HSE hack may have happened due to something as simple as an employee clicking on a link

Experts say a combination of out-of-date software and human behaviour can facilitate ransomware attacks

A lack of software updates and human error can typically contribute to large organisations' websites being vulnerable to online attacks, according to Smarttech247 CEO Ronan Murphy. File picture: Michael O'Sullivan

Cybersecurity experts last night warned that it could be weeks before HSE systems return to normal after yesterday's ransomware attack.

Ronan Murphy, of Cork-based cybersecurity experts Smarttech247, said it could be into next month before remedial work fixes problems caused by what has been described as "the most significant attack the Irish State has ever had".

“This will cause unbelievable disruption to the HSE,” he said.

“That is the nature of these ransomware attacks — it is the fact that they are incredibly disruptive despite how easy they are to launch.”

'Simple precautions and software updates'

He said that while there are hundreds of ways ransomware can be spread throughout a network, it usually starts with something as simple as an employee clicking on a link or opening an email attachment.

However, that action alone could be made all the worse if the person clicking on the link or downloading the file was working on a system that did not have all its software updated to the latest versions.

If their system did not have the most up-to-date security patches, there would have been an added vulnerability in their system.

“Ransomware exploits known vulnerabilities in a network,” Mr Murphy said. “It is not overly sophisticated.

“Once it gets into a network, it spreads very fast and encrypts data, and a ransom note pops up on the screen, warning the user they have 72 hours to pay up.” 

'Attack could have been planned for months'

IP-Performance’s chief information security officer Phil Cracknell, a former cybersecurity adviser to the UK government, said the attack could also have been initiated by someone figuring out the user name and password of somebody with access to the HSE network.

He also suggested that this particular attack could have been launched weeks or months ago, but only initiated early on Friday morning.

“There is not enough information out about this attack so far,” he said.

“Various buzzwords are being used, like ‘zero-day threat’ and ‘distributed denial of service’ [DDOS] attack.

'There could be more to this incident...'

“However, you wouldn’t normally associate such attacks with a ransomware attack,” he said:

“But, given the extent to which the authorities are describing it as the most significant attack ever, and alluding to its complexity, there could well be more to this incident than the authorities either know, or are prepared to talk about, at this stage.”

He suggests that one of the things an attacker could have done is get into the network undetected some time ago and spread ransomware around the network.

“If they did this some time ago and went undetected, it could mean that hourly or daily backups would, over a period of time, be infected,” he said.

Phil Cracknell of IP-Performance says the ransomware attack on Ireland's health service could have been initiated weeks or even months ago.

“This could lead to a situation where the company under attack tries to turn to its more recent backups to reload their systems, only to discover their backups have ransomware too.” 

One of the world’s leading cybersecurity experts had warned last December that Ireland’s health service was at risk of the same deadly cyberattacks hitting other countries.

Cyberattack may have led to death in Germany  

One such health service attack in September 2020 was being blamed for contributing to the death of a pensioner needing emergency care for an aneurysm in Düsseldorf, Germany.

She had to be diverted to another city because a ransomware attack at the hospital in Düsseldorf caused disruption to its IT systems.

Hospital IT systems in the UK and the US were also being targeted in so-called ransomware attacks at the time.

When asked if such attacks — including the one in Germany — could happen here, US cybersecurity expert Bruce Schneier, a speaker at the Web Summit 2020, told the Irish Examiner: “Unless the laws of physics are different in Ireland, yes.

“If you are a country on the planet that uses the internet that everyone else uses, then you worry about this.

“There's nothing magical about anybody's borders that makes it more or less likely. These attacks happen pretty much at random, to everybody who is vulnerable.”
