In the cyber attack on the Irish health system, the attackers also targeted the Ministry of Health. Although the IT systems of the ministry were shut down as a precaution, the attack there was discovered in good time. Meanwhile, the perpetrators are threatening to disclose patient data stolen in the attack on the HSE health service if the Irish government refuses to pay a ransom.
The attack on the HSE health administration was discovered in the early hours of last Friday. According to what is known so far, the perpetrators were able to install the Conti ransomware on computers in various HSE systems. After the attack was discovered on numerous computers, the HSE immediately shut down all systems. It is not yet known how many systems Conti actually encrypted.
Cobalt Strike Beacons
The day before, IT experts had discovered suspicious activity on the Ministry of Health’s network. The Irish National Cyber Security Center (NCSC) announced that traces of Cobalt Strike Beacons were discovered in the Ministry’s systems on Thursday afternoon. Together with external experts, an investigation was immediately initiated and further security measures were taken.
Cobalt Strike is a software suite that is marketed for the simulation of attacks and for penetration tests. However, it is also used by real attackers, who use it to gain and maintain access to systems. The memory-resident Beacon serves as a comprehensive remote access tool with which attackers can move through a network and download additional malware.
When the ransomware was triggered at the HSE early on Friday morning, it was apparently meant to be triggered on the Ministry of Health’s network at the same time. According to the NCSC, the virus protection that was already installed and the measures taken by the team of experts as part of their investigation prevented the attackers from triggering their ransomware there. As a precautionary measure, the ministry’s IT was shut down anyway, the ministry confirmed. Backups are currently being restored.
According to the authorities’ knowledge so far, both attacks carried out with the “Conti” ransomware bear the signature of the Russian group “Wizard Spider”. According to as yet unconfirmed chat logs circulating on the Internet, the blackmailers are demanding a ransom of US $20 million. The perpetrators are also said to have presented some of the files they captured as evidence.
Which zero day?
It remains to be seen which vulnerability the attackers exploited. The attack was carried out via a “zero-day gap with a brand new variant of the Ransomware Conti”, confirmed HSE operations manager Anne O’Connor, but she did not provide any further details.
Citing a chat, the business news agency Bloomberg reports that the attackers threatened to publish stolen patient data next Monday if HSE does not pay. But the Irish government has so far officially refused to pay a ransom or negotiate with the perpetrators. In the meantime, however, some Irish parliamentarians are in favor of paying the ransom in order to prevent further damage to the population.
Numerous hospitals and diagnostic systems are affected by the attacks. The HSE had to shut down around 85,000 computers and 2,000 different systems. Appointments have been missed, particularly in radiology and in the care of children and pregnant women. Hospitals that are not directly connected to the HSE systems are less affected. According to official information, the Irish Covid-19 vaccination campaign is not restricted.