Istari

Post Incident Review of the Cyberattack on Ireland’s Health Service

Back to Spotlight

The cyberattack on Ireland’s Health Service in May 2021 is an interesting case study. A ransomware attack disrupted most hospitals in Ireland, causing substantial cancellations to outpatient services.

Appointments in some areas dropped by more than 80%. But as bad as the attack was, it could have been far worse had the attack:

  • targeted specifically medical devices;
  • took action to destroy data at scale;
  • used auto-propagation capabilities to move across domains (e.g., the exploit used in WannaCry or NotPetya);
  • infected cloud systems, such as the COVID-19 vaccination system

The criminal group initially demanded $20m as a ransom for the decryption key. In response to the public outcry, the criminal gang released the decryption keys without requiring payment. But even then, the recovery work took several months, and the Health Service asked members of the military to help restore laptops and systems.

PwC conducted an independent post-mortem review of the attack. Their review serves as an important case study for other organisations. Below is a summary of PwC’s report.

  • Let’s start with the timeline of the attack. The initial infection happened on March 18th, when an employee clicked and opened a malicious Microsoft Excel file that was attached to a phishing email and sent to the user two days before. The attackers then spent eight weeks in the IT environment before detonating the ransomware (see timeline of the event)

 Source:https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf

 

  • As is mostly the case in cyberattacks, tremors had foreshadowed the attack, but those tremors went unnoticed. In this case, they included:
    • Two weeks after the initial infection, antivirus software detected malware, but the antivirus was configured to monitor-only mode and thus did not block malicious commands
    • Four days before the ransomware’s detonation, a hospital identifies malicious activity
    • Two days before detonation, a different hospital communicates alerts of malicious activity to the central IT department
    • One day before detonation, the health service's cybersecurity solutions provider emailed the internal security operations team about unhandled threats on 16 systems; the internal security operations team initiated server restarts

 

The report goes into much greater depth (including recommendations on people, processes and technology) and is worth a read.

Why does this matter for businesses?

  • In post-event analysis, we see similar patterns of mistakes time and time again. Learning from the mistakes and successes of other organisations can help significantly improve own cybersecurity
  • PwC’s post-event analysis is an uncommonly candid, comprehensive, and transparent account of what went wrong. It may encourage other organisations to share their successes and mistakes with the public to strengthen our collective defences. 

 

Access the full report here