State may face ‘wave’ of cyberattacks from same gang, security expert warns

‘I can guarantee you, there are a huge amount of ransoms that don’t go reported’

The Republic could be facing a “wave” of cyberattacks from the same criminal gang that has targeted the HSE, according to a former army intelligence officer and security consultant.

Such attacks tend to come in waves because the technology that works against one IT system, in this case the HSE's, often also works against systems used by other bodies or organisations in the same country, according to security expert Adrian Jacobs.

“There tends to be a wave because when you can get access through one system, the chances are that other systems will be as vulnerable.”

He said the gangs behind criminal cyberattacks that involve ransom demands operate to a “successful” business model.


This included significant advance work to find a weakness before launching their attack. They gangs then often seek to maximise their return on this investment with subsequent attacks on other agencies or bodies in the same country.

State bodies within one country can have similarities in terms of age, how the system was developed and also a level of compatibility between agencies.

“If you get five shots, and you score on two, that’s doubling your return,” he said.


Mr Jacobs also highlighted the speed with which Taoiseach Micheál Martin stated that there would be no ransom paid.

He said this was an attempt to mitigate against not just the attempt to profit from the current attack but also the potential for “multiple dips into the well” in the form of more attacks.

“I wouldn’t expect a victory parade after the HSE attack is contained, because they will be hugely concerned about the exposure that is still there. Because the modelling would suggest that [more attacks] is most likely.”

The most likely location for ransomware gangs was North Korea, China, or Russia, with Russia thought to be the likely location for the gang in the HSE attack, he said.

Whereas state control was likely in North Korea, in China and Russia some gangs are believed to operate in return for occasionally carrying out non-commercial attacks on behalf of the government, he said.

“You would have had attacks that were directly political. For example in the Baltic states there have been state-directed attacks. Moscow would deny this, but the targets have all been national strategic targets.”

He also said there would be no need for any member of the gang to come to Ireland as part of the preparation for the attack.

While larger, richer countries might be expected to pay higher ransoms to protect their health services and therefore a more likely target, they would also be expected to have better resourced protection of critical national IT infrastructure, Mr Jacobs said, which could explain why Ireland was attacked.

Mr Jacobs added it might be precisely because of the pandemic that the HSE was chosen.

“The more vulnerable you are, the more likely you might be considered to pay a ransom.”


In Ireland, the main body involved in the oversight of Ireland's critical IT infrastructure is the National Cyber Security Centre (NCSC), based in the Department of Communications.

It is the national point of contact for cyber security and will be in contact with Europol and the Enisa, the European Union Agency for cybersecurity.

Under the terms of the 2016 Network and Information Systems Directive, the State has responsibility for dealing with the security of services provided by multinational companies across the European Union that have their European headquarters located in Ireland. The majority of these multinational companies are from the United States.

In other countries, with much larger military infrastructures, there tends to be a greater involvement by military intelligence and the national intelligence services, in respect of cyber warfare and cyber security, Mr Jacobs said.

The success or otherwise with which Ireland deals with the attack on the HSE system, and any subsequent attacks, may have an influence on the State’s ability to continue to attract and maintain foreign direct investment, he added.

“From the Government’s point of view, one of the first calls they would have had to field would have been from the likes of Intel, because identifying how access was gained, whether they are reliant or connected in any way to the same access point, would be a concern.”

While major multinationals and other large businesses based here would have their own IT security systems, they also use the same national infrastructures such as broadband networks used by State agencies.

Not reported

“Without a doubt, and I can guarantee you of this, there are a huge amount of cyber ransoms that don’t go reported.”

However, commercial organisations often do not want to admit that they have been attacked, he said, for fear of prompting further attacks.

Given the speed of technological change Mr Jacobs believes it impossible to completely secure systems against attack.

“The battle goes on. You can never have enough resources . . . It is about risk management.”

In the US last week, the operators of the largest fuel pipeline in the country, Colonial Pipeline, were reported to have paid a ransom of 75 Bitcoin, or approximately €4 million, after a gang called Darkside, based in Russia, closed the pipeline network in a cyberattack.

The attack severely affected fuel deliveries in the US and led to a state of emergency in four states.

On Friday the New York Times reported Darkside had announced it was shutting down, following unspecified “pressure” from the US government.

In a statement in Russian to the newspaper, the criminals said they had lost access to aspects of their system and that money had been withdrawn to an unknown account.

However, the newspaper quoted security experts as saying that the statement from the criminal gang could be a ruse.

Mr Jacobs said the gangs involved in ransom attacks use ransom negotiation tactics, and that initial ransom demands are often “testers.”

In the case of the attack on the HSE, the Taoiseach’s public statement that no ransom would be paid, meant there was now a “stand-off”.

“You are into: ‘do you pull the trigger or don’t you’?”

Colm Keena

Colm Keena

Colm Keena is an Irish Times journalist. He was previously legal-affairs correspondent and public-affairs correspondent