Decryption tool supply after HSE cyberattack likely gang ‘PR move’

UK cyber security centre head to praise Irish decision not to pay ransom in talk to forum

The cyber criminals who hacked Ireland’s health service IT system over a month ago likely handed over a decryption key as a “public relations move”, according to the head of the UK’s national cyber security centre.

In a speech at the Institute of International and European Affairs (IIEA) in Dublin on Friday, Lindy Cameron will say the Conti ransomware group, which has claimed responsibility for the cyberattack on May 14th, made available the software tool for free in an attempt to “lessen criticism”.

The tool was verified as functional and genuine but Irish officials said the software was “flawed”. There were also concerns the software supplied by the Russian-speaking criminals could contain “backdoors” which may allow for further attacks.

Ms Cameron will also praise the Irish decision not to pay the hackers the $20 million (€16.7million) ransom they demanded, adding the Government “quite rightly” made clear that the ransomware attack “crossed a line”, even by criminal standards.


Criminal model

“Cyber criminals are out to make money; the more times a method is successful, the more times it will be used. It’s important that we do all we can to ensure this is not a criminal model that yields returns.”

Furthermore, the “strong action” taken by the Government will likely deter ransomware operators from further attacks on health sector organisations in Ireland and elsewhere in the future, she says.

Ms Cameron also emphasises the importance of Irish-UK co-operation in countering threats to cybersecurity. In particular, she will discuss how infrastructure shared between the Republic and Northern Ireland, such as the rail link between Belfast and Dublin, are attractive targets for cyber criminals.

She identifies China, Russia, North Korea and Iran as four “hostile state actors” that have been a constant presence in recent years, and collective action must be taken by international partners to develop foreign security priorities.

Meanwhile, Tusla’s National Child Care Information System was activated on Wednesday night in what the agency said was a “major step” in the recovery from the recent cyberattack on IT systems in the health service.

Childcare data

More than 90 per cent of the child and family agency’s IT systems are hosted by or dependent on the Health Service Executive network.

The service rebooted in test mode its childcare information system, which holds in one place highly sensitive information on child protection and welfare cases from all 17 of the State’s social work areas.

In a statement on Thursday, Tusla said that the move marked a “major improvement” and required enormous effort from its staff and partners. It is anticipated that full restoration of the “critical system” will be achieved in the coming days.

Chief executive of the agency Bernard Gloster said the database was “badly damaged” in the cyberattack on the HSE IT systems over a month ago.

“It took enormous skill, hours and dedication from many to restore it,” he said, noting there was still a long way to go.

He reminded the public that Tusla was still taking referrals by phone, as the agency’s email system continues to experience some issues.

Ellen O'Riordan

Ellen O'Riordan

Ellen O'Riordan is an Irish Times reporter