Department of Health hit by cyberattack similar to that on HSE
Gardaí strongly suspect the same criminal gang is involved in both ransomware attacks
The offices of the Department of Health on Lower Baggot Street in Dublin. File photograph: Bryan James Brophy/The Irish Times.
Garda sources said the attack appeared to be financially motivated and, like the HSE attack, appeared to be from a gang using ransomware to encrypt files until a ransom was paid.
Gardaí said the manner of the attack and the infrastructure used in it were being reviewed by the Garda force and also by international policing agencies via Europol.
It is understood the first signs of an attack on the Department’s systems emerged late last week but became more obvious on Saturday, with systems closed as a precaution.
While no new Covid-19 case number data was issued on Saturday evening, it was not immediately clear whether that was linked to the cyberattack on the Department.
Garda sources said it was strongly suspected the same criminal gang involved in the ransomware attack on the HSE was also behind the attack on the Department of Health.
A ransom note purporting to come from the criminal gang behind the cyberattacks on both the HSE and the Department of Health has been published in the US media and threatens the release of detailed patient information unless a ransom of $20 million is paid.
The site where the note has been published, Bleeping Computer, is part of Europol’s NoMoreRansom project, which offers tools to victims of cyber hacking to help them gain control of files they have been locked out of.
Bleeping Computer says it obtained the ransom note from a cyber security researcher*. It claims the attackers have been inside the HSE system for two weeks and have encrypted and downloaded a very significant portion of data relating to the HSE's activities and also about patients.
There has been no confirmation from the Government or the HSE of the size of the ransom demand, which Taoiseach Micheál Martin has said will not be paid.
A spokesperson for the Department of the Environment, Climate and Communications said that the National Cyber Security Centre (NCSC) became aware on Thursday of an attempted cyber attack on the Department of Health.
“The Department of Health has implemented its response plan including the suspension of some functions of its IT system as a precautionary measure.
“This attempted attack remains under investigation, however there are indications that this was a ransomware attack similar to that which has affected the HSE. As the investigations into both incidents are ongoing, it is not possible to make further comment on the nature of these attacks at this time.
“The NCSC has issued an advisory notice to other Government Departments and agencies in relation to this attempted cyber attack. The NCSC is in ongoing contact with the OGCIO and our Government stakeholders to provide appropriate advice and guidance.”
In a report late on Sunday night, the NCSC said the cyber-attacks “are believed to be part of the same campaign” targeting the State’s health sector. The centre is monitoring other networks to address the risk of further attacks.
“There are serious impacts to health operations and some non-emergency procedures are being postponed as hospitals implement their business continuity plans,” it said.
Although the coronavirus vaccination programme was not affected by the attacks, the centre said the HSE has curbed network connectivity with other healthcare providers as a precautionary measure.
Malicious activity was detected on the Department of Health’s network early on Friday morning, but an attempt to execute ransomware was “detected and stopped” due to anti-virus software and the deployment of anti-attack tools early in the investigation process.
The NCSC had been made aware on Thursday afternoon of potential suspicious activity on the Department’s network. “Preliminary investigations indicated suspected presence of Cobalt Strike Beacon, which is a remote access tool,” it said.
“Cobalt Strike is often used by malicious actors in order to move laterally within an environment prior to execution of a ransomware payload.”
At about 7am on Friday morning, the centre was made aware of a “significant incident” affecting HSE systems.
“Initial reports indicated a human-operated ‘Conti’ ransomware attack that had severely disabled a number of systems and necessitated the shutdown of the majority of other HSE systems.
“The HSE took the decision to shut down all of its IT systems as a precaution in order to assess and limit the impact.”
The NCSC said it had circulated advice to constituent organisations after further analysis of the cyber attack.
Former army intelligence officer and security consultant Adrian Jacobs had warned on Saturday that the Republic could be facing a “wave” of cyberattacks from the same criminal gang.
He said such attacks tend to come in waves because the technology that works against one IT system, in this case the HSE’s, often also works against systems used by other bodies or organisations in the same country.
Minister for Foreign Affairs Simon Coveney said the HSE has set up a “war room” to handle the cyberattack across its IT system.
Speaking on RTÉ’s The Week in Politics programme, he said: “We are taking all the international advice we can.”
Pressed about whether the State would pay a ransom, Mr Coveney said there are real consequences to being willing to pay ransoms to criminals.
He said, “Let’s wait and see how that’s managed,” adding that there are a lot of “very smart people” both from the public and private sectors working with a Government team to try to protect private information.
Mr Coveney said his understanding is that “we’re not speaking to criminals, but [we are] speaking to many people who are used to dealing with criminals, in these kinds of situations”.
In reply to queries, Garda Headquarters in Phoenix Park, Dublin, said: “In this matter the NCSC is the lead agency. An Garda Síochána is liaising with the Department of Health and the NCSC. An Garda Síochána is not making any further comment at this time.”
The Department of Health said in a statement that it “can confirm that late last week it was subject to a ransomware attack similar to the attack on the HSE. Since Thursday we have been working to respond to this incident.
“We continue to work closely with all relevant authorities, including the National Cyber Security Centre, Garda Síochána and the HSE. We continue to assess the impact across all our systems and our focus is on protecting our data.”
On Friday, Minister of State at the Department of Public Expenditure and Reform Ossian Smyth said the office of the Government chief information officer had identified issues at the Department of Health.
He said there may also have been a “serious breach” and that Department systems would be examined over the weekend alongside the HSE systems to assess the extent of any damage done.
Meanwhile, the HSE’s chief operations officer has said the biggest risk the HSE is facing at present as a result of the cyberattack is that its core patient management system and core radiology system are both out of action.
Anne O’Connor said on Sunday that radiology services had been particularly badly hit across the country and that the radiation oncology system for patients with cancer has been compromised across the board.
Speaking on Newstalk’s On the Record with Gavan Reilly, she said in some cases hospitals have reverted to paper-based, manual systems.
Minister of State Jack Chambers said the Commission on the Future of the Defence Forces was considering cyber security, after Independent TD Cathal Berry told RTÉ’s The Week in Politics that the State did not have the capacity to strike back at the criminals behind the cyberattack because the NCSC has no dedicated premises and limited staff.
Mr Chambers said the HSE was working with the Garda, Defence Forces, NCSC and international experts on the cyberattack, and insisted “we won’t be paying a ransom”. He would not comment on the amount being sought.
Mr Chambers said “the State has to strengthen cyber security” for both State and private organisations, adding that the current attacks “will go into next week, at least”.
*This article was amended on May 17th 2021