Irish health service missed several chances to stop devastating ransomware attack

Service has 'a very low level of cybersecurity maturity' finds PwC

The Irish Health Executive missed several signs that an attacker was present on its network prior to the execution of Conti malware in May, a post-mortem review by consultancy PwC says.

The attack had a major impact on all local and national systems involved in core health services and took months to return to normal.

The Post Incident Review, commissioned by the board of the Health Service Executive (HSE), the Chief Executive Office and Executive Management Team, found signs that the attackers were on the health service's networks at least two months before it was hit by Conti ransomware on May 14th.

The initial breach occurred on March 18th, when an employee opened a malware-laced Excel document attached to a phishing email.

Having gained access, the attackers then put in place measures to ensure continuous access to the workstation, even if the device was rebooted.

Later they compromised a number of admin accounts, gaining access to servers and "exfiltrating data and moving laterally to statutory and voluntary hospitals," the report says.

The first sign the hackers were detected on the network was on March 31st when Cobalt Strike and Mimikatz post-exploitation tools were spotted on the compromised device, but the anti-malware software was set to monitor mode and no action was taken.

On May 7th, the post-mortem found that the attackers had installed more offensive software on the compromised workstation, and were using privileged accounts to move around the network and perform reconnaissance activities. Two hospitals were compromised the following day.

On May 10th, more systems in two further hospitals were breached. In one (the hospital in which the original 'Patient Zero' workstation was located), Cobalt Strike was detected, but again the anti-malware systems failed to deal with it.

The next day, numerous attempts to log onto systems in another hospital were observed, and this time the systems detected and deleted malware on several systems.

The attackers then moved on to an additional hospital, with records showing them "browsing folders, opening files, creating archives and accessing or attempting to access file sharing websites on systems" in three separate hospitals. The intrusion was spotted and system scans were carried out.

On May 13th the HSE was compromised, with the attacker again browsing folders and copying files. At this stage, the HSE's third-party security provider emailed the organisation's security team to say there had been "unhandled threat events since 7 May 2021 on at
least 16 systems". The HSE team requested that servers be restarted.

However, the attackers were already embedded in the system.

The next day, May 14th, the attacker executed Conti ransomware within the HSE and six hospitals. HSE management reported that 80 per cent of its environment across corporate IT services, hospitals and community healthcare organisations was affected and that electronic health records were encrypted. It ordered many systems to be shut down, resulting in numerous appointment cancellations and massive disruption to many services.

The attackers sent a ransom demand for $20 million in cryptocurrency, although they later relented and supplied a decryption key. Even so, it took four months for all the servers to be decrypted with the key and for all applications to be fully restored. Many operations had to be cancelled at the height of the pandemic, and the overall cost was estimated in June as to be in the region of €700 million.

Concluding that the Irish health service has "a very low level of cybersecurity maturity", PwC has recommended a complete overhaul of cyber security provisions which it says tend to fall between many stools. Noting that The HSE's IT security policy was written in 2013 and last updated in 2014, it says it "does not reflect the controls and capabilities required to manage cyber risk in 2021".

"The cyber attack was not detected prior to the ransomware execution, protective controls and technologies were not robust enough to prevent the spread of the ransomware. Furthermore, the response and recovery was based on ad hoc structures, including processes to identify and prioritise applications and systems to be recovered," the consultancy states.

PwC acknowledges that putting the system right will need "considerable resources and sustained investment", requiring new management structures and an infrastructure overhaul. While they are not implicated in the attack, it notes the presence of 30,000 outdated Windows 7 workstations, which are an indicator of the amount of hard-to-defend legacy technology present within the system.

This picture is far from being confined to the Irish health service, and with current financial and medical pressures dues to the pandemic, it can be assumed that the sector will continue to be an easy target for cyber criminals for years to come.