An Irish ‘white hat’ hacker working in the Middle East as a senior cyber security consultant says the attack by Russian criminals on the HSE is a sign of things to come as gangs become more powerful on the darknet.

Robert Feeney, who legally breaks into systems to tell companies where their weaknesses lie, says the Wizard Spider group that carried out the attack will feel very safe despite the FBI and Europol trying to track them down.

He also says the group is likely to have been watching the HSE and its employees for months before disrupting the system.

“These attacks are so sophisticated and deliberate, it is very unlikely that they did not know exactly who they were targeting.

“These groups spend months profiling and making discoveries using information available to the public, and each effort is usually designed specifically for the target organization.

“Some of these threat actors are state-sponsored and some are criminal gangs that get a free licence, as it were, from the countries in which they operate, which do not hand them over,” he says.

“Even if they are identified, which is unlikely, you are looking at having to go to Russia to get these people and bring them to justice.”

He says it is likely that up to 20 cybercriminals working for the 80-member Wizard Spider gang could have been hiding inside the HSE system for months while planning the attack, which has left the country struggling to deliver health care services, including cancer treatments, support and guidance.

Cyber security expert Robert Feeney has warned of future attacks

This week, Health Minister Stephen Donnelly confirmed that data had been leaked to the darknet and that the ransomware attack was ‘widespread’.

“When something like this happens you can be sure it was an extremely targeted operation. You can be sure they used social media sites to find out who was working there and things like that,” says Rob.

“There is a lot of information publicly available, called open-source information, that would have been useful.

“One of the things that has been made available to the public was that the HSE was using 46,000 computers running end-of-life software. This piece of information, for example, may have been used by someone with malicious intent, and they could have decided to create a piece of malware that exploited it,” he adds.

“The HSE is currently in a state of disarray and its core services are being negatively affected. Simply put, ransomware is a type of computer virus that has infected HSE computers, encrypted files and locked the owners out of the systems so that they cannot use them.

“Then finally, to add insult to injury, the group behind the ransomware is demanding a large sum to decrypt the files and return control of the systems to the administrators.

“When something like what is currently happening with the HSE happens, you can be sure that the information has been stolen as a bargaining chip.

“It is extremely possible that this ransomware lived on the HSE network for several weeks, maybe even months before it turned on and then suddenly shut down the systems. During this time, it would have discovered and collected information on the HSE network.

“At the moment there is a team working – a kind of cyber version of detectives. These people specialise in digital forensics and respond to events like this. As part of their job, it is their responsibility to uncover these events, conduct an analysis, do a triage, restore the systems and clean up the mess.

“But the most important thing is to make sure that the malware is contained.

“So they have to decide right away, with really limited information, in a rapidly changing environment, the magnitude of the attack and the best course of action to get it under control.

Minister of Health Stephen Donnelly.

“In the case of HSE, this means minimizing medical data leaks and stopping other systems from being attacked and compromised.

“What you are seeing now with interruptions, rescheduled appointments and a lack of digital images, which particularly affects radiology and ICU departments, is the result of systems that have been directly compromised by attackers or of precautionary measures taken by ‘blue team’ defenders to contain the damage and minimise its impact.”

Rob, who began his career in Dublin, works in the field of risk assessment in what is known as the ‘Red Team’ – the practice of actively attacking an organization, with their permission.

“Red teams are ‘white hat’ hackers who have been hired by a company to try to find security flaws and gaps in a certain system, and you do this in order to find them before someone with malicious goals does. Red teams are people who use their skills for good.

“But then of course, the other side of this is that there are people out there who have these skills and use them badly. They are nation states, cyber gangs, cyber thieves and they are known as black hat hackers.”

Wizard Spider has been actively pursued by the FBI and Europol for several years.

They are based in St. Petersburg and use three major pieces of malware – one that attacks banking applications to steal credentials and two other viruses known as Ryuk and Conti. Conti is the one suspected of having been used in the HSE attack, and Rob does not believe the authorities will catch up with them.

“I am usually a very optimistic person, but I think in this case it will be extremely difficult. The geopolitical climate is a difficult terrain to navigate at the best of times. No one knows what is going on behind the scenes.

“In many cases they operate abroad or reside within states that are not on good terms with their victim nations, or they reside in states where there are no extradition treaties. This means that there may be a serious lack of accountability. Having said that, I have no doubt that the various law enforcement agencies will do their best to bring the gang to justice eventually,” he says.

“Some of the members may not know they are working for a criminal gang. These chains of attacks have been going on for at least months.

“A person can be brought on board for a certain stage in the life cycle or deal with a specific technical problem and leave after that problem is resolved. It can be an individual in charge of sending a reliable phishing email and another in charge of dealing with the reward.

“They can all work in isolation without knowing the true purpose of their work, but for this to work, there would have to be some key core members pulling the wires.

“The cyber security industry itself is still very young and has largely been a cyber arms race, pitting black hat hackers against private companies and governments. Those with the ability to stay in the race will survive and others will not. These attacks are highly advanced and extremely well funded.

A group known as ‘DarkSide’ has earned about $90 million from their online ransomware activities.

“The cyber world is becoming more and more a part of the real world. We have IoT devices like Alexa, home alarm systems whose cameras we can look through, and we can start our cars with applications on our phones. This is very convenient for the humans who use it, and ripe for attackers to take advantage of.

“Cyber attacks have increased dramatically in 2020 and 2021 and this is partly due to the Covid situation and lockdown procedures.

“The consequence of this has been that it gave threat actors more opportunities to focus more time on these malicious activities, but it also forced organisations that were poorly prepared to move online and work remotely very quickly. It’s just the perfect storm.”

