Cyberattack: Years of fraud, extortion attempts could follow if HSE data published, gardaí fear

Publication of data on darknet as threatened by gang appears inevitable, gardaí say

HSE offices in Dublin. The State’s Cyber Security Incident Response Team, IT teams from the HSE and FireEye, the State’s security contractor, are to work through the weekend. Photograph: Gareth Chaney/Collins


Gardaí are concerned a protracted wave of scam attacks could follow if data potentially relating to millions of people, which may have been stolen in an attack on the Health Service Executive, is published or sold on to other criminals.

Sources said fraud and extortion attempts could follow over a period of years. Garda Headquarters last night said the Garda National Cyber Crime Bureau was “continuing its criminal investigation into the cyber attack on the HSE”. It issued a warning to people never to supply personal or banking details to callers, even if those callers appeared to have their personal information.

Senior gardaí told The Irish Times it looked inevitable the stolen HSE data would be published on the darknet or sold, or a mixture of both. They added some of it may have already been sold and that other material may be published on Monday.

Gardaí were fearful personal details such as names, addresses and phone numbers could be harvested by criminals for years and used in scams.

Gardaí said documents relating to sensitive health matters could be used in extortion, as was the case late last year for thousands of psychotherapy patients in Finland. They were blackmailed via email under threat that the notes from their therapy sessions would be published. One Garda source said the type of crimes some of the data could be used for was “only limited by the imaginations of the fraudsters”.

Threat

Minister of State for Communications Ossian Smyth said the threat to publish data on Monday was being taken as genuine. “That deadline about Monday did appear on the same [dark web site] as where the decryptor appeared, so it can be assumed it is a genuine threat.”

The State’s Cyber Security Incident Response Team, part of the National Cyber Security Centre, IT teams from the HSE and FireEye, the State’s security contractor, are to work through the weekend. There is optimism that progress can be made on debugging a decryption key sent by the cybercriminals, which can be used to make a digital tool to help decrypt systems.

However, all systems will still need to be checked and cleaned before being restarted, and there may be technical hitches. In all circumstances, it is anticipated that it will be a period of weeks between technical solutions being deployed and a wider resumption of services. “I think there’s a gap between what they’re doing internally and the time when the patients and staff will see systems working again,” Mr Smyth said.

Ransom note

A ransom note was part of the Conti ransomware used in the attack. The ransom note was attached to encrypted files. It warned a ransom-based attack was under way and included instructions about how the HSE should contact the gang.

The Irish Times understands at least one party among the large team of people dealing with the hack and its fallout in the Republic moved to examine the contact method supplied by the gang. The attackers later sent messages via that messaging system, one of which contained a demand for $20 million. Informed sources said the manner in which the messaging facility supplied by the gang was interacted with was being reviewed. While nothing criminal arose, there was some concern in Government circles it may have unintentionally given the gang the impression formal contact was being made with it and negotiations were being opened.

It’s understood at least one other third party – with no connection to the team dealing with the attack – had sought to connect with the messaging infrastructure. It was unclear who that person was and whether their actions were sinister or if they were possibly a malware enthusiast or researcher acting out of curiosity.

The Taoiseach Micheál Martin reiterated on Friday that no money had changed hands with the Russian-speaking criminals behind the attack, nor would it. Asked why the decryption key had been offered to the State, he said it had not come via diplomatic channels.