The hackers used “legitimate” credentials to breach the vendor’s network
Advanced, an IT service provider for the U.K.’s National Health Service (NHS), has confirmed that attackers stole data from its systems during an August ransomware attack, but refuses to say if patient data was compromised.
Advanced first confirmed the ransomware incident on August 4 following widespread disruption to NHS services across the U.K. The attack downed a number of the organization’s services, including its Adastra patient management system, which helps non-emergency call handlers dispatch ambulances and helps doctors access patient records, and Carenotes, which is used by mental health trusts for patient information.
In an update dated October 12 and shared with TechCrunch on Thursday, Advanced said the malware used in the attack was LockBit 3.0, according to the company’s incident responders, named as Mandiant and Microsoft. LockBit 3.0 is a ransomware-as-a-service (RaaS) operation that hit Foxconn earlier this year.
In its updated incident report, Advanced said that the attackers initially accessed its network on August 2 using “legitimate” third-party credentials to establish a remote desktop session to the company’s Staffplan Citrix server, used for powering its caregiver’s scheduling and rostering system. The report implies that there was no multi-factor authentication in place that would block the use of stolen passwords.
“The attacker moved laterally in Advanced’s Health and Care environment and escalated privileges, enabling them to conduct reconnaissance, and deploy encryption malware,” Advanced said in the update.
Advanced said some data pertaining to 16 Staffplan and Caresys customers (referring to NHS trusts) was “copied and exfiltrated,” a technique known as double-extortion, where cybercriminals exfiltrate a company’s data before encrypting the victim’s systems.
In the update, Advanced said there is “no evidence” to suggest that the data in question exists elsewhere outside our control and “the likelihood of harm to individuals is low.” When reached by TechCrunch, Advanced chief operating officer Simon Short declined to say if patient data is affected, or whether Advanced has the technical means, such as logs, to detect if data was exfiltrated.
Lockbit 3.0’s dark web leak site did not list Advanced or NHS data at the time of writing. Short also declined to say if Advanced paid a ransom.
“We are, however, monitoring the dark web as a belt and braces measure and will let you know immediately in the unlikely event that this position changes,” Advanced said in the update.
Advanced said its security team disconnected the entire Health and Care environment to contain the threat and limit encryption, which downed a number of services across the NHS. The extended outage left some trusts unable to access clinical notes and others were forced to rely on pen and paper, BBC News reported in August.
Advanced said its recovery from the incident is likely to be slow, citing an assurance process set by the NHS, NHS Digital, and the U.K. National Cyber Security Center.
“This is time consuming and resource intensive and it continues to contribute to our recovery timeline,” Advanced said. “We are working diligently and bringing all resources to bear, including outside recovery specialists, to help us restore services to our customers as quickly as possible.”
The healthcare industry remains a top priority for ransomware actors. Earlier this month, U.S. hospital giant CommonSpirit was hit by a cybersecurity incident that is disrupting medical services across the country — which it later confirmed was a ransomware attack.
Suggest an edit to this article
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.
