
Gardai scrutinise data leaked from Russian hackers that targeted HSE

Russian hackers targeted the HSE’s systems last year in the single largest cyberattack in Ireland’s history
JAKUB PORZYCKI/PA

The garda’s cybercrime taskforce is analysing a trove of leaked data from the Conti group, the Russian gang that carried out last year’s ransomware attack on the HSE.

The information was leaked over the weekend when Conti was itself hacked after the group threatened to inflict damage on the critical infrastructure of any country that attacked Russia over its invasion of Ukraine.

The attack on Conti was carried out by an unidentified Ukrainian, who is now leaking files, chat messages and source code stolen from the group's servers.

The Garda National Cyber Crime Bureau (GNCCB), which is continuing to investigate the Conti gang in conjunction with partner agencies, is analysing the leaked data for evidence that could help identify those involved in the HSE attack.

Simon Woodworth, a lecturer at University College Cork, said the leak could prove important as it revealed how Conti operated from the inside.


“It is very revealing but it may change the behaviour of other ransomware gangs and encourage them to switch tactics,” he said. “This is an arms race. The leak also shows that ransomware is run as a business.”

Woodworth said the hack on Conti also showed how Ukrainian digital activists had become involved in the unfolding war in Ukraine. “We should expect to see more of this in the weeks ahead,” he added.

Analysis of the leaked data indicates Russia’s intelligence services have links to the collective. The citizen journalism website Bellingcat last week alleged Conti had targeted one of its journalists on behalf of the Russian Federal Security Service (FSB) in revenge for its exposure of Russian intelligence operations across Europe.

Alex Holden, the Ukrainian-born founder of the American cybersecurity company Hold Security, yesterday said the files were being leaked by a Ukrainian researcher who had infiltrated the Conti gang, which is made up of various nationalities.

“This is a Ukrainian citizen, a legitimate cybersecurity researcher, who is doing this as part of his war against cybercriminals who support the Russian invasion,” Holden said. “It’s one person’s war against the Russian invaders in his country.”


Holden said the leaked files indicated that the Conti group was linked to Russia’s intelligence services.

“There are references to someone telling the gang not to target hospitals and having access to sensitive information but it’s unclear who these people are,” he said.

The disclosure may go some way to explaining why the Conti hackers, having spent weeks staging ransomware across the HSE network and encrypting its files, then handed over a decryption key for no apparent reason.

The group’s decision to provide a decryption key was highly unusual, as the government, in line with its policy, had paid no ransom to the cybercriminals.

Suspicions of Russian state involvement in the affair were further raised when the Conti group did not publish the stolen HSE data on the darknet, which is its usual modus operandi when ransom demands are not met.


The Russian embassy in Dublin had suggested the gardai should begin working with their counterparts in Moscow to bring cybercriminals to justice following the digital attack. The HSE hack had led to public criticism of the Russian authorities for failing to arrest, prosecute and extradite cybercriminals.

The leadership of the Conti group is based in the city of St Petersburg, where cybercriminals work privately but also as proxies for the state’s intelligence services. The group is known for carrying out sophisticated attacks on hospitals and healthcare providers. The leaked data shows the gang has earned hundreds of millions since 2017.

“This is eye-opening for everyone,” said Tom Pádraig O’Connor, an IT consultant from Meath who researches online attacks. “Russia chose not to arrest their hackers and allow them to hack and make money, more money than anyone else, so they could grow their groups and become bigger and badder.”

The attack on the HSE was the single largest cyberattack in the history of the state.

An investigation by the cybersecurity consultancy Mandiant found the criminals compromised the HSE’s IT network on March 18 last year after sending a phishing email to a member of staff at a Dublin hospital.


The gang explored the HSE network over an eight-week period, infecting critical servers with their ransomware.

The intrusion was detected by the HSE’s antivirus software, but because that software had been set to monitor mode it logged the malicious commands without blocking them. This allowed the hackers to gain access to the HSE servers and, in the following days, to compromise databases in seven hospitals and other parts of the network.

The gang went on to exfiltrate data from both statutory and voluntary hospitals, which they threatened to publish online unless their ransom demands were met.