With malware attacks becoming more sophisticated and concerning, and critical infrastructure increasingly targeted, it was inevitable a major Irish public entity would be hit eventually.
On Friday morning, it was the Health Service Executive.
The attack on the HSE uses Conti, a type of ransomware that first emerged this time last year. It's human-operated and appears to have been developed by a cyber crime group based in Eastern Europe called Wizard Spider.
Having infiltrated the target network through phishing emails, a firewall vulnerability, or by gaining remote access to a desktop, the attackers gain admin rights, and map the system.
Often they identify key accounts, data, and servers. Up until this point, their operations are hidden.
Then, typically overnight when less attention is paid to the operations of the network, they launch the Conti ransomware. The data targeted on the network is copied and locked by encryption. It becomes clear to the controllers of the network that the attack is happening.
The attackers promise to unlock the encrypted data when the ransom is paid, while threatening to release the copied data if it isn’t. That's why it’s called a "double-extortion": the threat isn’t simply to cripple the system, but also to release the data.
In the meantime, they may continue to monitor the network to observe the response. Emails between individuals may be used to identify other important data. The only reaction – as seen from the HSE – is to shut down all internet-linked devices.
After that, you’ve got to hope you have a recent back-up to reinstall. You regroup, assess the damage, and consider your next steps. Whether you pay the ransom or not, the damage is significant.
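The sequence above (quiet reconnaissance, then an overnight burst of encryption) is also what a defender can look for. The following is an added illustration, not code from RTÉ, the HSE or any vendor: it scans constructed file-server audit lines for one account renaming many files to a new extension within a short window, and raises the severity when the burst falls outside working hours. The log format, the `.locked` extension, the thresholds and the host and user names are all assumptions made for this example.

```python
"""Flag ransomware-style mass-rename bursts in file-server audit logs.

Added illustration (not the HSE's or RTÉ's code). The pipe-separated log
format, the ".locked" extension, the thresholds and every host/user name
below are assumptions made for the example; real tooling would read its
own SIEM's event schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PurePosixPath
from typing import Optional

WINDOW = timedelta(seconds=60)  # burst window (assumed)
THRESHOLD = 5                   # extension-changing renames per window that trigger an alert (assumed)

# Constructed sample: "timestamp|host|user|action|path" (not real HSE data).
# A daytime user doing ordinary work, then a service account renaming six
# documents to ".locked" within fifteen seconds at 02:10.
SAMPLE_LOG = """\
2021-05-13T14:02:11|fs01|j.murphy|WRITE|/share/finance/q1.xlsx
2021-05-13T14:05:40|fs01|j.murphy|RENAME|/share/finance/draft.tmp -> /share/finance/q1.xlsx
2021-05-13T14:07:00|fs01|j.murphy|RENAME|/share/finance/a.pdf -> /share/finance/b.pdf
2021-05-14T02:10:01|fs01|svc_backup|RENAME|/share/hr/payroll.docx -> /share/hr/payroll.docx.locked
2021-05-14T02:10:04|fs01|svc_backup|RENAME|/share/hr/contracts.docx -> /share/hr/contracts.docx.locked
2021-05-14T02:10:06|fs01|svc_backup|RENAME|/share/hr/leave.xlsx -> /share/hr/leave.xlsx.locked
2021-05-14T02:10:09|fs01|svc_backup|RENAME|/share/hr/rota.xlsx -> /share/hr/rota.xlsx.locked
2021-05-14T02:10:12|fs01|svc_backup|RENAME|/share/hr/policy.pdf -> /share/hr/policy.pdf.locked
2021-05-14T02:10:15|fs01|svc_backup|RENAME|/share/hr/handbook.pdf -> /share/hr/handbook.pdf.locked
"""


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    action: str
    src: str
    dst: Optional[str]  # only set for RENAME


def parse_line(line: str) -> Event:
    """Parse one audit line; RENAME carries 'old -> new' in the path field."""
    ts, host, user, action, path = line.split("|", 4)
    if action == "RENAME":
        src, dst = (p.strip() for p in path.split("->", 1))
    else:
        src, dst = path.strip(), None
    return Event(datetime.fromisoformat(ts), host, user, action, src, dst)


def changes_extension(ev: Event) -> bool:
    """True for a rename that gives the file a different final suffix."""
    return (ev.action == "RENAME" and ev.dst is not None
            and PurePosixPath(ev.src).suffix != PurePosixPath(ev.dst).suffix)


def is_off_hours(ts: datetime) -> bool:
    """Assumed working day 06:00-22:00; anything else counts as off-hours."""
    return ts.hour >= 22 or ts.hour < 6


def detect_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (host, user) whose extension-changing renames
    reach `threshold` inside any `window`-long span."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    per_actor = defaultdict(list)
    for ev in events:
        if changes_extension(ev):
            per_actor[(ev.host, ev.user)].append(ev)

    alerts = []
    for (host, user), evs in per_actor.items():
        start = 0
        for end in range(len(evs)):          # sliding window over sorted events
            while evs[end].ts - evs[start].ts > window:
                start += 1
            if end - start + 1 >= threshold:
                first = evs[start].ts
                alerts.append({
                    "host": host,
                    "user": user,
                    "first_seen": first.isoformat(),
                    "renames": len(evs),
                    "off_hours": is_off_hours(first),
                    "severity": "high" if is_off_hours(first) else "medium",
                })
                break                        # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

The daytime user's single `.tmp` to `.xlsx` rename stays below the threshold, while the six overnight `.locked` renames produce a single high-severity alert. In practice the same sliding-window count would be fed by endpoint or file-server telemetry, and a burst like this is the cue to isolate the host rather than wait for the ransom note.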
HSE chief executive Paul Reid told Morning Ireland on Monday that the attack will cost the HSE "tens of millions" – and that’s even without paying the ransom.
"It's a heinous attack, it's a shocking attack on a health service but fundamentally on the patients and the Irish public." Taoiseach @MichealMartinTD says work is ongoing to ensure services return as soon as possible after the cyber attack on the HSE | https://t.co/J7sPBG0Vy2 — RTÉ News (@rtenews) May 18, 2021
Yet the concern is now not simply about the impact on the health system to deliver care, but about data from the general public being released online. Personal information for millions of us is held by the HSE. We don’t know how much of it has been copied by the attackers.
Wizard Spider has been known to dump data onto a website when it says ransom payment has been refused. Other groups sell the data, which can be used by separate attackers to try to impersonate individuals online, or access financial accounts.
At least 150 organisations have been targeted using Conti in the last year. Millions have been paid in ransom. The attacks have made Wizard Spider a target of the FBI, Interpol, and Europol.
Since it first developed the ransomware, the group has been tweaking and evolving Conti to avoid detection on targeted networks, as cybersecurity experts try to work out ways to keep them out.
The HSE will not be their last victim. In fact, it seems they may already have another.
Wizard Spider is just one group. Before deploying Conti, they used a different type of malware against victims. They’ve come to prominence now in Ireland, but appear to have been operating internationally since at least 2016.
Around then, ransomware was becoming big business. The first big international issue would emerge in April 2017, one which has echoes of Friday’s attack on the HSE.
That month, 200,000 computers across 150 countries were infected with Wannacry ransomware.
Wannacry exploited a security vulnerability in older Microsoft operating systems. If you hadn’t updated certain computers in the six weeks prior, you were open to being attacked – and required to pay a ransom in cryptocurrency to unlock the network.
In the UK, the National Health Service was crippled for days. Up to 70,000 devices, including key hospital equipment, were infected with Wannacry. It was a national security issue.
Across the world, governments and companies rushed to close the security hole Wannacry was designed to enter through. It spread through companies and organisations for a week, until a researcher happened on a weakness in its design, allowing him to pull what amounted to a kill switch.
The attack wasn’t the first use of ransomware – far from it – but it was a wake-up call for governments about the potential damage such an attack could inflict on their countries.
Then a month later, energy companies and banks in Ukraine were hit by a similar malware attack. The same exploit was used to enter systems. Dubbed "NotPetya", the attack programme appeared designed to cripple organisations, rather than generate profit.
Radiation monitoring at the Chernobyl Nuclear Power Plant went offline, Ukrainian ministries couldn’t function, banks went down, and the country’s transport system was partially shut.
The malware infected one computer and could then spread rapidly to any linked network. It resulted in several multinational companies with offices in Ukraine being hit.
Russian-Ukrainian tension was running high, and the attack coincided with the anniversary of the Ukrainian constitution. Industry analysts said NotPetya originated from Russia, blaming Russian military intelligence.
In the US, emergency meetings were held to devise a defence, due to concern malware could be used against American infrastructure.
A few months later, in February 2018, top intelligence officials would tell a Senate hearing that preventing such attacks was a top priority.
The US now lists cyber attacks as one of its key threats, alongside the Covid-19 pandemic, and global terrorism.
And yet, with technology constantly developing, such attacks have continued. Just two weeks ago, the company responsible for ensuring the gas supply of large parts of the US East Coast was shut down by a ransomware attack.
The attack on the Colonial pipeline company was, according to Reuters, "one of the most disruptive digital ransom operations ever reported and has drawn attention to how vulnerable US energy infrastructure is to hackers."
A Russian group called "DarkSide" is believed to be behind the attack.
This time, they were criminals, not spies. The HSE says it was the same here, this time.