Inside the ‘sophisticated’ Russian hacking group that shut down NHS operations

[Image: Hospital signs/Hacker stock image] A range of hospitals across London were targeted by the attacks (PA/Google/Royal Brompton Hospital)

By Charlie Peters


Published: 05/06/2024 - 10:16

Updated: 05/06/2024 - 11:08

The attack had left doctors describing the situation as “awful” - and things could get worse if the suspected perpetrators shift their focus to other UK targets

The Russian hacking group suspected to be behind this week’s cyber attack on the NHS that caused chaos in London hospitals is shifting operations to British targets, a leading cyber security analyst has told GB News.

There is a realistic possibility that the Qilin group that launched a ransomware attack on an NHS partner company is giving a cut of their profits to Russian entities to maintain their ability to launch attacks, said Kailyn Johnson from security firm Sibylline.


Her warning comes after Ciaran Martin, the former chief executive of the National Cyber Security Centre, said that Qilin was likely the source of the attack that crippled NHS operations in several major London hospitals yesterday.

Access to pathology IT systems was blocked after files were encrypted at Synnovis, a third-party organisation that works with the NHS, blocking blood transfusions.


One doctor at King’s College London hospital in South London said the situation was “awful” and that several planned surgeries were suddenly cancelled, with no clear sight of when they might restart.

Qilin has been an active ransomware group since at least mid-2022, having targeted large enterprises and high-value targets, primarily focusing on the healthcare and education sectors.

Past victims of Qilin ransomware attacks include Serbia's sole electricity provider, the Chinese automotive parts giant Yanfeng, and court services in Australia.

In March, the group targeted The Big Issue magazine in Britain, understood to be its first and only UK target before the NHS hack.

[Image: Kremlin/cyberattack stock image] The hackers could realistically be giving a cut of their profits to Russian entities, Johnson warned (Reuters/PA)

Ms Johnson, Sibylline’s Cyber Intelligence and Geopolitical Risk Lead, said that this was an indication that the group is “maintaining active operations and elevating disruption risks” in Britain.

“The group has not previously targeted the UK healthcare system, indicating an expansion of targets to European targets on top of their typical targets in Africa and Asia.”

She added: “While the group is of Russian-origin, it is unclear whether the group is aligned to the Russian government.

“It is unlikely that the group operates under direct order of the Russian government; however, there is a realistic possibility that Qilin may give a cut of their profits to Russian entities to maintain their operations amid Internet censorship and access rules in the country.”

The Qilin group has sophisticated tactics for its ransomware operations.

“They have developed a Linux-based variant of their ransomware to target VMware ESXi servers, which often operate critical virtualisation platforms within organisations, resulting in more impactful and disruptive attacks,” said Ms Johnson.

She added: “Qilin also develops their malware in Rust and Go coding languages, which are more difficult for security detection tools to detect.

“As the group continues to actively target major organisations and their supply chain, there remains elevated security, operational and reputational risks to firms.”
