The UK government is considering action against Russian hackers over the theft of NHS data
The government is considering hitting back against Russian hackers who stole data on 300 million patient interactions with the NHS, including blood test results for HIV and cancer, the Guardian can reveal.
The National Crime Agency (NCA) is considering the possibility of taking retaliatory action against Qilin, the Russia-based ransomware gang that released into the public domain early on Friday a huge amount of highly sensitive NHS data that they stole in a cyber attack on June 3.
Health bosses in London, where the hack was targeted, have responded to the widespread alarm Qilin’s action has caused by setting up a helpline to answer questions from anxious patients.
They have urged patients who may have received details of care from NHS trusts and GP practices in South East London to “not contact your local hospital or GP practice to ask if your details have been affected by this attack, as they do not store this information”.
Qilin’s action, which was an indication that the ransom demand of a reported US$50 million had been ignored, has sparked discussions between the NCA and the National Cyber Security Centre (NCSC) on how to respond. The government’s communications centre, GCHQ, is said to be aware of the talks.
A source with knowledge of the options being explored said: “There is a specialist (NCA) team working behind the scenes to access, understand and, if possible, remove the data.”
The NCA is considering taking action to delete as much of the data as possible that Qilin posted on a messaging platform early Friday morning, the source added. “That is being investigated and what is possible. (Action is likely because) it is in fact an attack on the state.”
Cybersecurity sources said the impact of any operation to recover or delete the data could be reduced if the Qilin gang had already copied the files and could post them elsewhere.
British law enforcement has set a precedent for directly tackling ransomware gangs. The gangs pose a challenge to authorities as they are known to operate from Russia or former Soviet states.
However, the NCA recently disrupted the operations of the world’s largest ransomware group – the LockBit group – in a joint operation with international partners.
In February, the agency said it had seized the entire command and control apparatus for LockBit, including the leak site where it displayed hacked victims’ data. The operation also took control of the infrastructure behind LockBit’s ransomware-as-a-service operation, in which affiliates lease the malicious software, or malware, that infiltrates and disables victims’ computer systems.
The operation was carried out in collaboration with the FBI, Europol and a coalition of international police forces and led to the unmasking of the gang’s alleged leader, Russian national Dmitry Khoroshev.
The Guardian announced on Friday that the hackers had stolen much more data than previously thought. They obtained data on 300 million patient interactions with the NHS, including blood test results for HIV and cancer.
The attack has caused serious disruption at seven hospitals run by the King’s College Hospital Foundation Trust and the Guy’s and St Thomas’ Foundation Trust, two of the health service’s largest and busiest providers. Qilin focused on Synnovis, a private/NHS joint venture that provides pathology services such as blood tests and transfusions. It is unclear at this stage whether the hack only affected hospitals in those trusts or was more widespread, as Synnovis also does work for other NHS trusts elsewhere in England.
The two trusts had to cancel 1,134 planned surgeries, including cancer and transplant surgery, and postpone 2,194 outpatient appointments in the first 13 days after the attack alone, the London region of NHS England said on Thursday.
It is still unclear exactly what data, or how much of the loot, the ransomware group has made public. But well-placed sources said the stolen data included details of the results of blood tests conducted on patients undergoing many types of surgeries, including organ transplants; about those suspected of having a sexually transmitted infection; and on those who had had a blood transfusion.
In a statement on Friday, NHS England said the NCA and NCSC were “working to verify the data contained in the files published by the criminals. These files are not simple uploads and so these types of investigations are very complex and can take weeks, if not longer.”
However, the amount and sensitive nature of the data Qilin has obtained, as well as the gang making at least some of it public, has caused concern among NHS bosses.
NHS England said in a warning that patients could now be targeted by ransom-seeking criminals: “You should always be alert to approaches from anyone claiming to have your details and other suspicious calls or emails, especially if you are asked for personal or financial information.”
Anyone contacted in relation to their NHS details should immediately call Action Fraud, it added.
The NHS ‘incident helpline’ went live on Friday and is available on 0345 8778967.
Furthermore, in a development that will cause anxiety among patients who have received private healthcare in recent years, Qilin’s haul is also said to include data from tests people have undergone at multiple private healthcare providers. It is not clear which private healthcare companies Synnovis – a joint venture between pathology company Synlab and London’s two acute hospital trusts – works for and whether this includes operators of the capital’s range of private hospitals.
The NHS is working hard to transfer the care it can provide to other providers and in the past week has managed to increase the number of blood tests it can do from 10% of the usual number to 30%.
The fact that Qilin has locked Synnovis out of its own IT system means that affected hospitals and GP practices, which care for 2 million patients, still have to severely ration access to blood tests. They can only do 30% of their usual numbers.
Tim Mitchell, a senior researcher at the cybersecurity firm Secureworks, said the posting of data indicated the negotiation period had ended. “By the time the data is leaked, the ransomware negotiations will be largely over,” he said.
Synnovis has not confirmed whether it has had discussions with Qilin.