What is a cyberattack? As the NHS declares a ‘critical incident’ and shuts down operations, how hackers exploit ‘flaws’ in systems to take control



The British NHS declared a “critical incident” this week because operations and blood tests had to be cancelled in several London hospitals due to a cyberattack.

On Monday, the NHS announced that Synnovis, a provider of laboratory services, had fallen victim to a ransomware attack that brought critical services to a halt.

This caused widespread disruption as affected hospitals were forced to cancel or outsource operations and blood tests.

MailOnline spoke to cybersecurity experts to reveal how hackers exploit simple system flaws to gain control of important data.

These experts reveal how a network of specialized brokers and ransomware gangs work together to exploit our healthcare services for commercial purposes.

NHS England declared a critical incident because a laboratory service provider that works with several London hospitals, including King’s College Hospital (pictured), had fallen victim to a cyberattack.


Patrick Burgess, cybersecurity expert at BCS, the Chartered Institute for IT, told MailOnline that a cyberattack is generally defined as “malicious or unauthorised access to a digital system”.

“A large part of our lives today is supported by computer networks, laptops and phones; any of these things could theoretically be the target of a cyberattack,” explains Burgess.

These attacks can take different forms, but NHS England announced that Synnovis had fallen victim to a cyberattack involving ransomware.

In this type of attack, a hacker gains access to a company’s computer system and locks the system from the inside in order to extort a ransom.

To do this, criminal groups – so-called ransomware gangs – first identify companies whose systems are already vulnerable to attacks.

In some cases, they hire specialized criminal groups, so-called “access brokers,” to act as intermediaries in their attacks.

Synnovis (pictured) provides pathology services to the NHS. Without its services, several trusts would not have been able to provide blood transfusions or test results.


These groups spend all their time looking for ways into systems and tracking down compromised passwords to sell for profit, rather than carrying out the attack themselves.

A ransomware gang can then buy any lucrative credentials on the “Dark Web” and use them to deploy malware inside the company’s system.

In other cases, ransomware gangs themselves send millions of automated phishing emails to huge lists of companies.

These emails may contain links or downloads that install a virus on the victim’s computer, from which it can spread and infect the entire system.

Once the virus has established itself on a single device, it provides hackers with a starting point from which they can slowly spread and take over the entire network.

Ross Brewer, vice president of cybersecurity firm Graylog, told MailOnline that hackers are using a “stealth and slow” approach to take over critical systems.

He says: “They don’t want to get caught, so they usually work slowly over a period of days, weeks or months before pulling the plug.”

At hospitals like St. Thomas’ (pictured), operations have been cancelled or transferred to other providers.

According to data collected by Mandiant, the average time between initial infection and takeover of the network in 2023 was 10 days.

But once criminals have everything in place, they can exploit tools within the computer network to take control and lock out legitimate users.

Typically, Brewer explains, this is done by encrypting company data so that employees can no longer read it.

Since this is the same type of encryption that companies use to protect their information, they cannot decrypt their data without the ransomware gang’s “key.”

According to experts, hackers used simple vulnerabilities to install malware that encrypted important parts of Synnovis’ data. The company is now unable to provide its services (file photo).


For healthcare providers like Synnovis, this causes delays because the malware prevents employees from accessing important information.

The British health service NHS said it had had to cancel blood transfusions and operations on patients due to the hacker attack.

Cybersecurity consultant James Bore told MailOnline: “There will be a database system that will be introduced to speed up blood test results.”

“Now if that database is encrypted (by the hackers), you suddenly have to resort to paper notes.”

In a statement released yesterday, NHS England confirmed that the hack had “significant impact on service delivery”.

Guy’s and St Thomas’ NHS Foundation Trust, King’s College Hospital and primary care services in south-east London all experienced delays.

Some procedures have already been cancelled or transferred to other providers because the hospitals working with Synnovis no longer have access to blood transfusions and testing services.

Until Synnovis either pays the ransom or restores the data from a backup, it is expected that delays and disruptions will continue.

How do ransomware attacks occur?

Ransomware attacks use computer viruses to encrypt a company’s data and demand a ransom for the decryption key.

First, ransomware gangs look for victims either through phishing emails or by purchasing passwords from an access broker.

Once hackers gain access, they can plant malware on an employee’s computer.

This malware spreads slowly across the network for about 10 days.

When the hackers are ready, they encrypt the most important data and lock employees out of the system.

The company must now pay the ransom or restore its data from a backup.
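The final step described above, the encryption of the most important data, is also the point at which defenders have a chance to notice what is happening: a good cipher turns structured documents into bytes that are statistically indistinguishable from random noise, so a monitoring job that samples files from a share and measures how close their contents are to random can flag an encryption event in progress. The following is an added example written for this article, not code from Synnovis, the NHS or any of the quoted experts; the entropy threshold, the list of file headers and the sample files are all constructed assumptions for illustration.

```python
"""Entropy-based spotting of files that look like they have been encrypted.

Added example, not part of the article or of any vendor's product. It assumes
a monitoring job that periodically samples files from a share and flags the
ones whose contents have turned from structured data into near-random bytes,
which is what ransomware encryption leaves behind. Thresholds, the header
table and the sample data are constructed for illustration.
"""
import math
import os
from collections import Counter

# Assumption: ordinary documents sit well below 7.5 bits of entropy per byte,
# while ciphertext from a modern cipher sits very close to the maximum of 8.0.
ENTROPY_THRESHOLD = 7.5
# Very small files give noisy entropy estimates, so they are not judged.
MIN_SIZE = 64

# Leading bytes ("magic numbers") of formats a lab or office share would hold.
# Compressed formats are legitimately high-entropy, so a recognised header
# keeps them from being flagged.
KNOWN_MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued data, at most 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def detect_magic(data: bytes):
    """Return the format name if the data starts with a known header, else None."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def looks_encrypted(data: bytes) -> bool:
    """Heuristic: no recognised header and a near-uniform byte distribution."""
    if len(data) < MIN_SIZE:
        return False
    return detect_magic(data) is None and shannon_entropy(data) >= ENTROPY_THRESHOLD


def scan(samples: dict) -> list:
    """Return the names of samples flagged as probably encrypted, sorted."""
    return sorted(name for name, data in samples.items() if looks_encrypted(data))


def constructed_samples() -> dict:
    """Constructed stand-ins for files on a lab share (not real data)."""
    report = ("Patient ID: 0001\nFull blood count\nHaemoglobin 13.5 g/dL\n" * 20).encode()
    pdf = b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >>\n" * 10
    # os.urandom stands in for ciphertext here: the output of a sound cipher is
    # indistinguishable from random bytes, which is exactly what the heuristic keys on.
    scrambled = os.urandom(4096)
    # A zip archive: random payload but a known header, so it is not flagged.
    zipped = b"PK\x03\x04" + os.urandom(2048)
    return {
        "bloods_0001.txt": report,
        "request.pdf": pdf,
        "bloods_0001.txt.locked": scrambled,
        "archive.zip": zipped,
    }


if __name__ == "__main__":
    for name in scan(constructed_samples()):
        print("possible encryption:", name)
```

In practice the signal to alert on is the rate of change, many files on a share crossing the threshold within minutes, rather than any single file, and the check is cheap enough to run over a random sample of files every few minutes; the recognised-header table keeps archives and images from producing false positives.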

To bring the services back online, Synnovis must either pay the ransom or restore its data from a previous backup.

The NHS and the National Cyber Security Centre do not pay ransoms as a matter of policy and even if they did, there would be no guarantee that the data would be recovered.

Mr Bore says: “There are no guarantees. We are dealing with a criminal organisation that has proven that it enjoys breaking the law.”

In some cases, the cybercriminals behind the attack simply refuse to decrypt the data or use a technique called “double extortion.”

Criminals may not only encrypt the data, but also steal a copy and threaten to publish it online if the victim does not pay.

This means that Synnovis will likely need to restore its databases from a previous backup – a time-consuming and difficult process that can take days to weeks.
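Restoring from a backup only works if the backup itself was not reached by the attackers, who commonly encrypt or delete backup copies before triggering the ransomware. One routine check is to compare every file in the backup set against a digest manifest recorded when the backup was taken and kept offline. The following is an added example written for this article, not code from Synnovis or the NHS; the manifest format, the file names and the file contents are constructed assumptions.

```python
"""Verifying a backup set against a hash manifest before restoring from it.

Added example; not code from the article or from any organisation it names.
It assumes the backup job wrote a manifest of SHA-256 digests when the backup
was taken and that the manifest was stored offline, separately from the
backup (an attacker who can overwrite the backup could otherwise rewrite the
manifest too). All file contents below are constructed in memory.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Map each backed-up path to the SHA-256 digest of its contents at backup time."""
    return {path: sha256_hex(data) for path, data in files.items()}


def verify_backup(files: dict, manifest: dict) -> dict:
    """Classify each manifest entry as ok, modified or missing.

    Files present in the backup but absent from the manifest are reported as
    untracked; a ransomware run typically leaves renamed ciphertext copies there.
    """
    report = {"ok": [], "modified": [], "missing": [], "untracked": []}
    for path, digest in manifest.items():
        if path not in files:
            report["missing"].append(path)
        elif sha256_hex(files[path]) != digest:
            report["modified"].append(path)
        else:
            report["ok"].append(path)
    report["untracked"] = list(set(files) - set(manifest))
    for key in report:
        report[key].sort()
    return report


def safe_to_restore(report: dict) -> bool:
    """Only restore when every tracked file is intact and present."""
    return not report["modified"] and not report["missing"]


def constructed_scenario():
    """Constructed backup contents: an intact set and a copy touched by an attacker."""
    original = {
        "db/pathology.sqlite": b"SQLite format 3\x00" + b"\x00" * 100,
        "db/schema.sql": b"CREATE TABLE results (id INTEGER, value TEXT);",
    }
    manifest = build_manifest(original)
    tampered = dict(original)
    # Stand-in for a backup file overwritten with ciphertext, plus a renamed copy.
    tampered["db/pathology.sqlite"] = bytes(range(0x8f, 0x8f + 32))
    tampered["db/pathology.sqlite.locked"] = bytes(range(0x10, 0x10 + 32))
    return manifest, original, tampered


if __name__ == "__main__":
    manifest, original, tampered = constructed_scenario()
    for label, files in (("intact", original), ("tampered", tampered)):
        report = verify_backup(files, manifest)
        print(label, "safe to restore:", safe_to_restore(report), report)
```

A check like this is a precondition for the restore, not a replacement for keeping backups offline or immutable: it tells the responders which copy is trustworthy before they spend days rebuilding from it.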

Experts told MailOnline that such attacks are usually not targeted and that the Synnovis attack was more likely a crime of opportunity.

Although the initial compromise may have been a matter of bad luck, the importance of Synnovis may have prompted the criminals to pursue their attack all the more eagerly.

Mr Bore says: “It is remarkable that just a few months ago the companies concerned were happily announcing that they had succeeded in centralising the pathology services of several hospitals.”

It is not clear whether Synnovis was targeted. NHS lab work is a critical service vulnerable to extortion, but the majority of ransomware attacks are opportunistic (file photo)

This may have made Synnovis a tempting target for criminals hoping that greater potential disruption could result in a higher ransom demand.

Ciaran Martin, former chief executive of the National Cyber Security Centre, has suggested that the group behind the attack could be a threat actor called Conti.

Although the evidence is not yet fully clear, it is believed that Conti may be behind the Black Basta ransomware group, whose malware was used in this and many other attacks.

Joanne Coy, senior cyber threat analyst at Bridewell, told MailOnline: “Black Basta has always targeted the healthcare sector – in fact, they have increased their attacks on this sector in 2024.”

Ms Coy added: “The group behind the Synnovis attack is known for using highly targeted phishing emails to gain initial access, so it is possible that Synnovis was compromised in this way.”