Garda Operation fights back against HSE hackers
Working in conjunction with Interpol and Europol, Garda have completed a crime prevention operation focused on tackling the HSE ransomware gang which rocked the Irish healthcare system with a cyber-attack – the effects of which are still being felt today.
On Sunday, speaking from Garda’s Dublin Headquarters, the Garda released information concerning the operation to the public.
Garda stated that “A significant disruption operation which targeted the IT infrastructure of a cybercrime group has been conducted by the Garda National Cyber Crime Bureau (GNCCB).”
Outlining the results of the operation, Garda said, “This is a crime prevention operation and to date a total of 753 attempts were made by ICT systems across the world to connect to the seized domains.”
“In each instance, the seizure of these domains by the GNCCB investigation team is likely to have prevented a ransomware attack on the connecting ICT system by rendering the initially deployed malware on the victim’s system as ineffective.”
As for how the operation deals with visitors to the seized domains, the Garda has employed a ‘splash-screen’. When a victim lands on one of the domains in question, at risk of having been targeted by a cyber-attack, they are instead met by a government message. This message, accompanied by the Garda logo, details how the domain the person is trying to access has been seized from criminals and was previously unsafe.
This is key to informing potential victims who may have frequented the unsafe domains that their devices may have been infected during a previous visit, and that they should run some security tests to ensure their systems are clean.
Most of the clicks and visits to the seized domains were the result of phishing scams, a Garda spokesperson said. Victims would follow phishing email links to the domains, where malware was then downloaded to their systems. This is how the ransomware attack on the HSE in May 2021 took place.
Speaking on “decontamination”, Garda said that their efforts to tackle this particular culprit go beyond a nationwide response, as they have shared information with Europol and Interpol. The Irish police have shared “details of the visiting URLs to the member countries to ensure that the infected systems are appropriately decontaminated”.
Finally, speaking on the identification of the culprits of the attack, Detective Inspector Brian Halligan on behalf of the GNCCB stated that progress was “steady”. So far, they have been able to determine that the gang is Russian-speaking based on the infrastructure seized, and efforts to identify suspects and bring them to justice are ongoing.