Subscriber OnlyData & Security

How the HSE cyber attack changed the face of online crime globally

The biggest attack on a health system anywhere hastened the demise of the Conti group of hackers

A cyber-security notice at Dr Steevens' Hospital in Dublin in the wake of the ransomware attack on the HSE. Photograph: Dara Mac Dónaill
A cyber-security notice at Dr Steevens' Hospital in Dublin in the wake of the ransomware attack on the HSE. Photograph: Dara Mac Dónaill

Last year, shortly after the invasion of Ukraine, Conti, the Russian-based cybercrime group announced that it fully supported Vladimir Putin and that it would use “all possible resources” to strike at Russia’s enemies.

The announcement was not surprising. It had long been suspected that Conti operated inside Russian borders with the tacit consent of the authorities there, as long as it did not target Russian citizens.

By then Conti had become well known in Ireland following its May 2021 ransomware attack on the Health Service Executive, which led to the forced shutdown of all of its IT systems – the biggest attack on a health system anywhere in the world.

However, the Conti leadership had failed to understand that not all of its members were Russian, and that not all members supported the war. Two days later a Ukrainian, self-described as Contileaks, started publishing masses of internal data about the gang and its leadership.

READ MORE

By May 2022, just a year after it had humiliated the HSE and seized the personal data of tens of thousands of people in the attack, Conti itself was no more, with its own websites that once were used to publish or sell hacked information taken offline.

In effect, Conti fragmented into many smaller groups.

It was a remarkably quick fall for such a feared criminal group. Since appearing on the scene in 2020, Conti’s ransomware had been responsible for hundreds of millions of euro in damage and had made its leaders a small fortune in ransoms.

Irish interests could be hit by ‘scorched earth’ Russian cyber-attacksOpens in new window ]

Conti attacks were two-pronged. Its hackers encrypted a target’s systems, rendering them unusable. At the same time, it stole whatever data it could find and threatened to sell or publish it if a ransom was not forthcoming. In most cases, the victims paid.

Last year the FBI estimated Conti had received more than $150 million (€142 million) in ransomware payments from about 1,000 victims. In response the bureau was offering rewards of up to $15 million for information about the group.

It is tempting to ascribe Conti’s eventual fall to the FBI bounty or the leaks. But security experts believe these factors merely sealed the fate of the gang, which was already dealing with severe internal discord over its tactics.

“We do not believe that Conti’s dissolution was a direct result of the leaks, but rather that the leaks catalysed the dissolution of an already fracturing threat group,” the cybersecurity analysts Recorded Future said in a report last month.

Much of this discord centred around the decision to attack the HSE, according to internal chat logs released as part of the Contileaks, which have been reviewed by The Irish Times.

Following it, some members of the gang complained that they should not be targeting hospitals or any other public infrastructure at all in the wake of the HSE attack in May 2021. It was too big a risk and it brought too much heat, they argued.

Criminals have an inbuilt advantage in the great cyber arms raceOpens in new window ]

It is not surprising the attack on Ireland’s healthcare system caused such controversy in the group. It brought unprecedented attention on the gang’s activities, not just from Ireland but from law enforcement agencies around the world.

Conti had targeted healthcare organisations before, but nothing on this scale. Four-thousand locations, 54 hospitals, and 70,000 computers were affected. About 80 per cent of HSE systems were encrypted by the attackers and 700GB of data, including personal health records, was stolen.

“The HSE was one of the biggest cyberattacks, in terms of end points, in history,” Richard Browne, director of the National Cyber Security Centre (NCSC) tells The Irish Times. “This was an incident of global significance.”

A week after the attack a hacker named Alter raised the matter in an internal Conti chat room.

“Given that many people are asking this question in light of the latest news about the Irish Ministry of Health, I want to say that none of those present here have anything to do with this attack, we DO NOT attack public resources, hospitals, airports and anything like that, and we will not,” they said in a message first reported by Bloomberg.

Alter’s contention that Conti did not target public infrastructure is undermined by previous chat logs detailing attacks on healthcare institutions by the group.

Browne does not explicitly say what many security experts at the time believed: that the Kremlin pressured the hackers to co-operate

“So tomorrow there will be hospitals,” one user told a chat room in October 2020. The same month, a user said “somewhere around 30 clinics and hospitals in the United States have been made”. One of the hackers then requested another to “lock the hospital with your locker”.

The supposed rule against targeting healthcare was discussed in another chat log from 2020. A hacker, realising one of the companies they had targeted was a nursing home in the US, suggests abandoning the attack. “On the other hand, it’s not a hospital,” they muse.

Another hacker tries to justify the attack, arguing nursing homes “steal money ... from old people”. Someone else responds: “They go to hell.”

The rule against attacking hospitals seems to have been taken more seriously in the months after the HSE attack. In June 2021 a hacker named Rashaev said Conti would not touch the health sector again under any circumstances.

But the debate raised its head again in October 2021 when a Conti hacker named Dollar announced in a chat he had stolen 8GB of data from a Florida hospital network. A fellow criminal named Cybergangster was incensed by his behaviour, writing: “Two times I told him that we do not touch the medical sector.”

Opening of email attachment led to HSE cyber attack, report findsOpens in new window ]

Dollar was undeterred and, in February 2022, just before the Russian invasion, he discussed plans to target a cerebral palsy charity.

These fractures quickly became apparent to the National Cyber Security Centre following the HSE attack. “We had information both from sources in industry and elsewhere as to exactly what was happening within the group,” says Browne.

“We could tell from the way they were reacting and the degree of urgency in their comms that they didn’t have a particularly strong hand,” he says. “We were aware there was discord within the group. That was obvious.”

This information informed the NCSC and Government strategy, which boiled down to calling Conti’s bluff. It was decided that then taoiseach Micheál Martin and other officials would clearly and repeatedly state that no ransom will be paid, under any circumstances. In response, Conti published some data online, relating to 520 patients, in an effort to increase the pressure to pay. But it refrained from dumping or selling the main tranche.

“There was no guarantee that what we were doing was going to result in the outcome that it did,” says Browne. “But it was one of the tools that we had at our disposal. So we played it.”

The huge disruption caused by the initial attack, which in all likelihood resulted in avoidable deaths. To give just one example, radiation treatment for more than 500 cancer patients was interrupted by the attack

The biggest indicator that their strategy was working was when Conti unexpectedly handed over the decryption key to allow the HSE to unlock their systems.

Browne believes this was a result of the “drumbeat” of international and diplomatic pressure resulting from hacking a health service during a pandemic.

“Given the nature of the ecosystem in which these guys are operating, that becomes dangerous for them. So this essentially puts pressure on them to do certain things.”

Browne does not explicitly say what many security experts at the time believed: that the Kremlin pressured the hackers to co-operate.

The encryption key did not help the authorities recover the stolen data but it did rapidly speed up the process of unlocking the HSE’s systems. In the end the Government’s strategy was arguably vindicated. No ransom was paid, the publication of personal data was limited and the damage caused by the attack was eventually repaired. Of course, none of that reversed the huge disruption caused by the initial attack, which impacted the healthcare of thousands. To give just one example, radiation treatment for more than 500 cancer patients was interrupted by the attack.

Russian president Vladimir Putin: the Kremlin is suspected of applying pressure on Conti to co-operate. Photograph: ITar-Tass
Russian president Vladimir Putin: the Kremlin is suspected of applying pressure on Conti to co-operate. Photograph: ITar-Tass

Browne and his colleagues know exactly which members of Conti were behind the attack but bringing them to justice remains a remote possibility given current geopolitical conditions.

As well as contributing to the break-up of Conti, the HSE attack also changed the world of cybercrime in other ways. Its biggest impact was serving as a wake-up call for private companies and government agencies internationally.

“The demonstration effect of high-profile incidents like the HSE incident has focused attention on this globally,” says Browne. “When that happens, companies sit up and say, ‘Our business will be hurt, our reputation will be hurt – we have to deal with this.’ ”

As well as strengthening their cybersecurity, companies became better at backing up their data systematically, making any potential ransomware attack a less daunting prospect. “When they have backups [companies] can literally say, “Fine, you’ve encrypted our assets, we don’t care, we’ll burn it to the ground,” says Browne.

According to Joseph Stephens, the NCSC’s head of engagement, this has made “big-game hunting” – the specific targeting of larger companies and agencies – “much more challenging”.

Many cybercriminals, particularly those in leadership roles, have been diverted elsewhere as a result of Russia’s invasion. “In some cases they might be in uniform, sitting in a trench somewhere in eastern Ukraine”

The results of this are clear. After several years of increases, the amount of ransomware payments by companies globally fell significantly in 2022. According to one analysis firm, payments to ransomware groups fell 40 per cent last year, from a high of €766 million in 2021.

Browne and Stephens say similar trends have been noticed in Ireland but cautioned that it is difficult to draw conclusions from such a small data set. They also urged against complacency, noting that the fall in payouts was mainly limited to just the first half of 2022.

Ransomware is still a very real threat, they say. After all, Conti is just one of many cybercrime outfits to emerge in recent years. One of its successor organisations, Blackcat, successfully shut down the campuses of Munster Technical University last month and dumped more than 6GB of internal data online.

On the other hand, many cybercriminals, particularly those in leadership roles, have been diverted elsewhere as a result of Russia’s invasion. “In some cases they might be in uniform, sitting in a trench somewhere in eastern Ukraine,” says Browne.

Cyber security spending remains high on agenda for Irish companiesOpens in new window ]

Domestically, the HSE attack caused Ireland to finally take cybersecurity seriously at a State level. After the attack, the size of the NCSC was almost doubled to 45 personnel, with plans to increase that to 70 by 2026.

Ireland now also has a National Cyber Emergency Response laying out the response to any future attack on critical infrastructure, making it one of a small number of EU countries to have a formal plan in place, says Browne.

The attack has also left Ireland in a position to advise other countries on how to respond to large-scale attacks. “Lots of people have learned from our incident response,” says Browne, adding that it is now held up at EU level as a case study on how to respond to attacks.

But many in the cybersecurity world wonder if these measures are enough, given Ireland’s role as an EU technology hub, dependent on foreign direct investment.

MTU says social media firms have helped prevent publication of stolen dataOpens in new window ]

The NCSC agrees and, according to Browne, is to recommend the implementation of further measures in the upcoming midterm review of the National Cybersecurity Strategy. “There’s more we can do, and there’s more we need to do,” he says.

“The world is a very messy, variegated, multipolar place when you’re dealing with incidents like this, but there’s powers that we need to have to be able to protect everybody else.

“Yes, we need to help the victim get back up and running. But we also need to think of everybody else who could be vulnerable to the same gang tomorrow, or the day after, or the day after that.”