their stolen data. The gangsters could not keep the crime out of the Irish courts.
The HSE took the imaginative and proactive step of securing a High Court injunction against the hackers, referred to in the order as "persons unknown". The court order restrains any person or company from sharing, processing, selling or publishing the data stolen from the HSE’s computer systems. The application is unprecedented. The courts don’t usually make orders against "persons unknown".
The main purpose of the ‘super-injunction’ is to put legitimate information service providers such as Google, Twitter, and Facebook on notice of a legal prohibition on the sharing and publication of the HSE information.
The hackers have threatened to publish personal and confidential HSE records if they don’t get paid but the injunction severely limits the effectiveness of such a strategy. It shuts down, to them and others, the main domestic and international platforms for disseminating the stolen data.
The criminals can still put it on the darknet, the marketplace for cyber criminals, but any individual or business who subsequently circulates it on social media potentially faces a large fine and/or jail for contempt of court.
Ironically, the hackers have 42 days to enter an appearance to the proceedings after which the matter will return before the court, a civil right they are unlikely to avail of. Mr Justice Kevin Cross referred to their use of blackmail as "particularly heinous" and "always the remedy of a coward".
The National Cyber Security Centre continued working to restore the healthcare systems but it came as a complete surprise to them, the Government, the Gardai, the IT specialists and the HSE that out of the blue and for no apparent reason, last Thursday afternoon, the gang posted a decryption tool online.
The National Cyber Security Agency and the IT specialists from Ireland and abroad immediately examined the decryption key, a complicated algorithm. They established it was "a valid decryptor", "a binary solution" which they validated by programming it into a "sandbox" which is a safe cyber environment in which to ‘open the key’.
IT specialists were then able to use the ‘key’ within that safe environment on a sample of the HSE’s encrypted data. They discovered that the key worked because it decrypted the data. However they also discovered that it was "highly flawed" and needed to be "debugged".
The organised cyber crime gang had spent hundreds of thousands of euro designing and placing the ransomware in the Irish health systems but far less money on the decryption tool which would solve the problem, hence the ‘bugs’.
The criminal gang had inserted "a rolling encryption" as part of its ransomware into the HSE’s systems to capture the data but had also pushed the encryption down through the entire computer system. IT specialists say it is therefore a complicated task to unlock the data even with the algorithm code because the code changes or "reiterates" every time they go into the system.
They must therefore recommence at the exact same place. They say it is a complex procedure which, if not done carefully, could corrupt the data. And while they have the algorithm, the decryption code, they now need to build "an engine" to "house" the decryption. The "engine" must be compatible with the HSE systems to work. Only then will they be able to use the code to unlock the systems and safely restore the stolen data.
"We have the cargo but we now have to build the truck" one specialist said.
The IT specialists also have to undo some of the protections that they had put into the system to protect it against further attacks. They need to take down these protections in order to use the decryption key "a long string code".
As one specialist put it, "we have had to reverse engines and take one step back to move five steps forward".
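The procedure described above, validating a criminal-supplied decryptor in a sandbox on a sample of encrypted data before trusting it on live systems, is worth seeing as a concrete harness. The following is an added example and not code from the article, the HSE, the NCSC or FireEye. It assumes nothing about the real ransomware or its decryptor: the XOR transform is a constructed stand-in, the sample files are constructed, and `buggy_decryptor` is a hypothetical flawed decryptor that silently drops a trailing partial block, there only to show what the harness must catch. The harness runs each candidate on in-memory copies so the encrypted originals are never touched, and judges the output against a reference hash where a backup copy exists, falling back to file-type magic bytes where it does not.

```python
"""Validate a candidate decryptor on copies of sample files before wider use.

Added example, not code from the article, the HSE, NCSC or FireEye. The
toy XOR cipher, the sample files and the 'buggy' decryptor are constructed
stand-ins; they say nothing about how the real ransomware or its decryptor work.
"""
import hashlib

BLOCK = 16
TOY_KEY = bytes(range(1, BLOCK + 1))  # constructed key, stand-in only

# Magic bytes for file types whose plaintext can be sanity-checked without a reference copy.
MAGIC = {
    b"%PDF": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
}

def toy_encrypt(data):
    """Stand-in 'ransomware' transform: XOR with a repeating key (NOT the real scheme)."""
    return bytes(b ^ TOY_KEY[i % BLOCK] for i, b in enumerate(data))

def good_decryptor(blob):
    """Correct inverse of toy_encrypt (XOR is its own inverse)."""
    return toy_encrypt(blob)

def buggy_decryptor(blob):
    """Hypothetical flawed decryptor: processes only whole 16-byte blocks and
    silently drops the trailing partial block. Constructed for the demonstration."""
    whole = len(blob) - len(blob) % BLOCK
    return toy_encrypt(blob[:whole])

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def check_file(plaintext, expected_sha=None):
    """Return (ok, reason). Prefer a reference hash (e.g. from an unaffected backup);
    otherwise fall back to a weaker file-type magic check."""
    if expected_sha is not None:
        if sha256(plaintext) == expected_sha:
            return True, "matches reference hash"
        return False, "hash mismatch against reference copy"
    for magic, kind in MAGIC.items():
        if plaintext.startswith(magic):
            return True, f"magic bytes look like {kind}"
    return False, "no reference hash and no recognised magic bytes"

def validate_decryptor(decryptor, samples, references):
    """samples: {name: encrypted_bytes}; references: {name: sha256 of the original}.
    Runs the decryptor on in-memory copies only, so the encrypted inputs are
    never modified. Returns {name: (ok, reason)}."""
    results = {}
    for name, blob in samples.items():
        try:
            plain = decryptor(bytes(blob))  # explicit copy of the sample
        except Exception as e:  # a crashing decryptor is a failed file, not a crashed harness
            results[name] = (False, f"decryptor raised {type(e).__name__}")
            continue
        results[name] = check_file(plain, references.get(name))
    return results

def approved(results):
    """Only roll a decryptor out when every sample decrypted cleanly."""
    return all(ok for ok, _ in results.values())

# Constructed sample corpus: originals, the one hash a backup would give us, and encrypted forms.
ORIGINALS = {
    "report.pdf": b"%PDF-1.4\n%constructed sample\n" + b"x" * 37,  # 66 bytes, not a multiple of 16
    "scan.png": b"\x89PNG\r\n\x1a\n" + bytes(range(256)),          # 264 bytes, 8 over a block boundary
    "notes.txt": b"constructed plain text sample",                 # 29 bytes, no magic bytes
}
REFERENCE_HASHES = {"notes.txt": sha256(ORIGINALS["notes.txt"])}  # only one file has a backup hash
ENCRYPTED = {name: toy_encrypt(data) for name, data in ORIGINALS.items()}

if __name__ == "__main__":
    for label, dec in (("good", good_decryptor), ("buggy", buggy_decryptor)):
        res = validate_decryptor(dec, ENCRYPTED, REFERENCE_HASHES)
        print(f"{label}: approved={approved(res)}")
        for name, (ok, why) in res.items():
            print(f"  {name}: {'OK  ' if ok else 'FAIL'} {why}")
```

The instructive part is where the buggy decryptor slips through: both `report.pdf` and `scan.png` lose their last few bytes, yet their magic bytes are intact, so the magic-only check passes them. Only `notes.txt`, the file with a reference hash from a backup, exposes the truncation and blocks approval. That is why a sample set for this kind of validation should be weighted towards files whose pre-attack hashes are known, and why "the key decrypted the data" on its own is not the same as "the data is intact".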
Why did the gang hand over the key?
Security specialists working to restore the systems have described the decision of the criminal gang to publicly release a decryption key as "highly unusual". It is not clear why they did this and why they did it publicly. Criminal gangs like to operate covertly, make their demands, take their money and move on quietly to the next target.
However, one of the problems the gang has created for itself is that it has drawn international attention to its criminal activities. This is now a global story. Another problem is not just the unwillingness of the Government to pay any ransom, it is the unwillingness of any agency here apart from law enforcement to engage with them.
A third problem is the fact that they have attacked a state agency which has led to the attack becoming a political and diplomatic issue. The Taoiseach has said that diplomatic channels were not used to secure the release of the encryption code but the Minister for Foreign Affairs has raised the matter with his Russian counterpart Sergei Lavrov.
In addition, the Russian Ambassador to Ireland Yuri Filatov has said that the authorities in Russia are looking for this gang, that Russian law enforcement is constantly watching for this kind of activity and that he is pretty sure that this recent incident is being investigated fully. He also disagreed with a suggestion that Russia was a safe haven for cyber criminals, pointing out that cyber crime has no borders and is not exclusively a product of Russia.
All that may have put pressure on the criminal gang but it may not be enough to stop it from dumping the data on the darknet next week to protect its reputation for ruthless extortion.
It has the data and it can also recoup some of its expenses by selling it on to other criminals for fraud and blackmail.
In many ways the offer of the online decryption code following the theft of the data is akin to a burglar handing back the key of a house after he has ransacked it. The burglar may have lost some money because the householder wouldn’t pay to get the key back but the burglar can still sell the television, the jewellery, the laptops, the mobile phones and anything else he stole from the house. He’ll also keep the cash he found in the upstairs bedroom.
It’s not possible to predict what the cyber crime gang will do with the valuable assets they have stolen from the HSE. But much like the burglar, while Wizard Spider may not make as much as they hoped and may have to cut their losses, it’s clear they have other means of making money, primarily by "fencing" the goods stolen from the HSE in the cyber crime marketplace.
It’s not unusual for healthcare to be targeted by cyber crime gangs. Six hospitals in the US were attacked by ransomware last October, another in Germany in November. It is however unprecedented for a criminal gang to target the systems of a national health service.
IT specialists say once the decryption key that can be used on the HSE systems has been built they can begin rolling it out online. They can also put it on USB keys and send officials to hospitals and health clinics where they can use it to restore systems onsite. They are warning however that this will take some time and some systems will take longer to restore than others.
What systems are restored and when will be a matter for the HSE.