Editing Ireland’s Health Service Executive ransomware attack (2021)


The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
 
{| class="wikitable"
 
{| class="wikitable"
 
! scope="row"|Date
 
! scope="row"|Date
| On 13 May 2021, Ireland’s National Cyber Security Centre (NCSC) was made aware of potential suspicious activity on the Department of Health (DoH) network<ref name=":0">National Cyber Security Centre, “[https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf Ransomware Attack on Health Sector - UPDATE 2021-05-16]”, 16 May 2021.</ref> and in the morning of 14 May 2021 an attempt to run ransomware was reportedly prevented, with DoH IT systems shut down as a precaution.<ref>C. Lally, J. Horgan-Jones, A. Beesley, “[https://www.irishtimes.com/news/health/department-of-health-hit-by-cyberattack-similar-to-that-on-hse-1.4566541 Department of Health hit by cyberattack similar to that on HSE]”, 17 May 2021, ''The Irish Times''.</ref>
+
| 14 May 2021 (The Health Service Executive was alerted to the attack at 4am).<ref>“[https://www.rte.ie/news/health/2021/0514/1221537-hse-cyber-attack/ What we know so far about the HSE cyber attack]”, 15 May 2021, ''RTÉ''.</ref> Unknown to anyone the hackers had already been in the IT systems for at least a week before they were discovered.<ref>P Reynolds, “[https://www.rte.ie/news/analysis-and-comment/2021/0523/1223337-cyber-attack-hse/ The anatomy of the health service cyber attack]”, 23 May 2021, ''RTÉ''.</ref>
At 4 a.m. on 14 May 2021, Ireland’s Health Service Executive was alerted to a separate cyber incident.<ref>“[https://www.rte.ie/news/health/2021/0514/1221537-hse-cyber-attack/ What we know so far about the HSE cyber attack]”, 15 May 2021, ''RTÉ''.</ref> It was later reported that the hackers had already been in the IT systems for at least a week before they were discovered.<ref>P Reynolds, “[https://www.rte.ie/news/analysis-and-comment/2021/0523/1223337-cyber-attack-hse/ The anatomy of the health service cyber attack]”, 23 May 2021, ''RTÉ''.</ref>
+
One day earlier (13 May 2021), the National Cyber Security Centre (NCSC) was made aware of potential suspicious activity on the Ireland’s Department of Health (DoH) network<ref name=":0">National Cyber Security Centre, “[https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf Ransomware Attack on Health Sector - UPDATE 2021-05-16]”, 16 May 2021.</ref> and in the morning of 14 May 2021 an attempt to run ransomware was prevented, with DoH IT systems shut down as a precaution.<ref>C. Lally, J. Horgan-Jones, A. Beesley, “[https://www.irishtimes.com/news/health/department-of-health-hit-by-cyberattack-similar-to-that-on-hse-1.4566541 Department of Health hit by cyberattack similar to that on HSE]”, 17 May 2021, ''The Irish Times''.</ref>
  +
  +
The same cybercrime group is believed to be behind both incidents thanks to a similar digital note left at the DoH and the Health Service Executive systems.<ref>P Reynolds, “[https://www.rte.ie/news/ireland/2021/0516/1221933-dept-of-health/ 'No sense' other agencies affected by attack - Ryan]”, 17 May 2021, ''RTÉ''.</ref>
 
|-
 
|-
 
! scope="row"|Suspected actor
 
! scope="row"|Suspected actor
|The same cybercrime group is believed to be behind both incidents given that a similar digital note was left on the DoH and the Health Service Executive systems.<ref>P Reynolds, “[https://www.rte.ie/news/ireland/2021/0516/1221933-dept-of-health/ 'No sense' other agencies affected by attack - Ryan]”, 17 May 2021, ''RTÉ''.</ref> The group responsible was identified as a criminal gang known as Wizard Spider, believed to be operating from Saint Petersburg, Russia.<ref>P Reynolds,“[https://www.rte.ie/news/crime/2021/0518/1222349-ransomware-crime-group/ 'Wizard Spider': Who are they and how do they operate?]”, 19 May 2021, ''RTÉ''.</ref>
+
|The group responsible was identified as a criminal gang known as Wizard Spider, believed to be operating from Saint Petersburg, Russia.<ref>P Reynolds,“[https://www.rte.ie/news/crime/2021/0518/1222349-ransomware-crime-group/ 'Wizard Spider': Who are they and how do they operate?]”, 19 May 2021, ''RTÉ''.</ref>
 
|-
 
|-
 
! scope="row"|Target
 
! scope="row"|Target
|The Health Service Executive (HSE) – the publicly funded healthcare system in the Republic of Ireland, responsible for the provision of Ireland’s public health services in hospitals and communities across the country.<ref>“[https://www.hse.ie/eng/about/ Who We Are, What We Do]”, ''HSE.ie''.</ref> The attack has impacted all of the HSE’s national and local systems, which are involved in all core services.<ref>“[https://www.rte.ie/news/health/2021/0514/1221537-hse-cyber-attack/ What we know so far about the HSE cyber attack]”, 15 May 2021, ''RTÉ''.</ref>
+
|The Health Service Executive (HSE) – the publicly funded healthcare system in the Republic of Ireland, responsible for the provision of all Ireland's public health services in hospitals and communities across the country.<ref>“[https://www.hse.ie/eng/about/ Who We Are, What We Do]”, ''HSE.ie''.</ref> The attack has impacted all of the HSE national and local systems, which are involved in all core services.<ref>“[https://www.rte.ie/news/health/2021/0514/1221537-hse-cyber-attack/ What we know so far about the HSE cyber attack]”, 15 May 2021, ''RTÉ''.</ref>
 
|-
 
|-
 
! scope="row"|Target systems
 
! scope="row"|Target systems
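Review bot: In the Date row, the paragraph beginning "One day earlier (13 May 2021)" states that the attempt to run ransomware "was prevented", while the other side reads "was reportedly prevented"; the claim rests on a press citation, so the hedge should stay. The same point applies to "Unknown to anyone the hackers had already been in the IT systems" against "It was later reported that", where the attributed wording matches what the RTÉ citation can support. That paragraph also reads "on the Ireland’s Department of Health (DoH) network", which needs the stray "the" removed.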
Line 14: Line 16:
 
|-
 
|-
 
! scope="row"|Method
 
! scope="row"|Method
|A remote access tool known as Cobalt Strike Beacon was detected on the infected systems, suggesting that it was used to move laterally within the environment prior to executing the Conti ransomware payload.<ref name=":0" /> The attack started when a single computer stopped working, causing its user (an HSE worker) to reach out for help by clicking on an infected link.<ref>N O'Connor, “[https://www.thejournal.ie/hse-cyber-attack-ransonware-started-5443370-May2021/ HSE ransomware attack began on a single computer when an employee clicked on a link]”, 20 May 2021, ''TheJournal.ie''.</ref>
+
|Cobalt Strike Beacon was detected on infected systems, suggesting that it was used to move laterally within the environment prior to executing the Conti ransomware payload.<ref name=":0" /> The attack started when a single computer stopped working, causing its user (HSE worker) to reach out for help by clicking on an infected link.<ref>N O'Connor, “[https://www.thejournal.ie/hse-cyber-attack-ransonware-started-5443370-May2021/ HSE ransomware attack began on a single computer when an employee clicked on a link]”, 20 May 2021, ''TheJournal.ie''.</ref>
 
|-
 
|-
 
! scope="row"|Purpose
 
! scope="row"|Purpose
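Review bot: In the Method row, the line after the "+" marker opens with "Cobalt Strike Beacon was detected on infected systems" and drops the gloss "A remote access tool known as" that the other side carries; keep the gloss so a reader unfamiliar with the tool can follow why its presence suggests lateral movement before the Conti payload ran. The same line has "(HSE worker)" where the other side has "(an HSE worker)".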
Line 20: Line 22:
 
|-
 
|-
 
! scope="row"|Result
 
! scope="row"|Result
|The attack disrupted services at several Irish hospitals. It resulted in a near complete shutdown of the HSE’s national and local networks, forcing the cancellation of many outpatient clinics and healthcare services.<ref>“[https://www.bbc.com/news/world-europe-57126601 Covid-19 jabs to go ahead in Ireland despite cyber attack]”, 15 May 2021, ''BBC News''.</ref> The number of appointments in some affected areas dropped by up to 80%.<ref name=":1" />
+
|The cyberattack on the HSE has been described as the most significant in Ireland‘s history.<ref>“[https://www.bbc.com/news/world-europe-57134916 Cyber-crime: Irish health system targeted twice by hackers]”, 16 May 2021, ''BBC News''.</ref> The HSE took the decision to shut down all of its IT systems as a precaution in order to assess and limit the impact.<ref name=":0" />
  +
The attack disrupted services at several Irish hospitals. It resulted in a near complete shutdown of the HSE's national and local network, forcing the cancellation of many outpatient clinics and healthcare services.<ref>“[https://www.bbc.com/news/world-europe-57126601 Covid-19 jabs to go ahead in Ireland despite cyber attack]”, 15 May 2021, ''BBC News''.</ref> The number of appointments in some areas of the system has dropped by 80%.<ref name=":1" />
   
HSE workers had to continue with paper records<ref name=":1" /> and they were unable to access e-mail.<ref>“[https://www2.hse.ie/health-service-disruptions/ Health service disruptions]”, ''HSE.ie''.</ref> However, hospital emergency departments remained open, the national vaccination programme against Covid-19 was not affected and the testing system also remained fully capable and operational.<ref>A Cox, “[https://www.rte.ie/news/coronavirus/2021/0516/1221884-appointments-hse-cyber/ HSE disruption will 'go well into this coming week' - Henry]”, 16 May 2021, ''RTÉ''.</ref>
+
HSE workers had to continue with paper records<ref name=":1" /> and they were unable to access email.<ref>“[https://www2.hse.ie/health-service-disruptions/ Health service disruptions]”, ''HSE.ie''.</ref> However, hospital emergency departments remained open, the national vaccination programme against covid-19 was not affected and the testing system was also fully capable and continuing.<ref>A Cox, “[https://www.rte.ie/news/coronavirus/2021/0516/1221884-appointments-hse-cyber/ HSE disruption will 'go well into this coming week' - Henry]”, 16 May 2021, ''RTÉ''.</ref>
   
 
Personal and medical information of patients and HSE staff was accessed in the attack, with a small amount of data (including sensitive information of 520 patients) shared on the dark web.<ref>“[https://www2.hse.ie/services/cyber-attack/if-you-are-affected-by-a-data-breach.html 2. If you are affected by a data breach]”, ''HSE.ie''.</ref><ref>G Lee, “[https://www.rte.ie/news/2021/0528/1224527-cyber-attack-hse/ HSE says stolen sensitive data of 520 patients on dark web”], 28 May 2021, ''RTÉ''.</ref>
 
Personal and medical information of patients and HSE staff was accessed in the attack, with a small amount of data (including sensitive information of 520 patients) shared on the dark web.<ref>“[https://www2.hse.ie/services/cyber-attack/if-you-are-affected-by-a-data-breach.html 2. If you are affected by a data breach]”, ''HSE.ie''.</ref><ref>G Lee, “[https://www.rte.ie/news/2021/0528/1224527-cyber-attack-hse/ HSE says stolen sensitive data of 520 patients on dark web”], 28 May 2021, ''RTÉ''.</ref>
 
|-
 
|-
 
! scope="row"|Aftermath
 
! scope="row"|Aftermath
 
|On 20 May 2021, the HSE has secured a High Court order preventing the hackers (or any individual or business) from sharing, processing, or selling the information stolen during the attack. The court injunction also applies to social media platforms such as Twitter, Google, and Facebook and therefore limits the hackers' scope for disseminating the stolen data.<ref name=":1" /> On the same day, it was reported that the hackers provided a decryption key that could enable the HSE to recover their IT systems and the files that hackers locked and encrypted.<ref>P Reynolds, “[https://www.rte.ie/news/2021/0520/1222857-hse-weekly-briefing/ State did not pay ransom for decryption key - Donnelly]”, 20 May 2021, ''RTÉ''.</ref>
|The cyberattack on the HSE has been described as the most significant in Ireland‘s history.<ref>“[https://www.bbc.com/news/world-europe-57134916 Cyber-crime: Irish health system targeted twice by hackers]”, 16 May 2021, ''BBC News''.</ref>
 
 
In reaction to the attack, the HSE will establish a cyber security operations centre to monitor the HSE network, and a full procurement process for the facility will be also getting under way.<ref name=":2">T Meskill, “[https://www.rte.ie/news/politics/2021/0622/1230770-hse-oireachtas-committee/ Three quarters of HSE IT servers decrypted]”, 23 June 2021, ''RTÉ''.</ref>
On 20 May 2021, the HSE secured a High Court order preventing the hackers (or any individual or business) from sharing, processing, or selling the information stolen during the attack. The court injunction also applies to social media platforms such as Twitter, Google, and Facebook and therefore limits the hackers’ scope for disseminating the stolen data.<ref name=":1" />
 
   
On the same day, it was reported that the hackers provided a decryption key that could enable the HSE to recover their IT systems and the files that hackers locked and encrypted.<ref>P Reynolds, “[https://www.rte.ie/news/2021/0520/1222857-hse-weekly-briefing/ State did not pay ransom for decryption key - Donnelly]”, 20 May 2021, ''RTÉ''.</ref>
+
On 23 June 2021, it was confirmed that at least three quarters of the HSE's IT servers had been decrypted and 70 % of computer devices were back in use.<ref name=":2" /> However, it is estimated that it may take 6 months for the HSE systems to fully recover.<ref>B Hutton, J Bray, “[https://www.irishtimes.com/news/health/hse-may-be-impacted-for-six-months-by-cyberattack-says-reid-1.4594901 HSE may be impacted for six months by cyberattack, says Reid]”, 16 June 2021, ''The Irish Times''.</ref>
 
In reaction to the attack, the HSE announced it would establish a cyber security operations centre to monitor its networks, and implement a full procurement process for the facility.<ref name=":2">T Meskill, “[https://www.rte.ie/news/politics/2021/0622/1230770-hse-oireachtas-committee/ Three quarters of HSE IT servers decrypted]”, 23 June 2021, ''RTÉ''.</ref>
 
 
On 23 June 2021, it was confirmed that at least three quarters of the HSE’s IT servers had been decrypted and 70% of computer devices were back in use.<ref name=":2" /> However, it was estimated that it could take up to six months for the HSE systems to fully recover.<ref>B Hutton, J Bray, “[https://www.irishtimes.com/news/health/hse-may-be-impacted-for-six-months-by-cyberattack-says-reid-1.4594901 HSE may be impacted for six months by cyberattack, says Reid]”, 16 June 2021, ''The Irish Times''.</ref>
 
 
|-
 
|-
 
! scope="row"|Analysed in
 
! scope="row"|Analysed in
 
|[[Scenario 14: Ransomware campaign]]
 
|[[Scenario 14: Ransomware campaign]]
  +
 
[[Scenario 20: Cyber operations against medical facilities]]
 
[[Scenario 20: Cyber operations against medical facilities]]
  +
 
|}
 
|}
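Review bot: In the Result row the two sides disagree on a figure: one reads "dropped by up to 80%" for "some affected areas", the other "has dropped by 80%" for "some areas of the system"; check which wording the source cited as ":1" supports and keep the hedged form if it gives an upper bound. In the Aftermath row, the side with "70 %" and "it is estimated that it may take 6 months" uses present tense for a dated estimate, so the past-tense wording ("it was estimated that it could take up to six months") fits an incident record better.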
   