| 11.5°C Dublin

web of fear 'White hat' hacker says cyber gang were likely stalking HSE for months and warns there's more to come


The FBI and Europol are trying to track down Wizard Spider

The FBI and Europol are trying to track down Wizard Spider

The FBI and Europol are trying to track down Wizard Spider

An Irish 'white hat' hacker working in the Middle East as a senior cyber security consultant says the attack on the HSE by Russian criminals is a sign of things to come as gangs become more powerful on the dark net.

Robert Feeney, who legitimately hacks systems to show companies where their weaknesses lie, says the Wizard Spider group who conducted the attack will be feeling very confident despite the FBI and Europol trying to track them down.

He also says the group was likely stalking the HSE and its employees for months before they took down the system.

"These attacks are so sophisticated and deliberate, it's extremely unlikely they didn't know exactly who they were targeting.

"These groups spend months profiling and doing reconnaissance using publicly available information, and any attempt is usually crafted specifically for the target organisation.

"Some of these threat actors are State sponsored and some are criminal gangs who get a free pass as such from the countries they operate in once they don't turn on them," he says.

He says the Wizard Spider gang could have been lurking on the HSE system for months as they planned the takedown, which has left the country struggling to get healthcare services, including cancer treatments, back up and running.

This week, Minister for Health Stephen Donnelly confirmed that data has leaked on to the darknet and that the ransomware attack was 'extensive.'


Cyber security expert Robert Feeney has warned of future attacks

Cyber security expert Robert Feeney has warned of future attacks

Cyber security expert Robert Feeney has warned of future attacks

"When something like this happens you can be sure it was an extremely targeted operation. You can be sure that they exploited social media sites to find out who was working there and things like that," says Rob.

"There is a lot of information available publicly that is called open source information and that would have been helpful.

"One of the things that has been made publicly available was that the HSE was using 46,000 computers with software that had an end of life. That piece of information, for example, could have been of use to someone with malicious intents and they could have decided to create a piece of malware that could have exploited that," he adds.

"The HSE currently has a major disruption and its key services are being negatively affected. Put simply, ransomware is a type of computer virus that has infected the HSE computers, encrypted the files and locked the owners out of the systems so they can't use them.

"Then finally, to add insult to injury, the group behind the ransomware are demanding a lump sum figure to decrypt the files and return the control of the systems back to the administrators.

"When something like what is currently happening to the HSE occurs, you can be assured that information has been stolen as a bargaining chip.

Sunday World Newsletter

Sign up for the latest news and updates

This field is required This field is required

"It's extremely likely that this ransomware has lived in the HSE network for a number of weeks, possibly even months before it was triggered and then suddenly locked down the systems. During this time, it would have been doing reconnaissance and gathering information on the HSE network.

"At the moment there is a team working - a sort of cyber-version of detectives. These people specialise in digital forensics and reacting to events like this. As part of their job, it's their responsibility to detect these events, perform an analysis, do a triage, restore the systems and clean up the mess.

"But, most importantly, it is to ensure the malware is contained.

"So, they have to decide immediately, with really limited information, in a rapidly-changing environment, the extent of the attack and the best course of action to take to get it under control.

"In the HSE case that means minimising medical data leakage and stopping other systems from being attacked and compromised.


Health Minister Stephen Donnelly.

Health Minister Stephen Donnelly.

Health Minister Stephen Donnelly.

"What you're seeing now with the shutdowns, rescheduling of appointments, lack of digital imaging that's particularly affecting radiology and ICU departments, is the result of systems that have been directly compromised by attackers or precautionary actions taken by the 'blue team' defenders to contain the damage and minimise its impact."

Rob, who started his career in Dublin, works in the area of risk assessment in what's known as a 'Red Team' - the practice of actively attacking an organisation, with their permission.

"Red teamers are 'white hat' hackers who are hired by a company to try to find security flaws and gaps in a given system, and you do that with the aim of finding them before somebody who is malicious in their intentions does so. Red teamers are people who use their skills for good.

"But then of course, the other side of that is there are people out there who have these skills and use them for bad. They are nation states, cyber-gangs, online thieves and they are known as black hat hackers."

Wizard Spider have been actively pursued by the FBI and Europol for a number of years.

They are based in St Petersburg and use three main pieces of malware - one which attacks banking apps to steal credentials and two other viruses known as Ryuk and Conti. It is the Conti one that is suspected of being used in the HSE break and Rob doesn't believe that the authorities are going to catch up with them.

"I'm usually a very optimistic person but I think in this case it's going to be extremely difficult. The geopolitical climate is a difficult terrain to navigate at the best of times. Nobody knows what's going on behind the scenes.

"In a lot of cases they operate out of or reside within states that are not on good terms with their victim nations or they reside in states where there is no extradition treaties. This means there can be a severe lack of accountability. Having said that, I have no doubt the various law enforcement agencies will do their utmost to bring the gang to justice eventually," he says.

"Some of the members may not even know they are working for a criminal gang. These attack chains are months in the making at least.

"One person might be brought on board for a particular stage in the lifecycle or to deal with a specific technical problem and let go once that problem has been solved. There might be one individual in charge of sending a believable phishing email and another in charge of dealing with the ransom.

"They could all be working in isolation without knowing the true purpose of their work, but for that to work, there would have to be a few key core members pulling the strings.

"The cyber security industry itself is still very new and it has largely been a cyber arms race, pitting black hat hackers against private companies and governments. Those with the ability to stay in the race will survive and others won't. These attacks are incredibly advanced and extremely well-funded.

"One group known as 'DarkSide' have made around $90 million from their ransomware activities online.

"The cyber world is becoming increasingly bridged with reality. We have IOT devices like Alexa, home alarm systems we can look through the doorbell camera, start our cars with apps on our phones. This is very convenient for people to use, but equally as convenient for attackers to take advantage of.

"Cyber attacks have dramatically risen in 2020 and 2021 and it's partly because of the Covid situation and the lockdown procedures.

"The consequences of this have been that it further enabled threat actors to focus more time on these malicious activities but it also forced organisations who were ill-prepared to move online and work remotely very rapidly. It's the perfect storm."

This story was updated on May 24, 2021

Download the Sunday World app

Now download the free app for all the latest Sunday World News, Crime, Irish Showbiz and Sport. Available on Apple and Android devices

Top Videos