James Cox
The effects of the HSE cyberattack are being acutely felt by hospitals and GP practices due to disruption to services, but so far there is no evidence of the data leak threatened by hackers after Monday's deadline passed.
The criminal gang behind the hack, believed to be a Russian-based group known as 'Wizard Spider', had threatened to release patient data if a ransom of €16.4 million was not paid, something which the Government has insisted will not happen.
However, despite widespread reports of fraudulent texts and calls, gardaí have said there is still no evidence of a data leak.
Dr Paolo Palmieri, a cyber security lecturer at University College Cork, told breakingnews.ie that it may be days or weeks before individuals are targeted, warning that fraudulent schemes and identity theft could occur if the information is sold on the dark web.
“It’s always hard to predict what cyber criminals or gangs are doing and there are several things they could be doing with the data,” said Dr Palmieri.
Dark web
“They could release it publicly, upload it to a portal on the dark web, normally that would be most likely on an anonymisation portal to store it, or even on a regular website.
“They could do the latter, but that wouldn’t do them much good in the sense that they wouldn’t gain any benefit from it other than potentially showing that if a ransom is not paid there are consequences.
“Alternatively they could sell the information they gained through the attack either as a whole or packaged into smaller sets to different buyers.
“We haven’t seen precise information on what they have been able to access through the attack, but we know that it is highly valuable if it contains sensitive information and detailed information on patients. That has commercial value in the cyber crime community, and therefore they could release it in the sense of selling to different actors.”
While the impact of the cyberattack won't be “immediately evident”, Dr Palmieri explained that the likes of fraud and identity theft could follow down the line.
Further attacks
“It will become evident when further attacks including attempted fraud and identity theft start occurring probably on a mass scale on the people whose data was leaked.
“It could take days, or weeks. In the case of identity theft it may be a bank receiving a call from a person who pretends to be the victim of identity theft. It may take months for the real victim to find out, and then it might be too late as they could have loans in their name withdrawn by cyber criminals. This happens a lot unfortunately.”
The HSE hack was made possible by an outdated system of Windows, which had been flagged in an internal audit three years ago.
Dr Palmieri said no system is impenetrable. However, he added: “Clearly the attack has shown that the HSE system was weak.”
He said organisations are often reluctant to spend on cyber security, something he feels is highlighted in situations like this.
“It shouldn’t go back to the way it was before, there should be a substantial reconfiguration of the metric of the HSE system.
“There needs to be a plan in place to change the way things were done, that will take more than a few weeks and a significant advancement.
“I always tell my students cybersecurity isn’t something any company, organisation or institution likes to spend on.
Spending
“Let’s take the example of a private manufacturing company, let’s say you have €1 million to spend on something. Now if you’re spending on renovating the plant, investing in new equipment or new machinery, then you would get an output increase or a better quality product, so you will have the return for your investment.
“If you invest the money in cyber security, the return you’re hoping for is that nothing happens, that you won’t be attacked, but until you are attacked that seems like a useless expense.
“Because of the severity of the attacks that are happening organisations are becoming more and more aware of this, and they realise that they need to have some degree of investment in cyber security.”
While there is heightened awareness of cyber security following the incident, Dr Palmieri said there is a long way to go.
“I’m not singling out the HSE here, but there needs to be a significant increase of investment and a realisation that the expertise that cyber criminals have is quite high, and you can only counter that with a similar or higher level of expertise in the organisations that need to protect themselves.”
Decryption tool
The HSE is believed to be making progress with the decryption tool that was mysteriously offered to the Government, but IT experts have warned that their systems are still weeks away from full functionality.
Dr Palmieri said it is impossible to know where it came from, but he said Ireland could well have been assisted by other countries.
“It’s very hard to distinguish the official line from what actually happened in these cases. I can tell you this, although it is a different matter, in the case of older ransoms from criminal or terrorist organisations for the kidnapping of people, certain countries in Europe it is informally known that they tend to pay the ransoms, but they will always deny that very vocally, but it’s sort of known that they paid, although ministers will deny it at all levels, it still does happen.
“In this case considering the severity of the attack and that it targeted critical infrastructure in the health service of Ireland, I would say that it is likely that other countries will help Ireland, so it is possible that the key may have been provided through diplomatic channels.”
While the cyber criminals who hacked the HSE are financially motivated, Dr Palmieri said the current situation could be a lot worse if they had other motives.
“When money is the motivation you wouldn’t damage systems so much that they will stop functioning entirely, but if these attackers were cyberterrorists, rather than cyber criminals motivated by financial gain, and they wanted to pursue destruction then they could have done that.
“The complexity of the attack was not incredible. It was certainly a well-organised attack.
“By the end of the day the Conti ransomware was loaded simply through an email with a link to a Google Drive that somebody clicked on, we’re not talking about very advanced malware. I don’t think we have seen the worst of it yet unfortunately.”
Dr Palmieri said a big factor in organisations being vulnerable to attacks is opting for user-friendly software over the most secure option available.
“There is no system that is perfectly secure. There’s an old saying in the cybersecurity world that the only system that is safe is the one that is shut down and disconnected from the internet.
“What I would like to stress is the decision in many organisations has been simplicity of use, how used the user will be to systems, if the user is not used to a particular interface it’s ‘let’s not change the software’. The software may be more secure, but it may take the worker two or weeks to adjust, ‘we don’t want to disrupt them, they’re already busy doing their job’.
“That attitude is just not sustainable any more, if there are more sustainable systems than Windows for certain parts of the infrastructure then they need to be chosen.
“If there is software that is more secure, it should be used. If the users need training, then it should be provided.
“I’m afraid this wasn’t done for a number of reasons, including maybe the organisation was already stretched so thin that it was impossible to have any additional workload and of course Covid probably played a big role in that.
“In the longer term after the Covid crisis, and this applies to other organisations too, these discussions need to be had, if there is a more secure version of a software then it should be considered over others that may be simply more user-friendly.”
While the Government's stance on not paying a ransom is clear, the leaking of the data looks inevitable.
Dr Palmieri feels this is the case, but he pointed out that there could be other factors at play, such as pressure from fellow hackers or even foreign governments.
He also said the hackers may not have intended to attack the HSE on such a large scale until they launched the attack and realised the weakness in the IT system.
“If the objective is purely financial gain then I would say they cannot prevent it [the data leak] without paying a ransom, but we don’t know the context of how these cyber criminals operate.
“They could be operating with some degree of impunity where they are based on the basis that they do not create too much damage, so if this is perceived as excessive, they could be forced by the community and whoever provides them a level of cover not to be excessive because this could create diplomatic issues.
“We know that many cyber tools will not install malware if they detect that Russian was the first language of the operating systems. Like many cyber criminals, or criminals in general, they tend not to carry out their activities where they live because that would make local law enforcement agencies pursue them aggressively.
Vulnerable
“It’s hard to say, it’s possible that there is some pressure on them due to the severity of the attack, it’s possible this surprised them a bit. Attackers don’t know how easy a target will be until they attack, so they may have set out to do something smaller and ended up doing something much bigger than planned simply because the system was more vulnerable than they thought it would be.
“This may lead to some pushback from a different level for them not to cause too much additional damage by distributing all the files.
“If that was true, they wouldn’t get any financial gain for an operation that cost them time and money, so I don’t see nothing happening, but the scale of what will happen and what will be done will depend on these factors.
“I don’t see a scenario where none of the data is released unless there is an agreement on another level, not necessarily with the Irish State, pressures could come from different sources.”