IT IS the stuff of a spy thriller – only the bad guys are miles ahead and James Bond is not going to save the day for the HSE.
A successful ransomware attack on the HSE, or any Government entity here, was always a real danger but now the nightmare has truly begun.
Think of the smartest person you know, then imagine they’re a malevolent thief who does not care who or what they kill or hurt along the way to get what they want.
Now imagine teams of these relentless technical wizards working for predatory, criminal mafia groups often with the tacit support of regimes in places such as Russia, China and North Korea.
Their malware has names like Maze, Egregor, Ryuk, NotPetya, Locky – and Conti, in the case of the HSE’s attacker this week.
One of the most prominent attacks in recent years involved ransomware known as Wannacry, launched by North Korea.
An organisation that felt the brunt of Wannacry was the NHS in Britain, which saw 70,000 devices impacted.
That cyberattack back in 2017 used a leaked hacking tool called Eternalblue that was developed by the US National Security Agency (NSA).
Eternalblue focused on older Windows systems and was originally stolen by a group called the Shadow Brokers.
Just this week, US firm Colonial Pipeline had to deal with a major ransomware attack that shut down a pipeline supplying nearly half the fuel for America’s east coast, causing panic at the gasoline pumps.
The company said yesterday it had returned to ‘normal operations’ after six days of disruption. That attack was linked to a criminal group called Darkside, which was reportedly paid a ransom of $5m (€4.1m) by Colonial Pipeline, who refused to comment.
Behind these monikers stand shadowy criminals: the modern-day equivalent of highwaymen lurking in the ether of the internet ready to pounce – or mafia goons demanding protection money as they hold a threatening match to a can of petrol.
As escalating attacks in the past year have shown (the list would fill these two pages and more) these gangs are ruthless and they just don’t care.
They are also hugely successful, as successful money-making attacks on NUI Maynooth and NUI Galway showed last summer.
In that instance the attack was targeted at Blackbaud, a firm providing software and cloud management systems to third-level institutions.
Ultimately Blackbaud succumbed to paying a ransom to prevent student and staff data being published online.
But cybercrime like this is now everywhere and amounts to an illicit industry worth trillions. It is as much a reality as the drugs trade with just as little prospect of being quashed.
US-based firm Cybersecurity Ventures estimates global cyberattacks are now being recorded every 11 seconds. Last year, the average ransom amount paid is understood to have been in the region of $300,000 and the value of these ruthless online hold-ups is expected to reach $6trn in 2021.
That means that if cybercrime was a country it would have the third largest economy in the world after the US and China.
Consequently, billionaire philanthropist Warren Buffet has called the issue mankind’s No.1 problem – a bigger threat to humanity than nuclear weapons.
For years security experts have been warning of vulnerabilities in Ireland’s State infrastructures with some putting the likelihood of a successful attack on the HSE as a dead certainty.
Now the inevitable has happened.
The latest ransomware used by hacking extortionists, and the one used against the HSE this week, is known as Conti.
The Conti Gang not only directs its own attacks but also sells its malware services on the dark web to other gangs.
These include the Trickbot Gang, which has ditched its use of other ransomware known as Ryuk in favour of the Conti product.
In existence for just a year, Conti lists its 150-plus victims to date on its ‘Conti news’ website and has released updated versions of its malware three times in recent months, improving it each time.
Conti is to an IT network what an infectious virus is to the human body. But it does not spread like Covid. It’s more serious than that – it’s the Ebola of malware.
It can encrypt and lock all the files on a computer in seconds while simultane- ously seeking to connect to every other computer on the same network. The process is very difficult to stop once it gets going.
That’s why the first thing the HSE did in the early hours of Thursday morning was to unplug everything it could. But the night-time attack was no coincidence. It was likely timed to ensure the intruders had as much time as possible before the HSE could act across all its systems.
And as the HSE was scrambling to wake up its emergency IT teams, the Conti malware was busily stealing and exfiltrating files to cloud storage while concealing the locations from which the attack and associated downloads were being directed.
Many of the world’s brightest military, government intelligence and IT security minds are watching the Conti gang intently right now.
But none has laid a finger on those responsible and the Conti attacks keep coming – and they keep succeeding.
Once this vicious behemoth turned its attention to the HSE it was always likely to find a way in given the use of often outdated IT hardware, sometimes running obsolete software.
In December, for example, it was revealed, in response to a Parliamentary Question by Labour leader Alan Kelly, that the HSE was relying on close to 40,000 computers running on out-of-date Windows 7 software.
Think of tens of thousands of workers all accessing a precarious hodgepodge of IT systems from work computers and, thanks to Covid, personal machines and networks at home as well as on smartphones and tablets while on the move.
Increasingly cyber experts have been warning of the danger of mobile devices linked to company networks.
A phishing attack on a phone is more difficult to spot and many employees are not trained to look for the red flags they are used to noticing for on a desktop computer.
A phone can also be targeted at a time when a person is likely to be intoxicated or otherwise distracted out of normal work hours.
In the most disturbing scenario an agent can befriend an employee and directly access their device to which the malware attachment has been sent and click on download.
The access points don’t stop there.
Just days ago, international cybersecurity experts in a report by USbased Forescout Research Labs and Israeli cyber security firm JSOF warned of the threat of hackers using the ‘internet of things’ to gain access to wider IT networks via internet-enabled devices, especially in health facilities.
But the most likely route taken by the HSE hackers is one of human manipulation.
All the cyber thief with a new malicious code needs is one person to open a phishing email and click on the link attached Experts believe a Conti attack would likely focus on one or more target employees to con them into downloading an email attachment to a device.
In previous attacks the attachment has purported to be a Google Docs file which, when opened, unleashes the attack.
Imagine, for example, a faked email purporting to be from a HSE colleague containing what appears to be an urgent list regarding vaccinations for the next day.
Or an email that looks like it came from payroll saying there’s been a problem with this month’s wages.
There are any number of scenarios likely to succeed with persistence and targeting.
Once its work is done the Conti malware does not hide away. Every file it has stolen will be re-placed with a prominent message when someone tries to open that file.
‘All of your files are currently encrypted by Conti ransomware,’ the message reads before going on to offer samples to prove this is the case. ‘We’ve downloaded your data and are ready to publish it on our news website if you do not respond.’
Then the nightmare really begins. The first stage of those attacked is usually denial, a refusal to countenance a grotesque and unfair blackmail demand.
‘It’s Government policy that we don’t pay ransoms and we have no intention of doing so here. It would open up a Pandora’s Box,’ HSE chief information officer Fran Thompson, said on Friday.
But – barring a miracle involving an overnight raid on the hackers who graciously hand over encryption keys – there is really no other way out.
There is no James Bond about to save the HSE. The bad guys are going to win as many have already learned.
The alternative, allowing the healthcare data of Ireland’s population and the HSE’s every internal file be published or sold on the dark web – is unthinkable.
The only question now is how much Bitcoin will have to be paid to the criminals, who have robbed every single one of us.
To date the Conti gang has communicated with victims through secret, untraceable Proton email addresses as they negotiate a final price.
A flavour of how those negotiations tend to go was revealed last June when the BBC eavesdropped on a deep web message exchange between the University of California San Francisco and ransomware hackers known as the Netwalker gang.
‘How can I accept $780,000. Is like I worked for nothing,’ a gang member who had asked for $3m told the university negotiator.
Noting that the university has a turnover of ‘4-5 billions per year’ the hacker said; ‘Keep that $780,000 to buy McDonalds for your employees. Is very small amount for us.’
In the end the university, unable to access its own encrypted data, agreed a fee of $1,140,895 which was transferred in Bitcoin the next day.
In return it regained access to its data and a promise that the stolen data had been deleted from the gang’s systems.
‘Now you can sleep well,’ the hackers told the university.
As if. It’s unlikely a ruthless criminal gang would honour any such promise. The situation is not akin to a kidnapper releasing a hostage unharmed.
Should the HSE pay out there can be no guarantee the Conti gang – or another party who gets its hands on the stolen data – won’t seek to monetise this asset again in the future.
That’s the reason law enforcement agencies such as Europol and the FBI advise against paying out.
Ultimately though the HSE doesn’t have any good options at all.
