
Talking Point - Cyber Vermin

Over the years we, at Expert, have banged on about website and email security and how important it is to have strong passwords and good back-up systems. We’ve warned about how important it is to never open an email attachment that might look even slightly dodgy. We’ve written blogs about all of this until the cows come home, as have many others, yet still the bad guys get in.

 

It can’t happen to us

The news feeds in Aotearoa New Zealand have covered ransomware attacks a lot recently, so when one of this country’s larger district health boards, Waikato DHB, was attacked by a ransomware scumbag on 18 May 2021 there was initial shock that something like this could happen to such an important organisation. Surely, they would have strong security measures in place?

Phone lines and computers crashed, blocking all IT services except email in Waikato, Thames, Tokoroa, Te Kuiti and Taumarunui hospitals. All clinical services at these hospitals were disrupted, elective surgeries were postponed and patient notes were inaccessible. Absolute chaos was caused inside Waikato hospital, the largest of them all. It was likely that material was stolen that included sensitive patient information and employee records, such as contracts and financial records. It even crashed the DHB’s parking meters!

The Police’s High Tech Crime Group and Cybercrime Unit were called in, quickly followed by the Government Communications Security Bureau.

 

Identifying the weak link

Within a short time, it was reported that the attack happened when ‘someone’ opened an email attachment that was dodgy. A phishing email apparently. I’m guessing it must have been opened by a system administrator who had high-level permissions which allowed access to such a large part of the system – how else could so much damage be done? Of course, opening a dodgy attachment isn’t the only way to let the bad guys in – access through insecure WordPress websites is another easy way to be hacked.

First reactions were that this should never have been possible in a technology-dependent environment, but somehow it happened. The next thoughts were about having a good back-up system that could restore the affected systems quickly so that services and vital health care weren’t disrupted. An investigation into how it happened and the lessons learned could come later, followed by a strengthening of weaknesses to ensure an organisation such as this would never be in a vulnerable position again.

A little over a week after the Waikato DHB was hacked, and with the DHB still in chaos, it was dubbed the largest cyberattack in NZ’s history and was considered so serious that it was escalated to the OCDESC (Officials’ Committee for Domestic and External Security Co-ordination), which convened an urgent response meeting. But the news just got worse... medical records were leaked to media organisations, who said they wouldn’t publish details from them, but it confirmed the access the hackers managed to gain.

 

Not a one-off

While this had been happening, the Volunteer Service Abroad (VSA) organisation of New Zealand was also hit by a ransom attack. VSA does really good work matching up NZ volunteers who give up months and sometimes years of their lives to work for free in poor third world communities throughout the Pacific and South East Asia to improve the living conditions of their inhabitants. It’s not a wealthy organisation – it’s a non-government organisation, a registered charity, that is not funded by taxpayers, and is reliant on sourcing its own funding through individual and corporate donations. Why would they be a target? It’s akin to people stealing charity donation boxes!

Chances are these two organisations weren’t the only ones. The Irish Health System had also been attacked around this time.

Back in the Waikato, some cancer patients were unable to be traced and as a result were not able to start vital radiation treatment. Needless to say, lives will be lost as a result. DHB staff worked frantically using any paper-based information they could find to make contact, and kept things moving as much as possible. The public were warned to be wary of unsolicited communications claiming to be from Waikato DHB or other government organisations and the DHB was working with an independent company which was an expert in the field. It’s a shame they hadn’t been working with them before this happened.

 

Bad architecture to blame?

As the days have become weeks, it would seem that most of the checks and balances that would normally be in place for a network of this size were either not there or were hugely inadequate. The system should have been run in silos to prevent cross-contamination and there shouldn’t have been network shares happening. Had these obvious controls been in place, the attack could have been more quickly contained. Think of firebreaks in forests or national parks. Or Covid outbreak management.

There will no doubt be a parliamentary Select Committee investigation and hearing set up as soon as normal service is resumed at the Waikato DHB. As usually happens, the blame game will be enacted and heads will no doubt roll. Lessons should be learned and hopefully the right improvements made. The perpetrators of the hack will probably never be brought to justice – even if they were identified, it’s unlikely their corrupt country would hand them over to face the music. Politicians will use it to score points at the next, and possibly future, general elections. And it will happen again. It always does because we’re a nation of naïve operators and slow learners. Apparently.

We’d been warned for years to be aware of these attacks, yet we continued to do what we always did. Applied the cyber equivalent of band-aids and hoped for the best. There was never enough money allocated and invested in creating proper systems, or on the rare occasions when adequate funding was available, it was often spent on the wrong things. I wonder how many more attacks like this will occur and how many people will die before someone has the foresight and intelligence to get it right and keep vermin away from our most important infrastructure. I wonder what condition the rest of the country’s DHBs’ cyber security is in, not to mention all the other critical things we’ve come to rely on the use of technology for.

 

Make your own checks

If you aren’t sure how secure your organisation is from cyber-attacks, talk to your in-house techies in IT support. In the meantime, here are some basic things everyone in your organisation should be doing, or not doing, to ensure minimal protection.

  1. Don’t open unsolicited emails or any links or attachments that look a bit unusual. It’s better to err on the side of caution if you aren’t sure
  2. If you have a WordPress website ensure the security patches are kept up to date
  3. Keep your virus protection up to date
  4. Keep operating systems up to date (especially on your phone)
  5. Don’t use the same password for everything
  6. Don’t use an ‘obvious’ password, such as your initials, date of birth, or 123 etc
  7. Don’t use unknown USB memory sticks
  8. Don’t use insecure (public) internet networks for important stuff
  9. Only download software from trusted sites – don’t download from unknown sites
  10. Check the email address of an unknown sender by ‘mousing over’ the sender’s email address – watch for anything that doesn’t match

For more info on email safety, check this out and for other information on cyber security visit the Expert website or use Google.

Being attacked in cyber space is hugely distracting, time consuming and expensive. When it comes to threatening lives it’s also unconscionable and unforgiveable, but then the perpetrators are just unscrupulous vermin. Fortunately, karma has no deadline, so hopefully they’ll get theirs.

 
