Gardaí seize infrastructure from HSE cyber attack gang

Operation led by Garda believed to have prevented more than 750 ransomware hacks

Gardaí have seized cyber infrastructure used by the gang involved in the HSE cyber attack earlier this year after an international operation, which is believed to have prevented more than 750 ransomware attacks.

The operation, which targeted websites, domain names and servers used in the attacks, has been led by An Garda Síochána but also involved other international law enforcement agencies, including Interpol and Europol.

Garda Headquarters, in Phoenix Park, Dublin, on Sunday released information about the operation, saying it has been run by the Garda National Cyber Crime Bureau (GNCCB) and that it would also assist victims against whom attacks were already partially under way.

“This is a crime prevention operation and to date a total of 753 attempts were made by ICT systems across the world to connect to the seized domains,” the Garda said. “In each instance, the seizure of these domains by the GNCCB investigation team is likely to have prevented a ransomware attack on the connecting ICT system by rendering the initially deployed malware on the victims system as ineffective.”



It added information on the IT infrastructure lost by the gang and secured by the Garda was being shared internationally. This would enable the “decontamination” of computers or wider systems that had already been comprised.

The gangs’ infrastructure now under the control of the Garda is initially used to send phishing emails to unsuspecting victims. When they click on links in the emails that allows the attackers’ malware on to a computer and then a wider IT system, as was the case with the HSE ransomware attack.

Once the criminals gain access to a system or computer in that way, they can then copy vast quantities of information and send that data back to sites and domain names they control. The stolen information is then used as leverage to blackmail their victims. The gangs also shut down computers and wider IT systems during their attacks, crippling organisations in a manner that can also put pressure on victims to pay a ransom.

The operation the Garda has led in recent weeks specifically targeted the infrastructure used by the HSE attack gang to access and steal information. It prevents a victim’s computer reaching out to the gangs’ malware and also stops the gangs sending stolen information back to themselves. That infrastructure, including servers all over the world, is now under the control of the Garda and other law enforcement agencies.


Gardaí have also used a splash screen, bearing the Garda logo and an information message, which is visible when the seized domain names or websites are accessed. That message makes it clear to the criminals they have lost the infrastructure and also informs victims that the infrastructure used to attack them is now under the control of law enforcement.

The Garda said the message would warn people their systems had been comprised by ransomware and would “enable them to take appropriate security measures”.

Separately, Det Insp Brian Halligan of the GNCCB told RTÉ his unit was making "steady" progress in its investigation into the cyber criminals that attacked the HSE. That gang is believed to be a Russian-speaking gang, or hackers using their infrastructure.

Det Insp Halligan said the Garda had "learned a lot" since the HSE attack and during the course of its investigations into that major incident in May.

Conor Lally

Conor Lally

Conor Lally is Security and Crime Editor of The Irish Times