What can we learn from the HSE and Department of Health ransomware attacks?

Ireland appeared to be shaken to the core by the recent cyberattack on HSE and the Department of Health, but once past the initial shock, is it time for an in-depth look at the Irish cybersecurity infrastructure and whether such attacks could not have been anticipated, detected or prevented.

In 2017 the National Health Service [NHS] in the United Kingdom came to a standstill because of an attack by the notorious WannaCry ransomware, that paralysed their computers. The recovery was long and cost the NHS £92 million, but were any lessons learned on this side of the Irish sea? Let’s have a quick look at the details we know and how the matters could have been handled differently.

It has been reported that 700GB of HSE’s data was allegedly exfiltrated by the cybercriminals. The movement of 700GB of data in any network should be noticeable, even over the duration of two weeks. Given that the data is stated to be of a sensitive nature, content aware Data Leak Prevention (DLP) could have been useful in preventing the movement of such data. Content aware DLP software aims to prevent intentional (and accidental) leakage of sensitive data by first identifying the data (using some rules written by the administrator) and then controlling who can access the data, how they can interact with it (and when), and where it can be moved.

The exfiltration of sensitive data from any network housing Personally Identifiable Information (PII) should be a huge concern for any security staff. This can be prevented at many possible stages, with the most important being at the gateway of the organisation. Perhaps firewall rules preventing communication to cloud services (OneDrive, Dropbox) and unknown IP addresses were not in place? Without knowing exactly how the data was exfiltrated we can only speculate, but there are various tools that could assist.

NetFlow monitoring may have been useful in detecting a spike in the upload traffic/outbound traffic from the organisation. NetFlow is a feature that was introduced on Cisco routers around 1996 that provides the ability to collect IP network traffic as it enters or exits an interface, so a network administrator can determine things such as the source and destination of traffic.

There are also reports of the HSE using outdated software such as Windows 7. In January 2020, the Irish Examiner reported “The HSE is to spend €1.1m on extended security support for a now obsolete operating system as the health service did not upgrade the majority of its computers in time,“
so this may or may not be related. Given that the attack/entry was attributed to a zero day exploit it would seem more likely than not.

There are numerous articles claiming that the attack could have been caused by something as simple as “a user clicking a link”. This is highly unlikely if the HSE’s network security is to be taken seriously. It is more than likely the actions of a highly motivated Advanced Persistent Threat (APT) group of some kind or another.

The utilisation of a cloud sandboxing solution can also be particularly effective in combating ransomware infections and Zero-Day threats. A properly configured cloud sandboxing product will temporarily pause the execution/opening of any unknown files until they are analysed in an operating system in the cloud. If a file is found to be malicious, execution is stopped and the file removed, with detections being provided to all the other endpoints on the network. If the file is benign, it will be allowed to run. Sometimes the most effective way of detecting what a piece of unknown software will do is to simply let it run and monitor its behaviour. It’s obviously too dangerous to do this on protected network hence the utility of cloud sandboxing solutions.

Given that the reports suggest the attackers “lived” in the network for approximately two weeks, it must be asked if the HSE’s security team were utilising an Endpoint Detection and Response (EDR) solution. EDR products aim to detect the movement and actions of attackers in a protected network by reporting seemingly innocuous events to security teams for analysis. Things like the commands they would have run, the files they would have changed, the login attempts they would have made, etc. These actions when flagged by a proper solution should ring alarm bells for any Security Operation Centre analyst and trigger an immediate investigation. In short, a correctly configured EDR solution would have flagged events typical with lateral movement to analysts.

The NCSC has stated that both the cyber-attacks are “believed to be part of the same campaign”, but the Department of Health claims to have successfully detected and stopped the execution of ransomware and also detected the presence of Cobalt Strike beacons, something an EDR solution would have flagged too.

We have also seen in human operated attacks before, that users/administrators sometimes fail to password protect their endpoint security solutions. This means an attacker can simply disable the security solution upon gaining access to the system, allowing them to run their payloads without any problems.

ESET Ireland continuously stresses the importance of a thoroughly planned defensive posture and a multi-layered approach to cybersecurity. While there is no such thing as 100% security, by applying comprehensive preventive measures, the bar can definitely be raised to an extent that makes it a lot harder for cybercriminals to carry out major disruptions. For a full report on Advanced Persistent Threats against government institutions and ways they can prepare their defence strategies, see ESET’s latest Industry Report on Government.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s