
Garda to target financial assets of HSE cyber attackers

Operation will require co-operation of international partners

Gardaí plan to target the finances of the cybercriminal gang suspected of involvement in the HSE ransomware attack as part of the next stage of their investigation.

Last week the Garda National Cybercrime Bureau (GNCCB) led a successful international operation aimed at seizing the online infrastructure used to target the health service and other victims.

A number of web domains used by the group, known as Conti or Wizard Spider, to send phishing emails and upload ransomware to prospective victims' computers were taken down by law enforcement. Visitors to the sites are now greeted by a Garda-branded splash screen stating the domains have been seized.

Gardaí say the operation prevented more than 750 extortion attempts. “In each instance, the seizure of these domains by the GNCCB investigation team is likely to have prevented a ransomware attack on the connecting ICT system by rendering the initially deployed malware on the victim’s system as ineffective,” the Garda said.


The seizure operation is understood to be one strand of the ongoing investigation into the gang, which is believed to be Russian-based or Russian-speaking.

The next stage will involve targeting the criminals’ financial resources, informed sources said. This will involve the freezing of bank accounts believed to be used by cybercriminals to funnel money from victims. Legal proceedings aimed at confiscating these assets are also being examined.

None of these bank accounts are based in Ireland, meaning the Garda will have to rely heavily on international partners. This may prove difficult; while most countries have been happy to assist the Garda in the investigation to date, some have been less forthcoming.

The HSE says more than 95 per cent of its systems have now been restored. However, the attack continues to impact some areas, particularly X-rays and radiotherapy.

Repeat attack

The HSE has taken several steps to guard against a repeat attack, an HSE spokeswoman told The Irish Times on Monday. These include the establishment of a 24/7 Security Operations Centre (SOC), new tools to hunt for ransomware across the network and the “hardening of our network based on external recommendations”.

Gardaí in the GNCCB are understood to be pleased with the pace of the investigation. However, sources warned the possibility of bringing the perpetrators to justice in Ireland remains slim, particularly if the criminals are Russian-based. Russia does not extradite its citizens as a matter of policy.

“Sanctions do not always come in the form of putting handcuffs on someone, there are a number of alternatives that can be attributed to these cybercriminals. I am cautiously optimistic that we will see attribution and sanction against those involved in these cybercriminal gangs,” GNCCB Chief Superintendent Paul Cleary told the public policy publication Eolas Magazine last week.

The attack, which crippled the HSE’s computer systems, was an “eye-opener” for gardaí but the subsequent response has been effective, he said.

He said in the 14 weeks since the attack gardaí have made “great progress”.

“We have a very good insight into how these cybercriminals conduct their business. We have seen the modus operandi that they use and know that they are financially motivated, as well as seeking to cause as much disruption as possible to their targets in an effort to encourage them to pay.”

Det Chief Supt Cleary said gardaí had learned a lot of lessons “through this attack which will only make us more prepared in the future”.

Conor Gallagher

Conor Gallagher is Crime and Security Correspondent of The Irish Times