[BreachExchange] €100M HACK HSE failed to detect warning signs as cyber gang inside IT system for 8 weeks before attack, report reveals

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Fri Dec 10 11:23:44 EST 2021


https://www.thesun.ie/news/8050483/hse-cybercrime-attack-cost-warning-signs-report/

THE cyber gang behind the attack on the HSE were inside the system for
eight weeks and several warnings were raised but no one took action, a new
report reveals.

An independent review of the ransomware attack shows that the gang gained
access through one person’s computer before launching a large-scale attack
that crippled the health system and forced doctors back to using pen and
paper communications.

The attack by the Conti ransomware gang will cost the health service
€100million as they replace 30,000 devices and struggle to catch up with
thousands of cancelled appointments.

The report, compiled by PwC, shows that the attackers gained access to the
system after someone clicked on a Microsoft Excel document attached to a
phishing email on March 18.

The cyber gang then used this computer to gain further access to the HSE’s
IT system over an eight-week period before the detonation of the Conti
ransomware on May 14, which locked the entire system.

The criminals explored the HSE’s system with high-level access across
hospital networks and stole sensitive data.

The Defence Forces, gardai, a private cyber security firm and the National
Cyber Security Centre were called to assist the HSE and set up a “war room”
at a building on Molesworth Street in Dublin.

The cyber gang left a ransom note on the HSE’s system demanding payment
worth tens of millions of euro to release the codes to decrypt the system.

The criminals then used a dark web chat room to post a series of links to
sensitive data they had stolen from the HSE.

The HSE has filed court orders to prevent anyone publishing stolen data
online and has created a service to monitor both the internet and the dark
web for possible data leaks.

'WARNING SIGNS'
The PwC report shows that there were several warning signs that the HSE had
been hacked in the eight-week period before the ransomware was detonated.

However, no action was taken on the back of these warnings to prevent the
attack.

The report says: “There were several detections of the Attacker’s activity
prior to 14 May 2021, but these did not result in a cybersecurity incident
and investigation initiated by the HSE and as a result opportunities to
prevent the successful detonation of the ransomware were missed.”