‘Wizard Spider’: Who are they and how do they operate?

‘Wizard Spider’: Who are they and how do they operate?

The organised cyber crime group that targeted the Health Service Executive and the Department of Health is known to international law enforcement agencies as one of the most sophisticated and technically proficient cyber crime gangs in the world.

The HSE was last week forced to shut down all of its IT systems following a “significant” ransomware attack, which focused on accessing data stored on central servers.

The group known as ‘Wizard Spider’ is, according to the intelligence agencies, based in and around St Petersburg in Russia.

They estimate the crime group consists of approximately 80 employees, some of whom are unaware they are working for a criminal organisation.

The group employs skilled computer programmers and hackers on a part-time and temporary basis as part of a modus operandi that involves regular changes in staff.

‘Wizard Spider’ has for many years been a target of the FBI, the UK National Crime Agency, Interpol, Europol and other international law enforcement agencies.

They suspect that key figures in the organised crime group were involved in cyber attacks in 2014 and 2015 involving malware known as ‘Dyre’.

The ‘Dyre’ malware was at the time the pre-eminent virus enabling cyber criminals to steal money online and first brought suspected members of the group to the attention of law enforcement.

In 2018 however, international agencies identified a significant upgrade in the criminal organisation’s technical ability and its primary use of three types of ransomware, Trickbot, Ryuk and Conti.

These were used to target large organisations for a high-value return in a criminal activity, referred to online as “big game hunting”.

The organised crime group specialises in inserting malware into computer systems all over the world and targets government, healthcare, aerospace, agriculture, academic, retail and commercial bodies making high ransom demands

Conti is the ransomware that was used to disable the HSE’s and the Department of Health’s IT systems and law enforcement agencies say there is no known case of success in relation to generating a decryption key for the ransomware.

Europol operates a decryption platform, which enables victims of other malware attacks to download keys that have been recovered from cyber crime gangs and restore their data.

Law enforcement agencies here also say that the ‘Wizard Spider’ cyber crime group does not carry out attacks on systems in Russia and the groups key members do not travel outside Russia.

Cyber criminals buy and sell their services and capabilities, such as fraud or hacking abilities, on underground websites but the ‘Wizard Spider’ group is very security conscious, which has enabled it to continue to operate covertly for some time.

It does not openly advertise on the Darknet and will only sell access to or work alongside trusted criminals and it is known to belittle its victims.

It is not yet clear what this international organised crime group, believed to be responsible for the most significant and damaging attack on the State’s infrastructure, intends to do with the data it has stolen.

Cyber criminals threaten to publish stolen data online or they can sell it on to other criminals to use for fraud and extortion if their ransom demands have not been met.

“These are hardened criminals who don’t care what they do or who they hurt,” cyber security specialist Brian Honan said.

Hackers who attacked a psychiatric hospital in Finland in October of last year and stole the medical records of 40,000 people not only sought a ransom from the hospital but also emailed individual patients and threatened to publish their therapy and mental health treatment records if they were not paid.

The Government has said it will not pay a ransom to the criminal gang.

Taoiseach Micheál Martin said today the Government is working to make sure criminals do not exploit the situation following the cyber attack on the HSE’s IT systems last week.

The criminal investigation is being led by the Garda National Cyber Crime Bureau but they are working closely with international law enforcement as this is a crime that has been committed from another jurisdiction and affects countries all over the world.

Minister for Foreign Affairs Simon Coveney said he has spoken to his Russian counterpart, Sergey Lavrov, about the cyber attack.

The Russian Embassy here has said it is willing to “look into the matter”.

In a statement yesterday the Russian Embassy said it condemned the attack in the strongest terms and that the Russian government has been consistently promoting initiatives on strengthening international co-operation on the issues of international information security and confronting effectively cyber space crime.