
all the eggs in one very torn basket
Would seem particularly silly to rely on one single provider who had already been targeted and succumbed to ransomware at least once already.
Hospitals in London are struggling to deliver pathology services after a ransomware attack at a service partner downed some key systems. NHS England's London region confirmed in a statement to The Register that a provider of pathology lab services, Synnovis, was the target. A spokesperson for the region said: "This is having …
It's been a while, but the Equifax hack has a few lessons:
(1) The hack was eventually revealed in July 2017
(2) ....but the hackers had been exfiltrating data for months
(3) ....but the duration of the exfiltration was actually unknown
(4) ....and the scope of the data stolen was never fully defined
This report in El Reg is pretty clear about item #1 at Synnovis............
......and pretty unclear about items #2, #3 and #4.
I think we should be told!
That would help, but sadly I don't think these attacks would stop even if nobody paid. A lot of these gangs seem to be part of a hybrid warfare strategy from the "crinks" (China, Russia, Iran and North Korea).
These mafia states redirect domestic organised crime to their war efforts, allowing them to make money through both ransomware and scams provided they only hit Western targets. Even if nobody pays a ransom, they will sell the data to other gangs who will use it for industrial scale automated scamming and other secondary attacks.
A big part of the problem is reliance on 3rd party cloud IT contractors in the first place. But fixing that would require a decade of public sector investment in training and retaining in-house IT professionals, which successive governments have cut to the bone.
cyberdemon,
I can't speak for the state of hacking in China - but in Russia it's an absolute jungle out there. The security services definitely do use criminal gangs to target foreign states - and use them in hybrid war. But it's not in exchange for protecting the home market from their attacks. I rather suspect that they are given a choice of going to prison for their crimes in Russia or being set on certain targets - and probably end up paying a cut of their profits to FSB officers in exchange for not going to prison.
If you look at the Bellingcat (or other) investigations of Russian FSB and GRU agents, it's truly amazing how much data is out there. They were able to get hold of large portions of the Russian passport, voting and car registration databases - plus phone and credit card transactions. It was one of the ways they were able to track down the two GRU officers who carried out the Salisbury Novichok attack. They had sequential passport numbers and they were then able to cross-reference their (and some of the passport holders in the same number sequence) phone and credit card details to, for example, find a GRU office in Moscow where various of these people had all had pizzas delivered to. There's a whole network of security journalists and researchers mining this data for interesting stuff - and I'm sure Western intelligence agencies are also having a go. While there's lots of this kind of data about the UK / US / European population online, it doesn't seem to be quite as extensive yet - though I'm sure intelligence services with access to hackers will be trying to hoover up lots of lovely data while they're about it.
"A big part of the problem is reliance on 3rd party cloud IT contractors in the first place. But fixing that would require a decade of public sector investment in training and retaining in-house IT professionals, which successive governments have cut to the bone."
Before that, it requires government to rethink what activities and services it should provide for itself, and what are better provided by commercial providers. At the moment the default position in the UK is that the public sector should outsource anything that it can, and that won't be changing regardless of the current general election.
Some activity isn't all of it. It's very likely involving a lot of phoning round for capacity and a lot of couriers taking samples around. It's going to involve time spent doing that which would normally have been better used elsewhere. If you're in London why not give one of the hospitals a call to see if they're looking for volunteers to help out with that. At the same time you can do a real feasibility study.
Thanks for the offer, but I'm currently staying at home to attend to my wife who's just had surgery, and I'm glad it's not her hospital that's been attacked by these scumbags.
Now I know it's never an easy task to change suppliers, but if you're tied to one supplier for a critical activity, then you already have a problem. If this supplier is a security liability, you have an even bigger one.
It is easy to say "Lessons would have been learned", however that actually assumes you can do something about the underlying cause, ingress point or vulnerability.
If the attack is exactly the same as an earlier one that is unforgivable.
They can cut ties with the provider but cannot do that overnight. They are stuck at the moment where the priority is to get things working again. Dumping the current provider now is unlikely to expedite that and they will have all sorts of contractual and insurance issues.
If your services touch the public internet they are vulnerable. So you should have a back-up plan that offers a rapid and smooth fallback to a resilient analogue/manual service for when it happens. As essential as a fire drill. No audit sign off and no bonuses until you can operate without vulnerable software. Given that this is going to last some time (and even longer if the NCSC are involved), the fallback for hospitals should cover all services on site. Time to rediscover paper forms and have them ready. Digital is a luxury, not a default.
This is a path lab service. It's not clear whether they're being run on the hospitals' sites or whether they have a centralised lab. In the latter case having a set of fully equipped labs on site really would be a luxury. In either case falling back to services on site is meaningless - either they are on site or there's nothing to fall back to.
A lot of the instruments will be controlled by PCs. "Digital" isn't a luxury, it's how it works.
I'm old enough to remember when scientific instruments used either for research or process control (XRD, XRF, particle size, CNC, etc.) were controlled by PC but NOT connected to the LAN, WAN, Cloud... because it simply didn't exist yet. Almost all services are now beholden to the enshittification of the IT world because profit driven companies decided the OS needed to phone home for a license key, patches, additional storage, or even the actual processing... whatever, to maintain and control revenues.
Connectivity, the internet is not what it once was (or thought it could be). Switch it all off, define the actual business requirement and start again. Paper and people to shuffle it are cheap and plentiful.
My mother (85 last week) was once one of a few people (5) that could manage the staff payroll of a four figure govt. dept. without waiting for the cloud or being held hostage by an external actor. Some of these “IT services” are not better, they’re just “data driven” honey pots for profiteering (by large software co., ext. consultants, criminal orgs, state actors).
"Paper and people to shuffle it are cheap and plentiful."
We live in different worlds. In mine, paper is cheap, and everything else is expensive. People to move forms manually when a computer can move thousands per second are a lot more expensive than that computer. Finding the people who want to do that work is not easy either. Dealing with errors caused by, for instance, someone misreading handwriting is not fast. Space to store all that paper is not free.
Atomic Duetto,
You can't not have lab equipment connected to the internet when it has to pass on its testing results via the internet to the hospital departments that need the information.
Obviously you could have dedicated networks or use something like fax transmissions for some of this - but then that would mean having specialist kit to do the job, and would create other problems of keeping it working.
Each hospital doctor is probably ordering tens to hundreds of lab tests per day (depending on their speciality) - and that data has got to be moved around.
Yes.
My comment was simply that ubiquitous 24/7 connectivity to everything (prod/dev/data) is the issue.
Where needed (is it needed), is it secure?
I appear to have introduced my own simpleton straw/paper man by mentioning historical business practices.
I was not passing comment on the lab services required by the NHS.
FFS
"What is your official position if critical infrastructure such as the power grid or utilities is attacked by cyber terrorists?"
Personally I'd be finding out who attacked and readying a retaliatory strike if they don't hand over the key(s) but that's just me.
Some call me an extremist for daring to even suggest such a thing but when lives are at risk you don't simply stand by and do nothing.
The UK absolutely needs an offensive cyber-warfare division of the Army (call it Net Force or something) which can use any assets at its disposal to achieve the aim of keeping the UK safe on the Internet.
And the answer they'd both give in private would be along the lines of "We know what needs doing but it will cost a lot of money to fix and if we tell the voters we're going to put taxes up they won't vote for us. Easier to just let it happen and blame Russia, China, etc."
We get what we pay for.
"The UK absolutely needs an offensive cyber-warfare division"
The UK (and other countries) needs a defensive cyber division which has audit privileges over every public sector + public company for their cyber security and offer recommendations ranging from compulsory - with penalties if not implemented later on - to optional.
Aye right, and the Government then sells the data this organization holds to the likes of their favourite lobbying org and we are back to square one.
These problems exist because there is a politician making a buck out of the situation. Red Tory or Blue Tory, it's just going to be different hands in the till.
You might get them to say that, but they're not going to do it.
Prime Minister: Who attacked our power grid with ransomware?
Security consultant: We're pretty sure it's a ransomware group called TheoreticalName.
PM: And who runs that?
SC: We don't know yet.
PM: How can we find out?
SC: They attacked a Brazilian water company, an American school, and a factory in France recently. Does that suggest anything?
SC: Well, you can usually assume that there are at least some people in Russia for any of these big things. We do know that Russia is blocked in the software as a victim country.
PM: So bomb Russia then?
You can suggest anything you want, and if you ask enough times they'll realize that you want a military response and they'll promise you one, but they will have reasons not to do it when it happens. Those reasons are logical. There's a reason why we don't solve every diplomatic incident with bombs.
And their response would be;
"We take cybersecurity very seriously and will be investing heavily in ensuring our IT arrangements are as safe as they possibly can be."
They would then go back to their offices and try and figure out why the budgets are so broken that front line hospital staff are being made redundant and services are being cut in order to “save money”
offensive cyber force..
We have one... its new building is under construction within the BAE perimeter at Samlesbury near Preston. It is expected to employ 8500 people from across military and govt agencies.
This public information doesn’t mean to say that the people already exist, are doing the job but working somewhere else right now.
"offensive cyber force..We have one… its new building is under construction within the BAE perimeter at Samlesbury near Preston. it is expected to employ 8500 people from across military and govt agencies."
Right, so they're going to recruit top IT talent from Blackburn, Preston and Blackpool? This is going to be as effective and useful as our Border Force (or the other dullard's "Border Security Command").
@AC
Maybe people could move there from elsewhere? (makes a change from people having to move to London)
Locals with aptitude could be trained (skills need to be learned, e.g. I have worked in IT for a long time but that does not mean I will have automagically absorbed cyber offense skills)
A lot cheaper area to live than London (property prices such that younger people might actually be able to afford a mortgage!)
The economy of this country is horrendously skewed by London, and it creates a vicious circle as companies move to London / surrounds as they know "talent" is there, which tends to give a bit of a "brain drain" elsewhere in UK as some "talent" inevitably moves to London as not many jobs in their local area.
So govt / big companies employing significant numbers of people in areas outside of London is a good thing for UK as a whole as less centralization of "talent"
... Lives in forlorn hope of much of the rest of the country getting anything like the (relatively) cheap & frequent public transport of London, or the stunning amount (& quality) of museums, galleries, theatres etc. which are obviously another attractive feature of London.
Given the ongoing malware infestation, it is patently obvious these "cyber" systems are not fit for purpose.
“Catholic faith-driven Ascension healthcare group”
What, do the doctors prescribe two "Hail Marys" and an "Our Father" with the medication? /s
I can understand how most ransomware spreaders can find excuses for what they do. Even though it's all crap, you can convince yourself that life gave you no legal opportunities, or you are just too special for a 'normal' job. Maybe your ransomware is a weapon against another country that has wronged your country and you've successfully dehumanised all of the citizens of that country. You are only taking money from evil companies that basically stole it in the first place. However they have managed to make themselves the hero in their mind, or decided that they had no choice, attacking critical medical facilities must be very tricky to excuse when you are unable to sleep at 3am. Ransomware gangs aren't just one psychopath, it's a group of people who must talk to each other and choose targets. I'm hoping that their bad consciences take all the pleasure out of their lives.
You're rashly assuming that criminals think of anything other than themselves. They may well not even have bothered targeting as "hit and hope" is a viable strategy for ransomware given how dim most people are when it comes to clicking on random links in emails etc. If criminals are anything they're Social Darwinists but mostly they're just lazy, greedy and stupid (hence why they're caught as PC Plod tends not to be too assiduous or bright themselves).
> .. I'm hoping that their bad consciences take all the pleasure out of their lives.
If they grew up outside the Judaeo-Christian cultural heritage then the concept of a personal conscience would be alien to them.
That's a bit rich, there are arseholes everywhere including Jews and Christians.
Close to half of all office workers are themselves frauds, they do little if anything but bullshit. You might know some of them as managers. We all know examples of people who could be gone for a month and nobody would notice and yet they still take their pay home.
The problem is that health service providers are under great pressure to deliver services online, partly in the name of efficient use of staff. Some of the London hospitals provide appointment bookings and access to test results and consultation notes over the Internet. They're also under great pressure to exchange information with each other electronically so that the era of letters passing from one clinician to another via the postal service - and getting lost - and paper notes being distributed between them and available in complete detail nowhere can be brought to an end.
Given the number of independent organisations involved, any private network you devised for that purpose would be just about as vulnerable as the Internet. As soon as you link a bunch of vulnerable systems together you amplify the risk of exploitation and you only need access to one of them to begin an attack.
Despite the evidence we have gathered over a couple of decades at least on the vulnerability of traditional computer systems we've done almost nothing serious to rethink them. We cannot depend on IT that requires expensive frequent replacement and constant human vigilance simply to operate as intended. It's time to threaten the suppliers with substantial penalties and to stop blaming the hapless users.
abend: The problem is that health service providers are under great pressure to deliver services online, partly in the name of efficient use of staff
cow: This is a bullshit claim.
Staff can talk to the customers on a separate computer, they don't need to use their "intranet" computer to talk to external customers.
abend: They're also under great pressure to exchange information with each other electronically so that the era of letters passing from one clinician to another via the postal service - and getting lost - and paper notes being distributed between them and available in complete detail nowhere can be brought to an end.
cow:
Wow this is why these bad things happen...
Idiots like yourself don't have the imagination to see that you can still have computerised healthcare on an intranet without connecting THOSE computers to the internet.
Simple answer: two computers. There, problem solved.
In answer to your next dumb response that this costs money, yes it does, but it costs far less than damage like this new problem where vandals attack hospital systems because of internet connectivity.
> > Idiots like yourself don't have the imagination to see that you can still have computerised healthcare on an intranet without connecting THOSE computers to the internet.
> Given the number of independent organisations involved, any private network you devised for that purpose would be just about as vulnerable as the Internet.
Two replies in a row and you didn't read what you're responding to before sending either of them? Although I'd lose the "about as vulnerable as" bit.
> Simple answer: two computers. There, problem solved.
Simple questions: Who makes the second computer? Who installs it? Who uses it? What does it communicate and with whom? How? Who out of the small number of mostly clinical staff does a local healthcare provider designate to maintain this pile of electronic crap?
Two computers? You now have an order of magnitude more than two problems.
Chohang: Simple questions: Who makes the second computer? Who installs it? Who uses it? What does it communicate and with whom? How? Who out of the small number of mostly clinical staff does a local healthcare provider designate to maintain this pile of electronic crap?
cow: WOW
The second computer or an iPad would be part of the solution suggested, provided and supported by the original consultant. It would be locked down to one of the popular video chats, the doctor would use their other computer to view personal records and all that.
Yet the general public are screaming for everything to be online, they cannot do anything if it is not online, on an app and uses Social Media as the contact tool of choice.
Most will read this and think "incompetent overpaid hospital consultants and it is all the government's fault". The exception will be those who are directly impacted, who will have a similar view whilst ranting on Social Media that their appointment was cancelled and it is all the fault of the NHS.
Another stupid comment. They can't grasp the concept that you can have both, ...
No wonder those consultants are idiots, just look at the responses to my original post, none of them shows the slightest amount of intelligence, like using different computers for public Zoom chats and the intranet computer system w/ actual customer data.
@hoola
I would argue that "the general public are screaming for everything to be online" is not wholly correct.
Lots of companies / govt agencies essentially forcing activities to be online.
Partners mother is a pensioner, not online & does not want to be, so we have to deal with many facets of her life that she is unable to do as they are online only (e.g. the bank she is with has closed many branches so no nearby branch, dealing with utilities companies etc. is pretty much impossible without doing it online (she tried the joys of massive phone line queues* and just when getting near the head of the queue, the call getting disconnected) - she would love to be able to do things "offline" ).
She is lucky we can do "online" stuff for her, many people without internet and lacking family / friends to deal with that aspect of life for them have a very difficult time, playing the roulette of phone queues or just having to do most things via letter.
* IMHO deliberately understaffed to make the phone queue experience a nightmare, effectively forcing people online. The phone line queues that depress me most are where they are so big they do not even give a "you are position 'n' in the queue" as 'n' would just be absolutely massive.
The NHS is busily training people to click on links in text messages and emails and seems to be doing a fair bit of that itself.
Personally I report texts purporting to come from the NHS wanting me to click on a link as spam. But I'm pretty sure it's the idiot surgery sending some really quite odd links, well away from nhs.uk.
"We take cybersecurity very seriously at Synnovis and have invested heavily in ensuring our IT arrangements are as safe as they possibly can be." they say. I call BS - they are definitely NOT as safe as they possibly can be otherwise the attack wouldn't have succeeded (+ their total IT security budget will be way less than their CEO's bonus).
Indeed. If you run a bank you don't keep the keys to the vaults in a cupboard on the wall and send memos to the staff reminding them to be careful. The keys are securely stored, with precise rules about who can access them, and a process in place to enforce those rules. Anyone breaking the rules gets fired.
Until IT companies realise that data is as valuable, and needs the same protection, these stories will continue. There's nothing new or unusual about doing this, the security services have such processes and the IT equipment to implement them is already widely available.
Good analogy. Especially because vaults still get robbed.
Whatever you do and whatever you spend, there will be a sufficiently skilled, well resourced and determined adversary who could defeat you (if you have something that's worth nicking). There is always some limit to the countermeasures you can afford to put in place, so you must always make your plans on the basis of when, not if, you will be compromised. Excellent preparation for a breach is the sign of a well managed business.
Also, not all data has equal value. As such, different databases should be secured to different levels.
This. Exactly this.
They're private, they're turning a profit. You do that by putting the prices up or cutting costs. And so more often than not IT and security are seen as a cost that isn't needed.
And none of them, Tories, Labour, or the Milkshake are going to change this.
Democracy in action, my fragrant hole it is.
This has nothing to do with lowest price winners and everything to do with those winners not being responsible for their recommendations. Responsible here means they recommended a solution and they need to suffer the monetary consequences when their recommendation fails like it has here.
And the people who allow it to happen because they are clueless management who hire and accept advice from the wrong people should also go to jail for exactly the same reason.
The real cause of the problem is the frauds who call themselves management; make them liable and considerable amounts of money would be saved and the public wouldn't be put at risk because of their poor choices.