A Russian group of cybercriminals was behind the attack on pathology services affecting several major London hospitals, a cybersecurity expert has said.
Ciaran Martin, former chief executive of the National Cyber Security Centre, said that a criminal group named Qilin was likely behind the attack that devastated NHS services on Tuesday.
Memos to NHS staff at King's College Hospital, Guy's and St Thomas' (including the Royal Brompton and the Evelina London Children's Hospital) and primary care services in the capital say pathology partner Synnovis was hit by a "major IT incident".
Some procedures and operations have been cancelled or have been redirected to other NHS providers as hospital bosses continue to establish what work can be carried out safely.
Mr Martin told BBC Radio 4's Today programme: "These criminal groups, there are quite a few of them, they operate freely from within Russia, they give themselves high-profile names, they've got websites on the so-called dark web and this particular group has about a two-year history of attacking various organisations across the world.
“They've done automotive companies, they've attacked the Big Issue here in the UK, they've attacked Australian courts. They're simply looking for money.”
He said it is “unlikely” the Russian hackers would have known they would cause such serious primary healthcare disruption when they planned the attack.
Here’s what we know.
Who are Qilin?
Qilin, also known as Agenda, is a Russian-speaking ransomware gang that lets other hackers use its tools in exchange for a cut of the proceeds.
Although the location of the group is unknown, if it is based in Russia as first thought, it will be difficult for British law enforcement to directly target it.
Qilin has been active since October 2022, when it launched its first wave of attacks on firms including the French company Robert Bernard and Australian IT consultancy Dialog. It operates a “ransomware as a service” approach, letting independent hackers use its tools and infrastructure in exchange for a 15 per cent to 20 per cent cut of the proceeds.
What is ransomware?
Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid.
It is a form of cryptovirological malware: it encrypts the victim's data so that access to it is blocked until a ransom is paid.
Has the gang struck before?
The group was said to be behind a previous attack on the publisher of the Big Issue in March this year, when it crippled the publisher's systems before stealing and publishing confidential data. In that attack, more than 500GB of information, including passport scans of employees and payroll information, was taken from the publisher and was posted on the dark web after it refused to pay the ransom.
The group has steadily increased its activity over the past year, claiming responsibility for more than 50 hacks in the past four months.
Cybersecurity experts at Secureworks said the group seems to carry out "opportunistic" attacks.
A spokesman said: “Good security hygiene is the best defence against Qilin and other similar groups. In total, there have been 112 organisations posted to their site, and although information technology companies lead the way in terms of impacted industries, they have attacked organisations across a wide range of sectors.”
It has been reported that in 2023 Qilin's typical ransom demand ranged from $50,000 (£39,000) to $800,000 (£626,000), according to Group-IB, a cybersecurity firm that infiltrated the group. It generally gains its initial foothold in victims' networks through spear phishing: targeted messages to insiders that aim to convince them to share credentials or install malware.