The attack has been attributed to Wizard Spider, a Russian criminal group based in the St. Petersburg area. This group of 80 hackers is believed responsible for the attack earlier this year on FatFace, the UK retailer which is reported as having paid a ransom of £1.45m. The Minister with responsibility for eGovernment has described it as “possibly the most significant cybercrime attack on the Irish State” and the Taoiseach (head of government) has repeatedly stated that the State will not pay a ransom.
It appears likely that the attack may have emanated from a phishing campaign exploiting the current stresses on healthcare workers and the Covid remote working structures in place across circa 80,000 HSE devices. Emergency departments and urgent care centers remain operational, as do many hospital services; however, delays are accumulating.
In addition to patient files, the data stolen also includes HSE internal files, reportedly including files on equipment purchase and minutes of meetings. Contractors to the HSE may be impacted and their commercial arrangements potentially at risk of disclosure. So far, the Financial Times has claimed it has seen screenshots of 27 HSE files released on the dark web in recent days. The media attention has, to date, been on the human side (the 27 files disclosed so far include 12 patient files) more so than on the potential for commercial disclosures. The issue is an evolving one as the hackers seek to put pressure on the Irish government's position of not paying a ransom. They are now believed to have issued a deadline on May 24 for payment of the ransom.
Information for HSE suppliers and contractors
The HSE have included the following information for suppliers in their overall health service disruption notice (available here):
“The HSE is experiencing difficulty with the communication of Purchase Orders to all Suppliers and Contractors due to the recent cyber-attack on HSE systems. An interim approach to support the processing of Purchase Orders is presently underway and updates in this regard will be posted here as available. The continued understanding and support of all Suppliers and Contractors is greatly appreciated during these unprecedented times.”
The National Cyber Security Centre, which is currently involved in the investigation and management of the incident, has issued an alert stating it is monitoring other networks to address the risk of further attacks (available here). It also sets out a useful, short and snappy set of measures to be taken in the event of an attack.