News: 1718879346

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Qilin: We knew our Synnovis attack would cause a healthcare crisis at London hospitals

(2024/06/20)


Interview The ransomware gang responsible for the current healthcare crisis at London hospitals says it has no regrets about the attack, which was entirely deliberate, it told The Register in an interview.

London hospitals left in critical condition after ransomware attack [1]READ MORE

Qilin says Synnovis, a partnership between pathology services company SYNLAB and two London NHS Trusts, wasn't targeted by accident. Asked if it knew a healthcare crisis in the capital city would ensue, should they be successful, a spokesperson for the group said: "Yes, we knew that. That was our goal."

They went on to say the attack was politically motivated: "All our attacks are not accidental. We choose only those companies whose management is directly or indirectly affiliated with the political elites of a particular country. The politicians of these countries do not keep their word, they promise a lot, but are in no hurry to fulfill their promises."

Without naming any countries or events specifically, and in vaguely incoherent English, they alluded to politicians withholding "high-quality" medicines from other countries while keeping "a peaceful sky" above their own heads.

Experts have also questioned the political explanation, given the gang has been more opportunistic rather than idealistic in its targets.

[2]

For example, SOCRadar [3]said last week how Qilin is known for targeting the healthcare and education sectors not because of politics but because of the reliance they have on uptime and the sensitivity of the data they hold.

[4]

[5]

Louise Ferrett, senior threat intelligence analyst at Searchlight Cyber, questioned the alleged idealogy of the attack, suggesting it could have been fabricated given the media attention surrounding [6]the incident .

"Qilin was considered a financially-motivated threat actor so political targeting doesn't align with their usual modus operandi," she said. "It is possible that, in this case, the gang decided to mix financial gain with proving a political point.

[7]

"However, it is also possible that this wasn't deliberate targeting but - as the attack became big news due to its impact on hospitals - Qilin took the opportunity to bolster their reputation and play the role of the noble hacktivists."

Despite the deliberate intent of the attack, Qilin somewhat backhandedly said it was sympathetic to the people of London who are now suffering as a result.

"We sincerely sympathize with ordinary residents of London and other British cities who have become hostages of this situation," the spokesperson told The Register . "But we will never regret what we do, because this is a struggle.

[8]

"We hope that no one was hurt and we urge ordinary people to think about the true problems that led to this situation."

But, of course, people are hurting in London right now. More than 1,500 operations and appointments have already been canceled, [9]per the NHS' update on June 14 – a figure that's almost certainly rising by the day.

Stories are already being told of elderly Londoners having crucial procedures canceled and subsequently seeing [10]their condition become terminal if they are not swiftly rearranged.

$50 million ransom

The main question surrounding any attack carried out by a ransomware gang is the sum of money they demand in exchange for data not being published.

Qilin told us the [11]ransom demand was set at $50 million, but the gang itself ultimately "stopped all conversations and cut off contact" after Synnovis allegedly stalled for too long.

"The company had enough time to make the right decision," the spokesperson said.

Asked about the claims made by the criminals, Synnovis refused to comment on specifics, only saying "our investigation is ongoing".

"Synnovis is aware of reports that an unauthorized third party has claimed responsibility for this recent cyberattack. Our investigation into the incident remains ongoing, including assessing the validity of the third party's claims and the nature and scope of the data that may be impacted.

"We have notified relevant authorities, including The Information Commissioner's Office (ICO), and continue to work with the NCSC and third-party specialists who are assisting with our investigation. Once further information is known we will report in line with ICO requirements and prioritize the notification of any impacted individuals or partners as required."

Qilin said it believed $50 million was a "fair price" considering its claim to have stolen more than one terabyte of data, which it told us is all due to be leaked "in the coming days."

Since our interview with Qilin was held, Synnovis has appeared on the gang's leak blog in a post that states all the company's data will be leaked today on June 20.

Zero-day claim

Asked about how Qilin gained an initial foothold in Synnovis' systems, Qilin wouldn't reveal much in the way of details.

"We cannot answer this question, especially for free."

Ransomware gangs often market themselves as penetration testing specialists that offer an expert service out of the goodness of their hearts, rather than admitting they're criminals.

This could explain the lack of answer, or simply the fact that revealing its tradecraft may impede future cyber assaults.

However, Qilin did claim it used a [12]zero-day vulnerability , yet didn't specify in what product that vulnerability was found or how they acquired it.

Again, we asked both Synnovis and the UK's NCSC about this but neither offered a confirmation or denial on the matter.

Ferrett, however, said it's entirely possible that Qilin is a sophisticated ransomware gang that was able to source its own zero-days.

"We have previously observed ransomware operators exploiting zero-day vulnerabilities to compromise their victims, especially larger and more established gangs," she said. "Qilin fits that profile so there is no specific reason to doubt their claims.

"We have seen the group on hacking forums looking to recruit experienced 'pentesters' so it is possible that someone within the group or one of their affiliates identified a zero-day vulnerability that enabled this attack."

[13]Frontier Communications: 750k people's data stolen in April attack on systems

[14]Street newspaper appears to have Big Issue with Qilin ransomware gang

[15]Cyber sleuths reveal how they infiltrate the biggest ransomware gangs

[16]Ukrainian cops collar Kyiv programmer believed to be Conti, LockBit linchpin

However, it should also be noted that cybercrims are known for inflating their claims and have in the past labeled any vulnerability exploit as a so-called zero-day. So, as ever, with the accounts of criminals, it's advisable to take Qilin's words with a pinch of salt.

As with the details about the intrusion, Qilin was equally sheepish when asked about the organization itself, namely its composition and location: "We have hundreds of associates, but we cannot say anything specifically about any of them. This is a matter of our security."

Despite being named after a Chinese mythological creature, Qilin is widely believed to be an operation running out of Russia. It operates much like others in Russia have in the past and appears to target Western organizations and not those in countries allied to Russia, which would allow it to maintain its protected status at the Kremlin. ®

Get our [17]Tech Resources



[1] https://www.theregister.com/2024/06/04/suspected_cyberattack_hits_major_london/

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZnRSIQC5P2eZjL1Iy8@WEwAAARA&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://socradar.io/dark-web-profile-qilin-agenda-ransomware/

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZnRSIQC5P2eZjL1Iy8@WEwAAARA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZnRSIQC5P2eZjL1Iy8@WEwAAARA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[6] https://www.theregister.com/2024/06/04/suspected_cyberattack_hits_major_london/

[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZnRSIQC5P2eZjL1Iy8@WEwAAARA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZnRSIQC5P2eZjL1Iy8@WEwAAARA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[9] https://www.england.nhs.uk/london/2024/06/14/update-on-cyber-incident-clinical-impact-in-south-east-london-friday-14-june-2024/?filter-keyword=&filter-category=news

[10] https://www.independent.co.uk/news/health/nhs-cyber-attack-hospital-london-surgery-impact-b2564519.html

[11] https://www.theregister.com/2024/05/12/ransomware_negotiator_payments/

[12] https://www.theregister.com/2024/03/27/surge_in_enterprise_zero_days/

[13] https://www.theregister.com/2024/06/07/frontier_communications_filing_cyberattack/

[14] https://www.theregister.com/2024/03/27/big_issue_qilin_cyberattack/

[15] https://www.theregister.com/2023/12/22/how_to_infiltrate_ransomware_gangs/

[16] https://www.theregister.com/2024/06/13/conti_lockbit_ukraine_arrest/

[17] https://whitepapers.theregister.com/



Oh, it's a politically motivated TERRORIST attack

nichomach

Fine. Treat them as hostile threat actors, find them, kill them. They're happy to kill innocent civilians, they should be fair game in return.

Simply criminals

Red Sceptic

They’re in it for the money - dressing this up as politically-motivated is purely cynical - maybe it helps the sleep at night? Of course, they’re likely to be acting with impunity under a krisha (Russ: roof, metaphor for protection by someone with ‘influence’) of some kind, but that ain’t politics, it’s just bad actors.

Terrorists

MJI

GCHQ can locate them. Special forces can remove them

No need to pay the ransom

Missing Semicolon

... it's only little peoples' data that's been lost anyway. A few "regret" s and a "full responsibility" or two, and it will all wash away. The people affected, of course, are now condemned to a lifetime of hyper-vigilance to prevent their lives being stolen.

Re: No need to pay the ransom

AW-S

" it's only little peoples' data that's been lost anyway"

That's not what has happened.

The systems used to process tests and returning results has been targeted and is now inoperable. It uses minimal patient data - in fact it uses keys to anonymise the patient name etc. What has happened is that important tests being conducted around the clock, with results informing medical decisions, are now having to be processed and reported manually. Time consuming at best and limiting throughput.

The real story here is why the hospital DR plans failed to operate.

The reason for these systems failing so badly is that the two key NHS Trusts involved, used each other for their backup - but all used the same single service provider. Most of us would have recognised this potential problem early on.

The good news is that many other NHS Trusts and their laborartory services were about to do down the same route - but are now recalualting the risks. Some good may come from this attack.

Bozo is the Brotherhood of Zips and Others. Bozos are people who band
together for fun and profit. They have no jobs. Anybody who goes on a
tour is a Bozo. Why does a Bozo cross the street? Because there's a Bozo
on the other side. It comes from the phrase vos otros, meaning others.
They're the huge, fat, middle waist. The archetype is an Irish drunk
clown with red hair and nose, and pale skin. Fields, William Bendix.
Everybody tends to drift toward Bozoness. It has Oz in it. They mean
well. They're straight-looking except they've got inflatable shoes. They
like their comforts. The Bozos have learned to enjoy their free time,
which is all the time.
-- Firesign Theatre, "If Bees Lived Inside Your Head"