HSE cyberattackers tough to identify and even harder to catch

Strike highlights murky world where organised crime and state interests may merge

Ransomware attackers such as those who targeted the Health Service Executive, often based in Russia and elsewhere in eastern Europe, are highly skilled, extremely difficult to identify and even harder to catch.

For now, cybersecurity experts say the Health Service Executive attack resembles those previously linked to a Russian group known as Wizard Spider, which has helped other criminal gangs in return for a share of ransoms paid.

"They rent out their services too, and will take a profit of proceeds," said James Sullivan, director of cyberresearch at the Royal United Services Institute (Rusi) in London.

“This type of breach is by professional cybercrime gangs. They will work nine-to-five like people in regular jobs, and they have roles and responsibilities much like you would have in a regular business: team leader, network administrators, coders, data miners and money specialists, because they have to launder money,” he told The Irish Times.

Warning that attacks were “spiralling out of control”, Rusi last month said cybersecurity firms had noted a surge in the number launched on healthcare globally during the pandemic.

As has happened in Ireland, they carry out so-called "double extortion" attacks – both encrypting data to make it inaccessible and stealing it, so it can be made public unless a ransom is paid.

These are just the latest malign weapons to be deployed by gangs in eastern Europe, which has a strong tradition of mathematics and computer engineering, and now has a generation of skilled coders and hackers for hire.

Illegal online activity against western targets can be perilous in EU and Nato members like Romania and Bulgaria, but it is less risky in non-aligned countries like Ukraine and Moldova.

In Russia, meanwhile, where the security services use hacking as a weapon or simply ignore it as long as Moscow’s interests are not harmed, the gangs are safe as long as they do not threaten local interests.

“They are acting with impunity, operating in hard-to-reach jurisdictions. It’s extremely hard for western law enforcement to make arrests,” said Sullivan.

“There is also a blurred line between organised-crime activity and state-sponsored cybercrime. The understanding is pretty clear that if you are operating in Russia, as long as you don’t launch attacks on your own government and citizens, then other countries are fair game.”

Hacking institutions

Russian security expert Andrei Soldatov says the Kremlin halted all meaningful cyber co-operation with the West after it was accused of hacking and manipulating social media to sway the 2016 US presidential election.

“The Kremlin got very paranoid about possible leaks, so they decided to shut all doors of co-operation between the West and the Russian cybercommunity. They simply jailed the main contact persons,” he said.

“So if the Irish authorities decided to approach the Russians to ask them to share some information, it would get nowhere because everyone on the Moscow side is afraid even to talk to the Irish.”

The prospect of hacking institutions in the West finds fertile ground in Russia, explained Soldatov, since the Soviet collapse robbed the country’s vast cohort of engineers of jobs and status, fuelling resentment that still lingers today.

“Their children became skilful and cynical and they had this grudge against the West. Now you have several generations that have been doing the same, but it all started in the late 1990s with the creation of some of the biggest Russian hacking networks,” he said.

“There is also a mythology growing up around it. If you are based in Russia but doing something abroad, there is a sense of impunity. It’s much easier and safer to attack something in the West than in Moscow. This combination of elements gives you this enormous amount of [hacking] talent.”

The attacks last week on the HSE and on Colonial Pipeline in the US (where a ransom is believed to have been paid) are piling pressure on governments to act, since other institutions will fall to attack if left unchallenged.

“We have to take a look at what governments and businesses can do better. Urgent action needs to be taken to reduce the impact of this threat,” Sullivan said.

International policymakers would take more notice in the wake of attacks on healthcare “particularly during a pandemic”, he added. “This is a national security threat. We’re losing the battle at the moment – the criminals are winning.”