UK’s Healthcare & the Russians

More than 1,000 planned operations and over 3,000 outpatient appointments have been postponed amid ongoing disruption caused by a cyber-attack that impacted London hospitals.  Synnovis, an agency which manages labs for NHS trusts and GPs in south-east London, was the victim of a data hack on 3 June.[1]

New figures from NHS England show that since then, 3,396 appointments and 1,255 elective procedures have been postponed.  In a statement, the chief executives of two affected trusts said they were continuing to manage the attack as a "critical incident." 

Data published last week showed that between 17 June and 23 June, the two most affected trusts, King's College Hospital NHS Foundation Trust and Guy's and St. Thomas' NHS Foundation Trust, postponed 1,300 outpatient appointments and 205 elective procedures as a result.  It comes as doctors' surgeries in London have also warned about the ongoing impact of the cyber-attack, with blood testing remaining at a fraction of its former capacity.

There was a time when hackers had something of a moral understanding to stay away from hacking certain sectors of a nation’s critical infrastructure; healthcare was one of them.  No more.  So, who’s hacking the UK’s NHS? 

Many cyber experts believe that Russian hackers are behind the current NHS attack and are part of a wider cyber army working under the Kremlin’s protection to try to destabilize the UK ahead of its election. 


European investigators on the frontline of hunting Russian cyber criminals have found that hacking group Qilin, which has been held responsible for the attack, is merely one arm of a much wider web of Russian hacking affiliates.  Hackers, using servers based in Russia, are working under Moscow’s protection to carry out attacks on UK critical infrastructure.  The recent attack on the NHS has been seen as a “major escalation” of the Kremlin’s use of cyber warfare, according to investigators.[2]

The hacking syndicate, allegedly made up of more than 100 groups, is not believed to be under the direct control of the Russian government but is rather seen as a useful tool of global disruption that the Kremlin is happy to turn a blind eye to.  Hackers enjoy safe haven in Russia, from where they carry out ransomware attacks, so long as they do not cross red lines or cause too much diplomatic uproar. 

Ciaran Martin, the former chief executive of the National Cyber Security Centre (NCSC), recently said, “The Russian state does not control or direct criminal cyber groups but it does in effect set the parameters of who they are allowed to attack.”

Internal messages between the Russian hackers show them asking a higher authority from the group’s leadership for permission to attack specific targets in the UK on previous occasions.  This is just like any good organized crime ring, except the government seems to have a hand in setting the parameters. 

Until earlier this month, attacks on other nations’ healthcare services which could potentially lead to casualties were seen as “off limits” by the Russian government.  But the attack on NHS provider Synnovis on 3 June represents a loosening of the reins that the hacking groups work under, leading to national security concerns among all Western intelligence agencies.  This should be understood as a national security issue for the West.

A detailed security briefing from European investigators on the forefront of the West’s fight against Russian cyber-crime groups, and interviews with three UK sources, reveal the worrying escalation in cyber warfare against Britain ahead of its election.  All of the UK sources warned that the country could face more attacks on critical national infrastructure which could disrupt services, meddle with the democratic process, and actually threaten lives.  “The Kremlin has lifted a block on UK targets it once thought were a step too far,” a UK intelligence source reported.  “I expect we will see a drastic rise in cyber-attacks to critical services over the next 12 months.”  Some called the UK attack a “significant escalation” which challenges the definition of an “act of war.” 

In the recent NHS hack, Qilin, which has a record of attempting to extort money, stole records covering 300 million patient interactions, including the results of blood tests for HIV and cancer, and led to the cancellation of over 1,000 operations and 2,000 appointments.  The group later published a tranche of highly sensitive NHS records they stole into the public domain last week, after failing to receive a ransom payment.

The National Crime Agency (NCA) leads the UK’s response to cybercrime and is currently weighing up the possibility of taking retaliatory action against the group, working with the US Federal Bureau of Investigation (FBI) to determine the scale of the attack.  Qilin, a well-established Russian hacking group with a record of attempting to extort money, claimed to have carried out the attack on the NHS as revenge for the UK Government’s actions in an undisclosed war.  But new evidence compiled by investigators shows that the Qilin group is part of a front for a Russian-state protected cyber army, acting to cause chaos and disruption in the lead up to the UK election.  Hmmm, sounds an awful lot like old Soviet Union tactics.  In a detailed security briefing, investigators from PRODAFT, which is a privately funded cyber-crime firm partnering with official organizations including Europol, the FBI, and NCA, warned that action against Qilin without looking at the wider hacking network would be “insignificant.”  PRODAFT is part of Europol’s EC3 partner framework which works with international law enforcement agencies as part of a coalition of specialist researchers, focused on unmasking some of the world’s most notorious cybercrime groups.  EC3 is an EU taskforce to help protect nations against cyber-crime of all types, and continues to work with UK agencies after Brexit (the UK leaving the EU).


Current intelligence shows how Qilin is just one of over 100 affiliated groups working together to destabilize UK infrastructure ahead of the upcoming election.  The group is “physically untouchable” and operates under state protection, such as Russia’s, investigators warned.

PRODAFT’s head of UK operations Christopher McGrath said that UK agencies must be careful to acknowledge that groups like Qilin are “simply brands” designed to “obfuscate the highly complex structures and capabilities” of the real threat posed by the wider organization.  He continued, “The recent attack on the NHS supplier Synnovis has once again raised the concern that Cyber Ransom Groups are able and continue to have the ability and state protection to conduct high profile and now potentially life-threatening attacks against the UK.”  Three credible UK sources warned that Britain is bracing for “12 months of significant impact” from Russian hacking groups, in what they described as a “major wave change” in Putin’s attitude towards them.  Of note: The exit of the UK from the European Union was considered by some as a move toward more conservatism.  As reported on 30 June, the French far-right Rassemblement National (RN) Party has won the first round of France's snap parliamentary elections, according to first exit polls.[3]  Per a poll published by France’s main commercial TF1 TV station, RN has taken 34.5% of the votes, with the hastily assembled left-wing New Popular Front (NPF) alliance trailing behind with 28.5% and President Emmanuel Macron's centrist Ensemble bloc out of the second with 22.5%.  This has to be troubling Russia too. 

While the Russian hacking organization is not believed to be working under the direct orders of the Kremlin, groups based within Russia are expected to act within the boundaries set by the Kremlin.  Previously, there had been a fine line on how much impact Russian hacking groups could have on Western countries. The Kremlin has been willing to crack down on ransomware gangs if their actions caused too much diplomatic or reputational damage for Moscow in the past.

In 2021, a ransomware attack on the US Colonial Pipeline led to gas shortages in several US states and ensuing alarm.  Inside Russia, the hack had been viewed as a “step too far,” according to sources, and several cyber criminals were arrested by Russia’s Federal Security Service (FSB), despite increased tensions between the US and Moscow.  However, the latest hack on the NHS leading to potentially life-threatening consequences showed the “gloves were off,” sources said.  Mr. McGrath stated that this is a “significant escalation” in Russia’s use of “cyber armies” to attack UK national infrastructure. 

PRODAFT investigators pointed to previous intelligence operations where they have witnessed communications between Russian hacking groups seeking permission from a higher authority in their leadership to attack NHS data, only to be denied on the basis of “not having another Colonial Pipeline.”  The Qilin group claims to have carried out the cyber-attack as revenge for the UK Government’s actions in an undisclosed war.  UK sources believe the hack was retaliation for Britain signaling it would allow Ukraine to strike targets in Russian territory with western weapons.


NCA Director Paul Foster said, “The National Crime Agency is leading a criminal investigation into the recent cyber incident affecting hospitals.  We are aware data has been published and we are working closely with the National Cyber Security Centre, NHS England and our international law enforcement partners, to progress our investigation and support the incident response.  As the investigation is ongoing I’m unable to comment further at this time.”

The hack led to a critical incident being declared at NHS trusts.  It forced King’s College Hospital (KCH) and Guy’s and St Thomas’ (GSTT) health service trusts to cancel 1,134 planned operations and 2,194 outpatient appointments, including 184 cancer procedures and 64 organ transplants.  “Yes we know about the situation,” the hackers told the BBC.  “We are very sorry for the people who were suffered because of it.  Herewith we don’t consider ourselves guilty and we ask you don’t blame us in this situation.”  The hackers said the UK Government should be blamed instead.

The UK’s NCA and NCSC want the public and UK organizations to remain alert to possible cyber-crime, and to tell the authorities at the earliest possible opportunity if they think they have been targeted.

In a joint statement on the recent NHS situation, Julie Lowe, the deputy chief executive at King’s College Hospital NHS Foundation Trust and Dr. Simon Steddon, chief medical officer at Guy’s and St Thomas’ NHS Foundation Trust, said, “We are having to postpone a number of operations and appointments at present, and we would like to apologize again to those patients affected.  Staff are continuing to do an excellent job in very challenging circumstances, for which they deserve enormous credit.” 

So, the question for the rest of the “West” remains: Will the Russians pivot to France and then possibly the US in retaliation for western weapons going to the Ukraine?  Will the current shift to the right in many western European countries, including the US, be seen as a threat to the Russian Federation?  Will the cyber attacks escalate?  Time will tell.  And in the meantime, cyber defenses and proactive cyber intelligence operations need to continue.   

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  Our services can help detect cyber threats and vulnerabilities.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or    


Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings



