What is a cyber attack? As NHS declares ‘critical incident’ and cancels operations, how hackers exploit ‘flaws’ in systems to take control
The NHS has declared a ‘critical incident’ this week as a cyber attack cancels operations and blood tests in London hospitals.
On Monday, the NHS announced that Synnovis, a provider of laboratory services, had been hit by a ransomware attack that shut down key services.
This has led to widespread disruption as affected hospitals have been forced to cancel or outsource surgeries and blood tests.
MailOnline has spoken to cyber security experts to reveal how hackers are exploiting simple flaws in systems to take control of vital data.
These experts reveal how a network of specialist brokers and ransomware gangs are working together to exploit our healthcare services for profit.
NHS England declared a critical incident as a laboratory service provider working with several London hospitals, including King’s College Hospital (pictured), fell victim to a cyber attack
Patrick Burgess, cyber security expert at BCS, The Chartered Institute for IT, told MailOnline that a cyber attack is generally defined as ‘malicious or unauthorized access to a digital system’.
‘Much of our lives are now supported by computer networks, laptops and telephones; all of these things could theoretically be the subject of a cyber attack,” Burgess explains.
While these attacks can take different forms, NHS England revealed that Synnovis had fallen victim to a ‘ransomware’ cyber attack.
In these types of attacks, a hacker gains access to a company’s computer system and locks the system from the inside to extort a ransom.
To do this, criminal groups called ransomware gangs will first identify companies whose systems are already vulnerable to attack.
In some cases they use specialized criminal groups, so-called ‘access brokers’, who act as facilitators of their attacks.
Synnovis (pictured) provides pathology services for the NHS. Without their services, several trusts have been unable to provide blood transfusions or test results
These groups spend all their time looking for ways to penetrate systems and trying to find compromised passwords that they can sell for a profit rather than carrying out the attack themselves.
A ransomware gang can then purchase any credentials that appear profitable on the ‘dark web’ and use them to implant malicious software (‘malware’) into the company’s system.
In other cases, ransomware gangs themselves send millions of automated phishing emails to huge lists of companies.
These emails may contain links or downloads that install a virus on the victim’s computer, from where it can spread and infect the entire system.
Once that virus is implanted on one device, hackers gain a foothold from which they can slowly spread and take over the entire network.
Ross Brewer, vice-president of cyber security firm Graylog, told MailOnline that hackers are using a ‘low and slow’ approach to take over key systems.
He says, “They don’t want to get caught, so they usually work slowly over a period of days, weeks or months before pulling all the plugs.”
At hospitals like St. Thomas (pictured), surgeries have been canceled or moved to other providers
According to data collected by Mandiant, the average time between the first infection and the takeover in 2023 was ten days.
But once the criminals have everything in order, they will abuse tools within the computer network to take control and lock out legitimate users.
Typically, Mr. Brewer explains, this is done by encrypting the company’s data so that employees can no longer read it.
Because this is the same type of encryption that companies use to keep information safe, they cannot decrypt their data without the “key” that the ransomware gang has in their hands.
Experts say hackers used simple mistakes to install malware that encrypted key parts of Synnovis’ data, meaning the company can’t provide their services (file photo)
In the case of healthcare providers such as Synnovis, this leads to delays because the malware denies employees access to crucial information.
The NHS says it has had to cancel blood transfusions and patient operations because of the hack.
Cybersecurity consultant James Bore told MailOnline: ‘What will happen is there will be a database system involved which will have been introduced to speed up blood test results.
‘If that database is now encrypted (by the hackers), you suddenly have to fall back on paper notes.’
In a statement released yesterday, NHS England confirmed that the hack had ‘a significant impact on the delivery of services’.
Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trusts and primary care in south-east London have all been hit by delays.
Some procedures have already been canceled or transferred to other providers, as hospitals that partner with Synnovis lose access to blood transfusion and testing services.
Until Synnovis pays the ransom or restores the data from backup, delays and disruptions are likely to continue
To get the services back online, Synnovis must pay the ransom or restore the data from a previous backup.
The NHS and National Cyber Security Center do not generally pay ransoms, and even if they did, there is no guarantee they will get their data back.
Mr Bore says: ‘There are no guarantees; You are dealing with a criminal organization that has proven that they are willing to break the law.’
In some cases, the cybercriminals behind the attack simply refuse to decrypt the data or use a technique called “double extortion.”
Criminals can not only encrypt the data, but also steal a copy and threaten to publish it online if the victim does not pay.
This means that Synnovis will likely have to restore their databases from a previous backup – a time-consuming and difficult process that can take days to weeks.
Experts told MailOnline that these types of attacks are usually not very targeted and are more likely to hit Synnovis as part of a ‘crime of opportunity’.
While the initial contact may have been unlucky, the importance of Synnovis may have made criminals more eager to continue their attack.
My Bore said: ‘It’s notable that the company that was hit just a few months ago happily stated that they have managed to centralize pathology services from several different hospitals.’
It is not clear whether Synnovis was deliberately targeted. NHS lab work is a crucial service, making it ripe for extortion, but the majority of ransomware attacks are opportunistic (file photo)
This could have made Synnovis a tempting target for criminals, hoping that greater potential disruption could lead to a larger ransom.
Ciaran Martin, former CEO of the National Cyber Security Center, has suggested that the group behind the attack could be a threat actor known as Conti.
Although evidence is still emerging, it is believed that Conti could be behind the Black Basta malware group used in this attack and many others.
Joanne Coy, senior cyber threat analyst at Bridewell, told MailOnline: ‘Black Basta has a clear history of attacking the healthcare sector – in fact they have accelerated their attacks on this sector in 2024.’
Ms Coy added: ‘The group behind the attack on Synnovis is known for using highly targeted phishing emails to gain initial access, so it is possible that Synnovis was compromised in this way.’