Timeline to a cyberattack: the signs missed before State’s health service crippled

HSE did not respond appropriately to ‘noisy and unstealthy actions’ by criminal gang

The Department of Health and an unidentified hospital (hospital A) successfully protected themselves against last May’s devastating cyberattack on the health service.

However, the HSE did not invoke the appropriate responses to warnings it received, according to a report published on Friday.

Had the HSE responded in a similar fashion to the Department of Health and hospital A, “then it is likely that the widespread encryption of the HSE [IT network] would have been prevented.”

The criminal group that carried out the attack, in pursuit of a ransom payment, infected the workstation of an HSE employee on March 18th, after the employee opened a malicious Microsoft Excel file attached to a phishing email.

Eight weeks later, on May 14th, ransomware that had been introduced into the HSE IT system was “detonated”, causing a massive crisis across the health service as a large amount of data suddenly became encrypted.

The attack on the HSE system was carried out by a foreign criminal organisation that was seeking a ransom payment.

A timeline in a report commissioned by the HSE, from PwC, into how the attack happened details how:

On March 25th, the criminals created a persistence mechanism on the infected HSE workstation (the “patient zero” station) that allowed access to the HSE’s IT even if the workstation was rebooted or powered off.

On March 31st, the HSE’s antivirus software detected two tools frequently used by ransomware groups, Cobalt Strike and Mimikatz, on the “patient zero” station.

The HSE’s antivirus software was set to monitor mode, and no incident was identified up to May 6th.

Additional malware installed

On May 7th, the criminals installed additional malware on the patient zero station, and compromised other HSE systems.

On the three following days, the attackers compromised the systems in hospitals K, D, J, C and L, according to the report.

On May 11th, Hospital A’s antivirus software detected and deleted malware on several systems.

The next day, May 12th, the criminals browsed folders and opened files within hospitals A, B and D. Hospital A told the HSE’s Office of the Chief Information Officer about alerts of suspicious activity.

Also, according to the report, “the HSE’s cybersecurity solutions provider emailed the HSE’s security operations team to escalate alerts on two servers and requested a full on-demand scan be completed.” The HSE confirmed the scans had been completed.

The following day, May 13th, the criminals accessed HSE systems and browsed and opened files.

“The HSE’s cybersecurity solutions provider emailed the HSE security operations team and outlined that there were unhandled threat events since May 7th, 2021, on at least 16 systems; the HSE security operations team requested that the server team restart servers.”

On May 14th, the ransomware was “executed” on systems within the HSE, and in hospitals C, K, D, L, J and B, causing an emergency response and the disconnection of the National Healthcare Network from the internet.

Resetting of 4,500 passwords

Meanwhile, action had been taken by the Department of Health, and hospital A, that largely prevented the execution of the ransomware on their systems.

On May 12th hospital A had asked its incident response provider to investigate alerts, leading to the resetting of 4,500 passwords and other actions. It also made contact with the HSE to request information on two IP addresses.

On May 13th the HSE identified the IP addresses as related to two servers within its domain, but “incorrectly concluded” in an email between HSE teams that the suspicious activity originated within hospital A, “rather than the other way round”.

Because of this mistake, the HSE did not seek additional external expert help or contact the National Cyber Security Centre (NCSC).

The same day, the Department of Health’s cybersecurity solutions provider alerted the department about suspicious activity.

The department contacted the NCSC, and took actions that blocked the criminals’ Conti ransomware from affecting the majority of the department’s infrastructure.

In its report, PwC said the attack on the health service network was not contained prior to the ransomware execution “despite the attacker performing noisy and unstealthy actions”.

The HSE’s antivirus tool did detect the attacker’s actions but “they were not actively identified or thoroughly investigated.”

A commonly used ransomware tool, Cobalt Strike, was identified by the HSE’s antivirus software on six servers on May 7th, but the alerts were “not appropriately actioned.”

The HSE had “insufficient cybersecurity expertise to understand the significance of these detections”, the report said.
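The timeline above turns on a single operational failure: antivirus detections of Cobalt Strike and Mimikatz sat in monitor mode, and “unhandled threat events” accumulated on at least 16 systems for a week without anyone declaring an incident. The following is an added example, not code from the PwC report, the HSE or any vendor named in the article, showing how a security operations team can triage such alerts automatically. The alert records, the pipe-delimited export format, the tool list and the four-hour threshold are all constructed assumptions for illustration; the point it demonstrates is that a post-exploitation tool that was only monitored, never removed, is an incident regardless of age, and that one the antivirus did delete still warrants investigation because the host was already compromised.

```python
"""Triage endpoint-protection alerts that were detected but never actioned.

Added example; the alert lines, field layout, tool names and thresholds below
are constructed assumptions, not data from the PwC report or the HSE.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List

# Post-exploitation tooling that commonly precedes ransomware deployment.
# Matching is done on a normalised (lower-case, alphanumeric-only) AV label,
# so "Trojan:Win32/CobaltStrike.A" and "HackTool/Cobalt-Strike" both match.
HIGH_RISK_TOOLS = ("cobaltstrike", "mimikatz")

# Constructed AV export: timestamp | host | detection | AV action | analyst closed?
SAMPLE_ALERTS = """\
2021-05-07T09:12:00 | srv-01  | Trojan:Win32/CobaltStrike.A | monitor | no
2021-05-07T09:40:00 | srv-02  | HackTool:Win32/Mimikatz     | monitor | no
2021-05-07T10:05:00 | ws-0042 | Adware.Generic              | monitor | yes
2021-05-11T14:30:00 | srv-07  | Trojan:Win32/CobaltStrike.B | deleted | no
2021-05-12T16:00:00 | ws-0107 | PUA:Win32/Toolbar           | monitor | no
2021-05-13T08:00:00 | srv-03  | HackTool:Win32/Mimikatz     | monitor | no
"""
NOW = datetime(2021, 5, 13, 12, 0, 0)  # assumed time the triage runs


@dataclass
class Alert:
    seen: datetime
    host: str
    detection: str
    action: str    # what the AV did: "monitor", "quarantined", "deleted"
    handled: bool  # whether an analyst has closed the event


@dataclass
class Escalation:
    host: str
    detection: str
    severity: str   # "incident" or "review"
    age_hours: float
    reason: str


def parse_alert(line: str) -> Alert:
    """Parse one pipe-delimited export line (constructed format)."""
    ts, host, detection, action, handled = (f.strip() for f in line.split("|"))
    return Alert(datetime.fromisoformat(ts), host, detection,
                 action.lower(), handled.lower() == "yes")


def is_high_risk(detection: str) -> bool:
    """True if the AV label names known post-exploitation tooling."""
    name = "".join(ch for ch in detection.lower() if ch.isalnum())
    return any(tool in name for tool in HIGH_RISK_TOOLS)


def triage(lines: Iterable[str], now: datetime,
           max_unhandled: timedelta = timedelta(hours=4)) -> List[Escalation]:
    """Decide which open alerts must be escalated, and how urgently.

    - High-risk tool only monitored  -> incident (the tool is still on the host)
    - High-risk tool removed by AV   -> review   (host was compromised anyway)
    - Anything else open too long    -> review   (backlog breach)
    """
    out: List[Escalation] = []
    for line in lines:
        if not line.strip():
            continue
        a = parse_alert(line)
        if a.handled:
            continue  # an analyst already closed this event
        age = (now - a.seen).total_seconds() / 3600
        if is_high_risk(a.detection):
            if a.action == "monitor":
                out.append(Escalation(a.host, a.detection, "incident", age,
                           "post-exploitation tool detected but only monitored; still present"))
            else:
                out.append(Escalation(a.host, a.detection, "review", age,
                           f"tool {a.action} by AV, but its presence means the host was compromised"))
        elif now - a.seen > max_unhandled:
            out.append(Escalation(a.host, a.detection, "review", age,
                       "unhandled beyond threshold"))
    # Incidents first, oldest first within each severity.
    out.sort(key=lambda e: (e.severity != "incident", -e.age_hours))
    return out


def hosts_needing_isolation(escalations: List[Escalation]) -> List[str]:
    """Hosts with an open incident-level detection, for the containment step."""
    return sorted({e.host for e in escalations if e.severity == "incident"})


def summarise(escalations: List[Escalation]) -> dict:
    """Counts per severity plus the age of the oldest open incident, in hours."""
    counts = {"incident": 0, "review": 0}
    for e in escalations:
        counts[e.severity] += 1
    oldest = max((e.age_hours for e in escalations if e.severity == "incident"), default=0.0)
    return {**counts, "oldest_incident_hours": round(oldest, 1)}


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS.splitlines(), NOW)
    for e in result:
        print(f"{e.severity:8} {e.host:8} {e.age_hours:6.1f}h  {e.detection}: {e.reason}")
    print(summarise(result), hosts_needing_isolation(result))
```

Run on the constructed sample, three hosts (srv-01, srv-02, srv-03) come out as incidents because Cobalt Strike or Mimikatz was seen and only monitored, the oldest having been open for almost 147 hours; srv-07 is flagged for review even though the antivirus deleted the file, since the detection itself is evidence of compromise. A team wiring this into an alerting pipeline would page on any non-empty `hosts_needing_isolation` result rather than waiting for a daily report.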