How did the HSE get hacked?

The ransomware event currently affecting the HSE has been extremely disruptive. But how did it happen?

How did the ransomware get into the HSE systems?

At this early stage, no one knows exactly how ransomware got into the IT systems of the HSE. However, it is possible that the malware got into their systems via a phishing email. If we look at similar cases which have been hit with the same family of ransomware, patterns begins to emerge. For example, in October 2020, several American hospitals were hit with ransomware. These attacks started with a phishing email sent to employees in the form of a Google Drive link. In some of these cases, clicking on the document link would deliver Ryuk directly to their computers. In other cases, C2-enabled (command-and-control) malware (such as Trickbot, Emotet or Cobaltstrike) would be downloaded onto their systems which subsequently downloaded Ryuk. According to security research agency Coveware, 34% of Conti ransomware attacks start with a phishing email. Another security research oganisation, Advintel, estimates that 91% of ransomware attacks begin with a phishing email.
 
Has this strain of ransomware been in circulation long?

The strain of Conti ransomware developed by Wizard Spider has only been in circulation since August 2020. However, its precursor Ryuk (also developed by Wizard Spider) has been in circulation since mid-2018.

Has anything like this happened before?

Yes, the precursor to Conti ransomware, Ryuk has infected hospitals, schools, companies, councils and government agencies across the world. In fact, in October 2020, the FBI issued an urgent warning about Ryuk it was wreaking such havoc. Victims of Ryuk have included Baltimore Public Schools, hospitals in France (Dax and Villefrance-sur-Saone) and hospitals in Oregon, New York, Michigan and Wisconsin. In terms of government agencies, in January 2021, the Scottish Environmental Protection Agency got hit with Conti ransomware knocking out most of their systems. They refused to pay the ransom.

Would anti-virus software not have detected this?

No, the suite of malware which Ryuk and Conti use, has the ability to disable endpoint security software. (Normally a Windows PowerShell command is executed which disables the AV protection instantly)  

Surely, the firewalls of an organisation like the HSE would have detected this?

Conti and Ryuk ransomware are very stealthy. Both use highly sophisticated packers, crypters and protectors. In a nutshell, these are software tools which make malicious files harder to detect. “Packers” make malicious files smaller. “Crypters” obfuscate malicious files, making them harder to detect using signature-based detection tools like anti-virus and firewalls. While “protectors”, make reverse engineering the malware very difficult. Moreover, before Conti propagates throughout a network, it reads the ARP cache on the infected machine. This is clever because it tells the cyber criminal’s software what other computer systems the infected machine often communicates with. (The ARP cache is like the recently dialed numbers list found on your smartphone). A small tweak like this means that the Intrusion Detection System used by the HSE would have been less likely to trigger an alert. After all, a computer sending data to a computer it always sends to. What’s so suspicious about that!
 
Why are medical records of interest to hackers anyway?

Medical records are valuable to hackers because they tend to contain a lot of evergreen data i.e. data which does not go out of date quickly. They are likely to contain your date-of-birth, your PPS number, your medical insurance number, phone number and your address. All of this information can be valuable in carrying out criminal activities. This might include opening a banking account, taking out a loan, applying for a passport or acquiring prescription drugs. Moreover, if you’re a celebrity or imminent business person or politician, you could be blackmailed. Cyber criminals can threaten to release this personal information about you into the public domain. This is also known as doxing.    
 
Why do so many hackers come from Russia, anyway?

Former communist countries placed a heavy emphasis on mathematics and computer science in their education systems. They also made substantial investments in their (signal) intelligence communities. This had led to a large number of well-educated and well-trained people who have found that they can make a good living from nefarious online activities. Moreover, there are several legal loopholes in Russia which make hacking not entirely illegal but in a grey area. This can be mean if a cyber-criminal is caught, they might not even get punished. In some cases, they might even get recruited by the government! (And this does happen a lot..). The cost of operations in Russia is much lower than in Western Europe or North America. So, taking into account the legal environment, the plentiful supply of skilled labour and low-cost, it’s no surprise why so many cyber-criminals emanate from Russia.
 
Was Russia always involved in hacking organisations in the West?

The hacking of Western organisations goes back as far as the Cold War. Some would even argue further. However, this type of hacking was often motivated by political reasons. In the mid-1990s, security agencies (such as the CIA and MI6) started to notice a shift from political hacking by state actors to commercially motivated hacking. 1995 proved a key year when cyber-criminal group leader Vladimir Levin was arrested at Stansted Airport (on behest of the US government) for hacking into the corporate customers of Citibank. His group had managed to find a vulnerability in the x.25 data packet communication protocol as used by Citibank’s WAN network. This enabled them to siphon off thousands of dollars. Today, while the X.25 protocol has long since been deprecated, cyber criminals exploit network protocols such as RDP and SMB to infiltrate and move laterally across modern IT networks.
 
Implications for your organisation and how to lower the risk of a similar attack occuring in your organisation
 
1) Many employees have a misplaced trust in technological defences such firewalls and anti-virus solutions. They need to be informed that such defences cannot detect everything. In fact, many employees don’t think that IT security is their responsibility. A SecureClick survey conducted in March 2021 found that 39% of remote workers in Ireland believe IT security is the responsibility of their IT department. Employees need to be informed that IT security is a collaborative process. Because so many cyber-attacks now start with a phishing email, they need to be reminded of the pivotal role they play in keeping their organisation secure. 

2)Your employees should be drilled in the social-engineering tricks employed by cyber criminals to persuade them to open up malicious links or attachments. Phishing scams based on themes such as curiosity, loss aversion, shock, greed, urgency and chain-of-command keep on working. Employees should be trained to spot these psychological tricks. For example, during our interactive training sessions, we use a collection of real-life phishing campaigns and we get participants to tell us which trick is being used. Helping users understand the mind of the hacker can sometimes be more effective than getting them to click 100 multiple choice questions! 

3) Employees need to be instructed on how false trust cues are often exploited by hackers. Many users assume that just because a link or document is on a Google Drive or One Drive (Microsoft) link that it’s safe to click on. Users often make the erroneous assumption that Google or Microsoft would have already scanned the document for nasty files! 

4) Your employees should be trained to spot anomalies on their computer system indicating that their device might have been compromised. In the case of ransomware, end-point security or anti-virus software which, all of a sudden, stops working should be a massive red flag. In such cases, employees need to be given clear instructions on what to do or reminded of the importance of incident reporting. 

5) Simulated phishing exercises can test the effectiveness of your IT security awareness program. Good phishing exercises are authentic but never predictable. Continually sending users easy-to-spot phishing emails can be counterproductive. Likewise, simulated phishing emails which have too much inside-information in them just tend to annoy users. According to 2021 State of the Phish report, 80% of organisations say security awareness training has reduced phishing their susceptibility. 

6) Sometimes the best IT security training is a program which is “drip-fed” to your employees over a sustained period. It can be delivered via your LMS, our fully managed e-learning platform or in some cases done by SMS messages to your users’ phones. 

7) And finally, you can have the best content in the world but your security awareness training program must engage users. Let’s be frank about this. When most employees hear about IT training, it’s not exactly a topic which excites them. Boring your users means participants will be just going through the motions. Numerous studies have shown that there is a very strong correlation between participant engagement and learning which is stored in long-term memory. 
 
Lower the cyber-risk in your organisation today. SecureClick, Dublin, Ireland offers a fully managed turnkey IT security awareness programs for your organisation. We help organisations across a broad spectrum of sectors including manufacturing, professional services, education, logistics, construction, healthcare, pharma and government agencies.Our engaging training is highly customised to your industry sector and according to job title.  Call us on 01 254 9702.