The Guardian - UK
Alex Hern Global technology editor

Who are Qilin, the cybercriminals thought behind the London hospitals hack?

The recent cyber-attacks in London brought tests and operations at two hospital trusts to a halt. Photograph: Andy Rain/EPA

A Russian-speaking ransomware criminal gang called Qilin is thought to be behind the cyber-attack on NHS medical services provider Synnovis, which brought tests and operations at hospital trusts to a halt and affected GPs across London.

Although the location of the group is unknown, if it is based in Russia, it will be difficult for British law enforcement to directly target it. The Russian state has long had a ban on extraditing criminals overseas, and since it launched a full-scale invasion of Ukraine, it has largely ended all cooperation on cybersecurity matters so long as the hackers focus their attacks on foreign targets.

Qilin has been active since October 2022, when it launched its first wave of attacks on companies including the French company Robert Bernard and Australian IT consultancy Dialog. It operates a “ransomware as a service” approach, letting independent hackers use its tools and infrastructure in exchange for a 15 to 20% cut of the proceeds.

The group was behind a previous attack on the publisher of the Big Issue in March this year, when it trashed the group’s systems before stealing and publishing confidential data. More than 500GB of information taken from the publisher was posted on the dark web after it refused to pay the ransom, including passport scans of employees and payroll information.

The group has steadily increased its activity over the past year, claiming responsibility for more than 50 hacks in the past four months. According to cybersecurity experts Secureworks, “its attacks tend to be opportunistic rather than targeted and so good security hygiene is the best defence against Qilin and other similar groups”.

“In total, there have been 112 organisations posted to their site, and although information technology companies lead the way in terms of impacted industries, they have attacked organisations across a wide range of sectors,” a Secureworks spokesperson added.

In 2023, Qilin’s typical ransom demand was anything from $50,000 to $800,000, according to Group-IB, a cybersecurity firm which infiltrated the group that year. It generally gains its initial foothold in its victims’ networks through spear phishing, targeted messages to insiders to convince them to share credentials or install malware.
