Cyberattack on HSE: Scale of damage on systems will not be known for days

Minister says group responsible has been identified by the State’s cybersecurity apparatus

The HSE confirmed a cyber attack hit all hospital IT systems, with appointments at the Rotunda cancelled on Friday as a result. Photograph: Colin Keegan/ Collins Dublin
The HSE confirmed a cyber attack hit all hospital IT systems, with appointments at the Rotunda cancelled on Friday as a result. Photograph: Colin Keegan/ Collins Dublin

It will be at least three days before the scale of the damage from “possibly the most significant cyber crime attack on the Irish State” is clear, a Government Minister has said.

Green Party Minister of State for Communications Ossian Smyth said the attack, which led to HSE IT systems being taken offline on Friday, was carried out by a "serious international group", and was an "order of magnitude" beyond normal cyber attacks launched on State agencies.

“It was targeted; it requires highly-skilled operatives to control it,” he said.

He said the group responsible has been identified by the State’s cyber security apparatus, as a criminal gang operating in another country.

READ MORE

A ransom demand was made in Bitcoin, he said, which the HSE said on Friday would not be paid.

There were indications on Friday night that the attack had not been confined to the HSE.

Mr Smyth said the Office of the Government chief information officer had identified issues at the Department of Health. There may also have been a “serious breach”, and department systems would be examined over the weekend alongside the HSE systems to assess the extent of any damage done.

Experts will spend the weekend assessing the scale of the impact and bringing the HSE network back online, assessing any damage, and how widely the virus spread through the system before it was shut down to halt its progress.

Backup systems

“It’s a painstaking process, and they don’t know the extent until they go through it all… 72 hours is the general recommendation for how long it takes to go through everything,” Mr Smyth said.

The expectation is that backup systems were not impacted, which would make restoration easier.

It is not known whether patient data has been accessed or breached, Mr Smyth said.

The Garda is liaising with the HSE and the National Cyber Security Centre, as well as sharing information with Europol.

Garda sources said the force’s involvement would become a substantive criminal investigation when a profile of the malware, called Conti, and its likely origins had been compiled during the work to contain and reverse its spread. The Conti ransomware, or malware, first appeared in December 2019, and some security sources said it appeared to be the successor of Ryuk ransomware, which first surfaced around the middle of 2018.

Ryuk originated in Russia, and appears to be controlled by a cyber crime gang known as Russian Spider. It is suspected of outsourcing the ransomware to other cybercriminals in return for a share of their profits. An Eastern European group known as NC1878 has been behind some Ryuk attacks on healthcare systems and providers.

The main players in Ryuk attacks are believed to have developed Conti – effectively as an upgrade – and were now among the suspects for the HSE attack. However, security sources said definitively tracing the origins of the Irish attack would be “very complex”, and may never be possible.

However, Conti has been reverse engineered by those working in the international cyber security sector since it surfaced about 18 months ago, meaning the security sector was able to overcome it and compile kits to install to guard against future attacks.

Weakness

Mr Smyth said the Government does not believe there was a particular vulnerability to the attack in the Irish system, or that a particular weakness was exploited.

However, experts said Ireland should be aiming to be a world leader in cyber security initiatives and ensuring cyber crime prevention was adequately resourced.

"We're playing catch-up on investment in those areas," said Brian Honan, a cyber security consultant and former adviser on the subject to Europol.

"Given our position as a country that prides itself and wants to promote itself as the data centre of Europe, we should be one of the leaders in Europe if not the world," he said.

Daragh O’Brien, another cyber security consultant, said the attack “looks like a well-planned response to an identified risk to the organisation”.

Mr Smyth said a “kit” is being produced for dissemination to other State agencies to assess whether the ransomware spilled over outside the health system.

Jack Horgan-Jones

Jack Horgan-Jones

Jack Horgan-Jones is a Political Correspondent with The Irish Times

Conor Lally

Conor Lally

Conor Lally is Security and Crime Editor of The Irish Times