As part of our cyber security series, we spoke to cyber security expert Raluca Saceanu about her first-hand experience during the ransomware attack on Ireland’s health service, how Kaseya’s supply chain was infiltrated and what companies need to do to defend themselves in the future.
Saceanu is the COO of Smarttech247, an Irish multi-award-winning cybersecurity company founded by CEO Ronan Murphy seventeen years ago. Smarttech247 is headquartered in Cork, Ireland, and has offices in the United Kingdom, Romania, Poland and the US.
On the 14th of May, Ireland’s health service, the HSE, was subject to a ransomware attack. How did this come about?
It was such a large-scale attack, and it affected so many healthcare institutions, that we still have not found what we would call ‘patient zero’. We still haven’t found exactly how the attack took place, but we do know that it was most likely a phishing attack, and it was able to lock down all of the agency. Unfortunately, a lot of the hospitals were affected, and their data was encrypted, and they are still struggling to get back up. Some of the hospitals that were alerted early on were able to disconnect from the network, and they were safe.
It’s still a little bit difficult to find out exactly what happened, you’d need to run a pretty large forensic investigation.
You had some clients affected by the attack; how did you deal with the situation to keep them protected?
We have some of those hospitals under our umbrella of protection, and those hospitals were safe; we were able to find out really, really fast. I remember it was at 4am on the 14th of May and we were able to see it happening. Because we provide 24/7 monitoring, we have not only systems in place but people actually looking at the systems, so we were able to alert early on. Obviously, it’s important for somebody to answer your calls when we’ve had that kind of incident; they need to act fast and disconnect systems. They were disconnected for a couple of weeks after that.
How did your system detect the attack?
We are monitoring our clients’ networks, and within their networks they have servers connected to other endpoints like laptops and desktops, and medical devices as well. We are monitoring the high-grade security tools that they would have put in a few years ago. They need management and monitoring, so we have been able to set that up for a couple of the hospitals in the past four years.
We’re monitoring suspicious behaviours so we are analysing, I would say, 20 million logs on a daily basis from each one of those hospitals. As you can imagine, everything they do within the network sends an event to our system.
The systems that we are using to monitor these events would normalise, let’s say, maybe 600 of those events which would actually be a little bit suspicious. From those 600, you then move on to maybe 30 events that are confirmed as suspicious. And then out of those you would identify what exactly the problem is – what the anomaly is – and you end up with a couple of incidents.
That complex process takes about ten minutes for us whereas without the tools and the people looking at them, it would be absolutely impossible. If it’s a ‘priority one’ incident, we alert them straightaway. In the case of what happened back then, it was a call in the middle of the night to turn off their systems, switch off from the HSE network and start scanning networks internally.
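The funnel described in the answer above (raw events, normalisation, suspicious hits, correlated incidents, priority) can be sketched in code. What follows is an added illustration, not Smarttech247’s monitoring system or any HSE data: the hostnames, usernames and log lines are constructed for the example, and the rule weights and the P1 threshold are arbitrary assumptions chosen to make the staging-of-ransomware pattern (shadow-copy deletion, disabled recovery, mass file renames) outrank a burst of failed logins.

```python
"""Toy event-triage funnel: raw logs -> normalised events -> suspicious hits
-> per-host incidents with a priority.  Added example; every log line below is
constructed for illustration (hostnames, users and timestamps are made up)."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed: syslog-style lines mixed with JSON endpoint events.
RAW_LOGS = [
    '2021-05-14T03:58:01Z ward-pc-07 sshd: Accepted password for nurse1 from 10.20.1.5',
    '2021-05-14T03:58:30Z ward-pc-07 auditd: CWD=/home/nurse1 PATH=/usr/bin/ls',
    '{"ts":"2021-05-14T04:01:10Z","host":"file-srv-02","proc":"cmd.exe","cmd":"vssadmin delete shadows /all /quiet","user":"svc_backup"}',
    '{"ts":"2021-05-14T04:01:12Z","host":"file-srv-02","proc":"cmd.exe","cmd":"bcdedit /set {default} recoveryenabled no","user":"svc_backup"}',
    '{"ts":"2021-05-14T04:01:20Z","host":"file-srv-02","event":"file_rename","count":5000,"ext":".locked","user":"svc_backup"}',
    '2021-05-14T04:02:00Z ward-pc-07 sshd: Failed password for root from 10.20.1.5',
    '2021-05-14T04:02:01Z ward-pc-07 sshd: Failed password for root from 10.20.1.5',
    '2021-05-14T04:02:02Z ward-pc-07 sshd: Failed password for root from 10.20.1.5',
    '2021-05-14T04:02:03Z ward-pc-07 sshd: Failed password for root from 10.20.1.5',
    '2021-05-14T04:02:04Z ward-pc-07 sshd: Failed password for root from 10.20.1.5',
    '2021-05-14T04:02:05Z ward-pc-07 sshd: Failed password for root from 10.20.1.5',
    '2021-05-14T04:03:00Z ward-pc-07 cron: (root) CMD (run-parts /etc/cron.hourly)',
    '{"ts":"2021-05-14T09:30:00Z","host":"lab-ws-11","proc":"cmd.exe","cmd":"vssadmin list shadows","user":"admin"}',
]

SYSLOG = re.compile(r'^(\S+) (\S+) (\w+): (.*)$')  # "<ts> <host> <prog>: <msg>"


def normalise(line):
    """Map either input format onto one schema; return None for unparseable lines."""
    line = line.strip()
    if line.startswith('{'):
        e = json.loads(line)
        msg = e.get('cmd', f"{e.get('count', 0)} files renamed to {e.get('ext', '')}")
        return {'ts': datetime.fromisoformat(e['ts'].replace('Z', '+00:00')),
                'host': e['host'], 'user': e.get('user', '?'),
                'kind': e.get('event', 'process'), 'msg': msg}
    m = SYSLOG.match(line)
    if not m:
        return None
    ts, host, prog, msg = m.groups()
    return {'ts': datetime.fromisoformat(ts.replace('Z', '+00:00')),
            'host': host, 'user': '?', 'kind': prog, 'msg': msg}


# Rule table: (name, predicate, weight).  Weights are illustrative assumptions
# expressing how strongly one hit points at ransomware staging on its own.
RULES = [
    ('shadow_copy_deletion', lambda e: 'vssadmin' in e['msg'] and 'delete shadows' in e['msg'], 10),
    ('recovery_disabled',    lambda e: 'bcdedit' in e['msg'] and 'recoveryenabled no' in e['msg'], 8),
    ('mass_rename',          lambda e: e['kind'] == 'file_rename' and 'files renamed' in e['msg'], 9),
    ('failed_root_login',    lambda e: e['kind'] == 'sshd' and 'Failed password for root' in e['msg'], 1),
]


def suspicious(event):
    """Return the (rule, weight) hits for one event; an empty list means benign."""
    return [(name, w) for name, pred, w in RULES if pred(event)]


def triage(raw_lines, window=timedelta(minutes=5), p1_threshold=15):
    """Run the funnel and report the count at each stage plus the incidents.

    Hits are grouped per host; the hits that fall within `window` of the host's
    first hit form one incident (one cluster per host keeps the example short).
    """
    events = [e for e in map(normalise, raw_lines) if e]
    hits = [(e, suspicious(e)) for e in events]
    hits = [(e, h) for e, h in hits if h]
    by_host = defaultdict(list)
    for e, h in hits:
        by_host[e['host']].append((e, h))
    incidents = []
    for host, items in by_host.items():
        items.sort(key=lambda x: x[0]['ts'])
        start = items[0][0]['ts']
        cluster = [i for i in items if i[0]['ts'] - start <= window]
        score = sum(w for _, h in cluster for _, w in h)
        rules = sorted({name for _, h in cluster for name, _ in h})
        incidents.append({'host': host, 'score': score, 'rules': rules,
                          'priority': 'P1' if score >= p1_threshold else 'P3'})
    return {'events': len(events), 'suspicious': len(hits),
            'incidents': sorted(incidents, key=lambda i: -i['score'])}


if __name__ == '__main__':
    print(json.dumps(triage(RAW_LOGS), indent=2))
```

On the constructed feed the funnel reads 13 events, 9 suspicious hits, 2 incidents: the file server’s three staging actions combine into a P1, while the six failed root logins on the ward PC stay a low-priority incident, and the lone `vssadmin list shadows` on the lab workstation never enters the funnel because no rule fires on it. That ordering, rather than the raw count of alerts, is what an analyst acts on when deciding which call to make at 4am.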
Apart from the obvious disruption to the HSE services how else has the attack had an impact on the people of Ireland?
Other hackers have used this as a brilliant opportunity for them to launch more phishing attacks. What normally happens in 99% of cases is that after a ransomware attack, other criminal gangs will use this opportunity for their own interests. After the HSE, because it was so public around the data being leaked and so forth, others started launching phishing attacks targeting absolutely everyone in Ireland, saying we have your data and you either need to pay or sign in or whatever they request you to do. I think maybe one in every two people in Ireland probably got them, including myself.
It was reported the ransom was never paid but a decryption key was supplied to the HSE. It has been suggested the criminal gang came under pressure from their own Government in Russia to do the right thing and give them back control of their system.
On the 2nd of July, Kaseya fell victim to one of the world’s biggest ransomware attacks, which rippled right through its supply chain. How did it differ from the HSE attack?
The scale of the Kaseya attack is actually even bigger than what happened with the HSE. The problem is that Kaseya is a network management tool used by many service providers who then also have their own clients.
The hackers were able to exploit a zero-day vulnerability in Kaseya’s network management tool and then they were able to push an update to their MSP (managed service provider) clients – other IT companies who also had their own clients, who then also got infected.
It’s a typical case of supply chain security, which is the number one cyber security risk of 2021. We were warned about this last year, in 2020, when Cognizant, another MSP, was attacked. We were warned that this would be the new preferred method of attack because you get the keys to the kingdom – you attack one managed service provider, you attack their clients, and then you have access to thousands of businesses. Unfortunately, in the Kaseya case they were able to compromise up to 1,500 businesses, including the Swedish supermarket chain Coop.
Hacks like these seem to happen so easily (sorry hackers, I’m sure you worked hard on this). Why, in 2021, are ransomware attacks becoming so common?
You need these tools to manage your network remotely, so by default you allow certain actions because you trust them. And the word trust is the key here, because we are supposed to trust the tools that we use to run our business on a daily basis. And because of that blind faith, we’re now being compromised, because those tools are being compromised.
What should be the next approach in reducing the number of large-scale cases we are seeing and protecting small businesses?
The advice I would give to anybody is, if you use any kind of network management tool, start asking questions. You are the client, and you are entitled to get answers to your questions. Make sure that the providers of the tools you are using on a daily basis are taking cyber security seriously.
There is a term in cyber security called zero trust which is something that everybody needs to start adopting. But it’s not only that, we need to educate ourselves a little bit more on what the dangers actually are. You can’t apply a zero trust method on how you run your cyber operations until you actually understand the scale of the problem. You need to look at best practice frameworks and start digesting those a little bit more.
You need to understand your supply chain, who is in your supply chain, and how they are protecting their own network. How are they protected from their own supply chain? You need to start asking those questions.
My parting advice would be you need to train your users better. You need a better approach for that, and you need to start understanding how to apply that zero trust methodology.