Feature

Cyberattacks on healthcare: Russia’s tool for mass disruption

In a time of profound global geopolitical instability, cyberattacks have become as much about mass disruption as about monetary gain, writes Ross Law.

Credit: Hlib Shabashnyi / Shutterstock

Cyberattacks have become a regular occurrence for organisations of all sizes, with healthcare organisations often ranked second only to financial institutions as targets for malicious actors.

Research has found that healthcare organisations hold 22% more data than the global average and typically 50% more sensitive data, making them attractive targets for financial extortion.

Other recent research on cyberattacks against healthcare is startling: cybersecurity company SonicWall found that encrypted attacks on the sector skyrocketed last year, with a year-over-year increase of 252%, while IBM's Cost of a Data Breach Report 2023 indicates that the average cost of a healthcare data breach has risen by more than 53% since 2020.

In Oxford University's inaugural World Cybercrime Index, which ranks countries by the cybercrime threat they pose, Russia, perhaps unsurprisingly, placed first.

Russia has been implicated in countless high-profile cyberattacks over the years, from the Moonlight Maze intrusions into Nasa and other US government networks in the late 1990s to the NotPetya attack on Ukraine in 2017.

Russia's full-scale invasion of Ukraine in February 2022 brought with it an acceleration of what amounts to cyber-warfare.

US satellite communications provider Viasat suffered an attack on the KA-SAT network serving Ukrainian customers around an hour before Russian troops moved onto Ukrainian soil, and further attacks on Europe and the rest of the world, typically linked to Russian state actors, have continued ever since.

Significant cyberattacks on healthcare entities attributed to Russia-linked groups this year include February's attacks on UnitedHealth Group's (UHG) subsidiary Change Healthcare and on NHS Dumfries and Galloway's IT systems, and last month's attack on US hospital group Ascension.

At a House subcommittee hearing on 1 May, UHG CEO Andrew Witty confirmed that the company had paid a $22m ransom in a bid to stop stolen patient data being leaked.

On 3 June, a ransomware attack was carried out on Guy's and St Thomas' NHS Foundation Trust’s third-party pathology provider, Synnovis. 

The attack, which also disrupted processes in several other NHS trusts in south London, was one of the most serious on UK national infrastructure in recent years. Hundreds of gigabytes of data, including patient data, were stolen and subsequently published online.

In addition, the breach wrought havoc on Guy's and St Thomas' daily operations, delaying blood test results and halting hundreds of scheduled patient procedures, from which the trust is still recovering.

According to the UK's National Cyber Security Centre (NCSC) and other observers, the Synnovis attack was the work of Qilin, a ransomware group with ties to Russia. The National Crime Agency (NCA) and NCSC are now working to verify the data included in the published files as quickly as possible.

While leaked data is undeniably damaging, the attack on Synnovis appears to have been more about destabilising critical national infrastructure (CNI) than financial extortion or data theft. 

Reasons for attacks on healthcare

A 2023 report by Armis found that healthcare organisations have been seeing a 13% month-over-month increase in attempted cyberattacks. 

According to the company’s regional director of UK&I, David Critchley, an increase in cyberattacks on the UK is attributable to the Russia-Ukraine war. 

“Healthcare is seen as part of the CNI of a nation, and therefore it's much more about destabilising CNI than it necessarily is around extortion within the criminal fraternity,” says Critchley. “And malicious actors know that the healthcare sector's understaffed, under-resourced, and so is primed for that nation-state disruption.” 

A&O Cyber's technical cyber security head Richard Hughes agrees: “I would say this attack was politically, not financially motivated in this particular case.” 

Hughes' view is that Russian actors are increasingly targeting CNI, such as healthcare institutions or high street banks, to destabilise the UK and make it think twice about "supplying any kind of support" to Ukraine.

“State-sponsored attacks often involve a nation deliberately targeting another CNI with cyberattacks, with the purpose of causing disruption and damage to systems integral to everyday life within the country,” says co-founder and director of Ecliptic Dynamics Tom Kidwell. 

“Due to the West’s support of Ukraine, Russia, China and other Eastern states are targeting the UK with these types of attacks, and unfortunately, healthcare falls within this category.”

The modern cybercrime landscape

The modern cybercrime landscape often involves collaboration between different criminal groups on the dark web, with skills and resources traded between participants, such as the ransomware code used to initiate an attack.

The underbelly of the modern cybercrime landscape functions similarly to any legal enterprise. 

“It's fascinating. It's developed into a very sophisticated marketplace, and it looks very much like the legitimate world, only what they're doing is nefarious,” says Lisa Plaggemier, interim executive director at the National Cybersecurity Alliance. 

Since hacker groups like Anonymous rose to prominence, cyberattacks have increasingly been carried out not only by states but by individuals and loosely organised volunteer groups.

“I think that's the first time the world has seen this sort of volunteer army that's decided to launch their own attacks against a foreign country. Normally, it's countries launching cyberattacks against each other, not individual citizens that are banding together to attack a country,” says Plaggemier.

Third-party suppliers a key threat

The attack on Synnovis shows that the NHS needs to consider the cybersecurity of the third parties it works with as carefully as its own. The threat is plain: the NHS works with many different suppliers, all of whom are connected in some way to its networks, and smaller suppliers may apply less security rigour, which is likely why Synnovis was targeted.

“When a system is compromised, it can give attackers the opportunity to infiltrate other, adjacent systems or organisations. In this instance, although Synnovis was the organisation which was breached, this attack could have opened doorways into other NHS Trusts or suppliers,” says Kidwell. 

Plaggemier notes that the Synnovis attack was similar to what has been seen in the US in cases such as the 2020 SolarWinds compromise, in which a software supplier was breached and a trojanised update rippled out across its whole customer base.

“A lot of organisations are better at protecting their own four walls than they are at making sure they have a really robust third-party risk programme,” she notes, adding that an attacker has no reason to go straight at a target if there is an easier way into its network via a third-party supplier.

To mitigate this risk, organisations like the NHS must assess the level of risk a third party presents before doing business with it, and continually reassess the risk presented by the third parties they already work with.

Hospitals must make certain that their third-party suppliers are not introducing additional risk into their networks. This is particularly important now that even the likes of vending machines are Internet of Things (IoT) devices connected to the wider network.

From June 2025, the Data Security and Protection (DSP) Toolkit for NHS England will require far more in-depth scrutiny of an organisation's cybersecurity than before, and its critical suppliers will be brought within the scope of the framework.

“The DSP toolkit for 24/25 now aligns with the NCSC cyber assessment framework (CAF), which is a far-reaching framework across policies, processes and technologies that should be in place to maintain and improve cybersecurity across an organisation as complex as the NHS and the individual foundation trusts within it,” explains Jules Farrow-Lesnianski, operational technology director at Sapphire. 

Business resilience (BR) and disaster recovery (DR)

A key factor in ensuring business resilience is the up-front step of segregating networks and systems, on the assumption that a breach will occur at some point.

“Segregation will hopefully stop malware or any other kind of exploit travelling between systems,” says Hughes. 

In addition, 24/7 monitoring should be in place to give organisations an understanding of the regular patterns of traffic on their networks, so that deviations from those patterns can be spotted in the event of a breach.

“But monitoring tools are not something you can just install and forget about,” says Hughes. “It's a case of constantly tuning and reevaluating those rule sets that you're actually looking for.” 
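The baseline-and-deviation monitoring Hughes describes, and the tuning it needs, can be illustrated in code. The following is an added example written for this article, not tooling from any of the organisations quoted: it learns each host's normal daily outbound volume and set of peers from a few constructed NetFlow-style records, then flags new hosts, new external destinations and volume spikes on a later day. The host names, addresses (the 10.0.5.0/24 and 203.0.113.0/24 ranges), byte counts and the rule thresholds are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One summarised network flow record (constructed, NetFlow-like)."""
    day: int        # observation day index
    src: str        # source host name
    dst: str        # destination IP address
    dport: int      # destination port
    bytes_out: int  # bytes sent from src to dst


# Tunable rule set. These are the knobs an analyst adjusts over time as the
# network's normal behaviour becomes better understood (values are assumptions).
DEFAULT_RULES = {
    "sigma": 3.0,                   # standard deviations above the daily mean that count as a spike
    "min_bytes": 1_000_000,         # ignore volume deviations smaller than this absolute size
    "internal_prefixes": ("10.",),  # assumed internal address space
}


def build_baseline(flows):
    """Learn per-host normal behaviour: daily outbound volume and the peers seen."""
    per_day = defaultdict(lambda: defaultdict(int))
    peers = defaultdict(set)
    for f in flows:
        per_day[f.src][f.day] += f.bytes_out
        peers[f.src].add((f.dst, f.dport))
    baseline = {}
    for src, days in per_day.items():
        totals = list(days.values())
        baseline[src] = {"mean": mean(totals), "stdev": pstdev(totals), "peers": peers[src]}
    return baseline


def is_internal(ip, rules):
    return ip.startswith(rules["internal_prefixes"])


def detect(flows, baseline, rules=DEFAULT_RULES):
    """Compare new flows against the baseline and return a list of alerts."""
    alerts = []
    per_day = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_day[f.src][f.day] += f.bytes_out
        profile = baseline.get(f.src)
        if profile is None:
            # A host with no baseline at all, e.g. a vendor laptop plugged into a clinical VLAN.
            alerts.append({"kind": "unknown_host", "src": f.src, "detail": f"{f.dst}:{f.dport}"})
            continue
        if (f.dst, f.dport) not in profile["peers"] and not is_internal(f.dst, rules):
            alerts.append({"kind": "new_external_peer", "src": f.src, "detail": f"{f.dst}:{f.dport}"})
    for src, days in per_day.items():
        profile = baseline.get(src)
        if profile is None:
            continue
        threshold = profile["mean"] + rules["sigma"] * profile["stdev"]
        for day, total in days.items():
            if total > threshold and total > rules["min_bytes"]:
                alerts.append({"kind": "volume_spike", "src": src,
                               "detail": f"day {day}: {total} bytes vs threshold {threshold:.0f}"})
    return alerts


# Constructed baseline: five quiet days for two pathology systems.
BASELINE_FLOWS = [Flow(d, "lab-analyser-01", "10.0.5.20", 1433, 2_000_000) for d in range(1, 6)] + [
    Flow(d, "lis-db-02", "10.0.5.30", 5432, b)
    for d, b in zip(range(1, 6), (5_000_000, 6_000_000, 5_000_000, 7_000_000, 5_000_000))
]

# Constructed observation day: the analyser starts pushing tens of gigabytes to an
# external address, a never-seen vendor laptop appears, and the database has a busy
# but not abnormal day.
DAY6_FLOWS = [
    Flow(6, "lab-analyser-01", "10.0.5.20", 1433, 2_000_000),
    Flow(6, "lab-analyser-01", "203.0.113.10", 443, 45_000_000_000),
    Flow(6, "lis-db-02", "10.0.5.30", 5432, 7_000_000),
    Flow(6, "bms-vendor-laptop", "10.0.5.20", 1433, 1_000),
]


def run(rules=DEFAULT_RULES):
    return detect(DAY6_FLOWS, build_baseline(BASELINE_FLOWS), rules)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

With the default rules the database's busy day (7MB against a mean of 5.6MB) stays quiet, while the analyser's 45GB push to an outside address raises both a new-peer and a volume alert. Lowering "sigma" to 1.0 turns the database into a false positive, which is exactly the kind of rule-set tuning Hughes says never finishes.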

Critchley says that Armis often hears from its customers that they are drowning in vulnerabilities. Because of this, he says, prioritising which ones to address first is of key importance.
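One way to do that prioritisation, as an added example written for this article rather than any vendor's method, is to rank findings on more than their CVSS score: whether the weakness is known to be exploited in the wild (CISA's Known Exploited Vulnerabilities catalogue is the usual source for that flag), how reachable the asset is, how much patient care depends on it, and whether a patch even exists. The findings below, their scores, the weightings and the "known exploited" flags are all constructed for the example; the point is that a lower-scored but exploited, internet-facing or patient-safety-critical weakness rises above a higher-scored one that is neither.

```python
from dataclasses import dataclass

# Weightings are assumptions chosen for the example, not an industry standard.
EXPOSURE_WEIGHT = {"internet": 1.5, "user_network": 1.2, "internal": 1.0}
CRITICALITY_WEIGHT = {"patient_safety": 1.5, "clinical": 1.3, "business": 1.0}
KNOWN_EXPLOITED_BONUS = 4.0


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding from a scanner, enriched with asset context (constructed)."""
    id: str
    asset: str
    cvss: float              # CVSS base score from the scanner
    known_exploited: bool    # present in a known-exploited catalogue such as CISA KEV
    exposure: str            # "internet", "user_network" or "internal"
    criticality: str         # "patient_safety", "clinical" or "business"
    patch_available: bool


def score(f: Finding) -> float:
    """Contextual priority score: CVSS adjusted for exploitation, reachability and impact."""
    s = f.cvss + (KNOWN_EXPLOITED_BONUS if f.known_exploited else 0.0)
    s *= EXPOSURE_WEIGHT[f.exposure]
    s *= CRITICALITY_WEIGHT[f.criticality]
    return s


def action(f: Finding) -> str:
    """What to do first: patch if you can, otherwise isolate or mitigate (e.g. segregate the host)."""
    return "patch" if f.patch_available else "isolate/mitigate"


def prioritise(findings):
    """Return findings ordered from most to least urgent, with their score and action."""
    ranked = sorted(findings, key=score, reverse=True)
    return [(f.id, round(score(f), 2), action(f)) for f in ranked]


# Constructed backlog for a hospital estate.
FINDINGS = [
    Finding("F-1", "remote access VPN appliance", 7.5, True, "internet", "business", True),
    Finding("F-2", "laboratory results server", 9.8, False, "internal", "clinical", True),
    Finding("F-3", "legacy imaging workstation on unsupported OS", 8.8, True, "internal", "patient_safety", False),
    Finding("F-4", "staff intranet CMS", 5.3, False, "user_network", "business", True),
    Finding("F-5", "vending machine IoT controller", 6.5, False, "user_network", "business", False),
]

if __name__ == "__main__":
    for row in prioritise(FINDINGS):
        print(row)
```

Sorted purely by CVSS the lab results server (9.8) would come first; with context the unpatchable, actively exploited imaging workstation and the exploited internet-facing VPN appliance outrank it, and the workstation's recommended action is to isolate it rather than wait for a patch that will never come.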

After an attack, a hospital may be unable to bring up patient records or blood test results, but it is imperative that it is at least still able to provide care.

“If BR and DR plans haven't been practised like a tabletop exercise, organisations may not know if they are really ready,” says Plaggemier. “Therefore, the BR and DR function in hospitals today is important, to ensure that they can keep operating and delivering critical care, even if their systems are down.”

Lessons from the Synnovis attack

Beyond having a good BR and DR plan in place, the NHS may again need to consider what it can do to shore up its legacy systems.

With cybercriminals well aware of vulnerabilities in old systems, Farrow-Lesnianski notes that some cyberattacks may not target the NHS specifically but, as with the WannaCry attack in 2017, end up hitting it simply because it runs so many outdated legacy systems that are vulnerable to particular forms of attack.

“That's really the problem with a lot of these incidents, whether they're targeting the NHS deliberately, or whether they're hitting it as a result of the lack of investment that the NHS has seen in cybersecurity,” he says. 

Proactive vulnerability assessment to mitigate breach risk is a further lesson to be learned from the Synnovis attack.

“The Guy's and St Thomas' NHS Foundation Trust has reportedly failed to meet the UK health service's data security standards in recent years, with concerns about security vulnerabilities being raised on multiple occasions prior to the attack,” says NAKIVO’s VP of product management Sergei Serdyuk. 

As the war in Ukraine rages on, attacks from state-aligned actors, which the NCSC notes are typically sympathetic to Russia's invasion of Ukraine and ideologically rather than financially motivated, look set to continue.

This is a time in which it is more critical than ever for CNI like the NHS to ensure that its systems are regularly patched, that its vulnerabilities are well understood, and that the daily flow of traffic through its networks is monitored closely enough to detect, and respond to, irregularities.

As per GlobalData analysis, such attacks are largely opportunistic, and their impact falls off drastically once best practices are adopted. However, organisations that do not have access to backups, or the ability to reset compromised systems efficiently, find themselves with few good options, leading to the temptation to pay their attackers to stop the attack.

Ideally, security and cyber hygiene should be mature enough to prevent future cyberattacks, but if not, the NHS should at least be able to bear the brunt of an attack and stop it spreading through its networks and causing the degree of disruption seen in the Synnovis attack.