The head of the cybercrime bureau of An Garda Síochána has said it is planning a number of operations over the next few months related to its probe into the HSE ransomware attack.
Detective Chief Supt Paul Cleary said the main investigation into the breach, which paralysed the health service for many weeks, is still continuing.
He said evidence has been retrieved from nine different jurisdictions around the world and gardaí and their partners have also launched major disruption operations against the hackers.
This involved the targeting and seizure of the criminals’ technical infrastructure, including the taking over of domains they had used so that an early warning could be provided to other potential victims.
This has since prevented attacks on 753 new victims of the gang around the world, he claimed.
“We are planning more,” Det Supt Cleary told the Ibec Global organised Cybersecurity: The Transatlantic Reboot Summit.
“We now know their modus operandi and how they target potential victims so we will keep the pressure on them. We are also following the money. We are looking closely at how they are financing their operations.”
However, he added that disrupting the financing is more challenging because the criminals have adopted new forms of cryptocurrency such as Monero that were more difficult to trace and are more secure.
Tracking down those responsible had also been challenging, he also said.
He said the HSE case had been an eye-opener for many and the most important part of the investigation has been collaboration with partners internationally, including Interpol and Europol.
He said there have been a lot of learnings from the investigation, including that the gangs are very innovative, including more recently moving from traditional email and attachment style methods of breaching networks to port scanning.
Earlier, the HSE’s interim Chief Information Officer, Fran Thompson, told the conference that the health service continues to go through the final recovery and learning phase of the fallout of the attack and that this would continue for a number of years.
He said a key lesson from the incident was that cybersecurity and governance is a leadership issue, not an IT issue.
“Within the HSE and I think within a lot of other organisations cybersecurity was seen as an IT problem, it is something IT need to deal with, and it wasn’t seen as a significant business issue,” he said.
“And it is only when something like we had, the cyberattack, happens do people fully understand the impact it has on the totality of the business.”
He said organisations need a cyber security strategy and it is not good enough to say the IT guys will look after it.
Every organisation’s leadership needs to have good cybersecurity skills.
“We were lacking in that,” he admitted.
“We were good IT people. But the difference between a good IT leadership and a good cybersecurity leadership are different.”
He added that every leader throughout all organisations needs to be aware of how their business is dependent on technology and what happens if it is not available.
This includes bringing in external assurance at governance level, he said.
He said the HSE had individual ransomware specific assessments, but never undertook one at the totality of the organisation.
“We now know that we need to have far better and far more effective cyber security monitoring, supported by third parties, not just internally,” he claimed, adding that the HSE now has a number of centres monitoring its systems 24/7.
Mr Thompson also advised that organisations carry out simulated attacks.
He said that before the attack the HSE thought it had sufficient recovery documentation for its systems.
“But when it came to it, the documentation we had was lacking,” he admitted.