Cybersecurity officials are monitoring the dark web for evidence of data from the HSE ransomware attack being dumped online.
It is believed cybercriminals harvested vast amounts of personal data during the attack last week and are likely to publish it online or sell it unless they receive payment from the Government. Irish officials reiterated on Monday that no ransom would be paid.
Following previous attacks the gang has been known to dump samples of stolen data online to demonstrate they have access to it and that they are serious.
Cybersecurity experts in two firms – McAfee and FireEye – hired by the HSE to contain the attack are currently monitoring a number of "dump sites" on the dark web for HSE files, security sources said.
The suspected gang behind the attack, which is believed to be based in Russia, last year established their own dedicated dump site for stolen data. It currently lists almost 200 victims.
Sources said the attackers were able to gain access to HSE systems through human error, probably an employee clicking a link or opening a document sent to them in an email. The hackers probably used a “shotgun approach” and sent many such emails to employees, meaning there may have been more than one access point.
Virus samples
The response to the attack is being led by the National Cyber Security Centre with the support of the Garda National Cyber Crime Bureau.
Officials are liaising with the FBI, the UK's National Crime Agency and Europol's European Cybercrime Centre (EC3). Samples of the virus have been sent to the Europol Malware Analysis Centre to be compared with previous attacks.
The group that created the Conti ransomware is sometimes known as Wizard Spider. It has been known to license out its ransomware products in return for a share of any profits.
The Conti Ransomware has been used in attacks on the Scottish Environmental Protection Agency and UK clothes retailer Fat Face.
The Russian embassy has condemned the cyberattack on the HSE and suggested Moscow was ready to look into the matter if approached by Irish authorities.
A spokeswoman for the embassy said it “condemns ... any type of criminal activity in cyberspace, including this particular incident”.
“We do not have any way to judge on who the perpetrators are ... The Irish authorities have not yet approached the embassy regarding this ransomware attack.”
She said the Russian government had been promoting initiatives on strengthening international co-operation on international information security and confronting cybercrime.
Dismantling networks
European police agencies are becoming more adept at dismantling cybercrime networks and arresting hackers, said Brian Honan, a former cybersecurity adviser to Europol.
“Given the disruption they caused here at a national level I would say there will be a lot of political pressure behind getting them brought to justice,” he said of the most recent attack.
However, James Moles, a senior engineer with the cybersecurity company Extrahop, believes it is "highly unlikely" the perpetrators of the attack will be caught and extradited. He said countries such as Russia and China tend to turn a blind eye to cybercriminals if they are attacking "adversaries".
"If they're attacking targets in the West, President [Vladimir] Putin is not going to stop them. It is not in his interests to do so."
The UK’s cybersecurity apparatus has “done quite a good job” in identifying the leading figures in these gangs, Mr Moles said. “But international arrest warrants aren’t respected.”