NHS Supplier Cyber Incident 4th August 2022
Cyber incidents are never nice, and I wasn’t exactly overcome with joy when I saw there had been a cyber attack on an NHS supplier on the 4th of August 2022. There are still lots of unknowns about the scenario, its impacts and how this will play out. I’m always cautious about speculating too much; however, cyber incidents aren’t magic, they usually follow certain patterns. A week ago this was reported as likely to be restored by Tuesday; since then there has been another press release and now even more articles in the mainstream media. I am not convinced by the press release contents, and I’m unsure why there isn’t a more concise view… something doesn’t seem to add up, my spider sense is tingling. So, here’s my star-gazing (experience-based) view so far.
What methods are likely for the criminals to have used to gain initial access? Do we know what occurred?
They could plausibly have used any of:
- Exposed Remote Desktop Services or similar remote access services
- Credential theft followed by VPN access
- Remote code execution on a network edge device
- Bribing an insider to deploy malware or hand over credentials
Honestly, initial access could have been via any of a wide range of vectors; the organisation has released nothing outlining how initial access occurred.
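The first two vectors above (exposed remote desktop and stolen credentials) leave a recognisable trail in Windows Security logs: event 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RemoteInteractive) and an internet-sourced IpAddress. As an added example, not code from the original post and nothing to do with Advanced’s actual environment, here is a small Python detector that runs over constructed event records in an assumed one-line-per-event format. The thresholds, the window and the list of "internal" networks are assumptions for the example; the event IDs and logon type are real Windows values.

```python
"""Detect brute-force/spray-then-success against exposed RDP-style services.

Added example: constructed log lines, assumed record format and thresholds.
Record format (assumed): '<ISO8601 UTC ts> <event_id> <logon_type> <user> <src_ip>'
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed sample data (RFC 5737 documentation addresses stand in for internet sources).
SAMPLE_LOG = """\
2022-08-03T22:00:10Z 4625 10 svc_backup 203.0.113.7
2022-08-03T22:01:10Z 4625 10 svc_backup 203.0.113.7
2022-08-03T22:02:10Z 4625 10 svc_backup 203.0.113.7
2022-08-03T22:03:10Z 4625 10 svc_backup 203.0.113.7
2022-08-03T22:04:10Z 4625 10 svc_backup 203.0.113.7
2022-08-03T22:06:00Z 4624 10 svc_backup 203.0.113.7
2022-08-03T22:10:00Z 4625 10 alice 198.51.100.9
2022-08-03T22:11:00Z 4625 10 bob 198.51.100.9
2022-08-03T22:12:00Z 4625 10 carol 198.51.100.9
2022-08-03T22:15:00Z 4624 10 carol 198.51.100.9
2022-08-03T22:20:00Z 4625 10 dave 10.0.0.5
2022-08-03T22:21:00Z 4625 10 dave 10.0.0.5
2022-08-03T22:22:00Z 4625 10 dave 10.0.0.5
2022-08-03T22:23:00Z 4625 10 dave 10.0.0.5
2022-08-03T22:24:00Z 4625 10 dave 10.0.0.5
2022-08-03T22:26:00Z 4624 10 dave 10.0.0.5
2022-08-03T22:30:00Z 4624 3 svc_backup 203.0.113.7
"""

# Assumed internal ranges; anything else is treated as internet-sourced.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8")]

@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    event_id: int    # 4624 = successful logon, 4625 = failed logon
    logon_type: int  # 10 = RemoteInteractive (RDP-style session)
    user: str
    src_ip: str

def parse_line(line: str) -> LogonEvent:
    """Parse one record of the assumed 'ts event_id logon_type user src_ip' format."""
    ts, event_id, logon_type, user, src_ip = line.split()
    stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return LogonEvent(stamp, int(event_id), int(logon_type), user.lower(), src_ip)

def is_external(ip: str) -> bool:
    """True when the source address is outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def detect(events, fail_threshold=5, spray_threshold=3, window=timedelta(minutes=10)):
    """Return alerts as (rule, src_ip, user) tuples, in time order.

    bruteforce_then_success: >= fail_threshold failures for one (ip, user) inside
        the window, followed by a success for that pair.
    password_spray: one external ip fails against >= spray_threshold distinct
        users inside the window (raised once per ip).
    spray_then_success: any later success from an ip already flagged for spraying.
    """
    alerts = []
    fails_by_pair = defaultdict(list)   # (src_ip, user) -> [ts]
    fails_by_src = defaultdict(list)    # src_ip -> [(ts, user)]
    sprayed = set()
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.logon_type != 10 or not is_external(e.src_ip):
            continue  # only internet-sourced remote-interactive logons matter here
        if e.event_id == 4625:
            fails_by_pair[(e.src_ip, e.user)].append(e.ts)
            fails_by_src[e.src_ip].append((e.ts, e.user))
            recent_users = {u for t, u in fails_by_src[e.src_ip] if e.ts - t <= window}
            if len(recent_users) >= spray_threshold and e.src_ip not in sprayed:
                sprayed.add(e.src_ip)
                alerts.append(("password_spray", e.src_ip, None))
        elif e.event_id == 4624:
            recent = [t for t in fails_by_pair[(e.src_ip, e.user)] if e.ts - t <= window]
            if len(recent) >= fail_threshold:
                alerts.append(("bruteforce_then_success", e.src_ip, e.user))
            elif e.src_ip in sprayed:
                alerts.append(("spray_then_success", e.src_ip, e.user))
    return alerts

def run_sample():
    """Run the detector over the constructed SAMPLE_LOG."""
    return detect(parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip())

if __name__ == "__main__":
    for rule, ip, user in run_sample():
        print(f"{rule:25s} {ip:15s} {user or '-'}")
```

The internal 10.0.0.5 sequence and the type-3 (network) logon are deliberately present and deliberately ignored: the point is that a success following failures from the internet on an interactive session type is the signal worth paging on, and on a real estate you would feed this from the Security channel (IpAddress and LogonType fields of 4624/4625) rather than a text file.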
Lateral Movement and Threat Actor Activity
Once the threat actors were in the network, what did they do?
Without detail this area is simply too vast to comment on with specifics, but for ransomware to have been deployed across the affected estate the attackers must have obtained highly privileged access. Given the range of systems affected, that access was most likely on shared infrastructure components rather than in a single application.
Ransomware and Data Exfiltration
What could the threat actors have done?
- Option A: the ransomware actors gained admin/root/system level access to a vast array of systems over a significant period, exfiltrated data and then initiated ransomware payloads.
- Option B: they gained access, decided not to take any data, and just deployed a ransomware payload.
What is most probable based on how ransomware gangs operate?
Option A is the most likely, based on my experience.
As part of the response update PDF, the following actions are outlined as having been taken or being in progress:
• Implementing additional blocking rules and further restricting privileged accounts for Advanced staff;
• Scanning all impacted systems and ensuring they are fully patched;
• Resetting credentials;
• Deploying additional endpoint detection and response agents; and
• Conducting 24/7 monitoring.
Call me cynical, but this reads like:
- PAM was weak or absent, and staff likely had excessive levels of access.
- Scanning systems for patches suggests they weren’t patched (whose servers are, though, to be fair!).
- Resetting credentials would be bad enough if segmentation was in place; it sounds like it wasn’t.
- Deploying additional EDR sounds like “we didn’t have EDR, so now we are deploying it” (and if they did have EDR, did they not test for these kinds of scenarios?).
- Do they not monitor 24/7 anyway?
Part of the reason I’m cynical about this is that the comms seem awfully lacking given:
- It’s a major supplier to healthcare, funded by millions of pounds of public money
- There have been no technical details
- The wording and phrasing of the updates feel like spin
“We are rebuilding and restoring impacted systems in a separate and secure environment. To help all customers feel confident in reconnecting to our products once service is restored, we have implemented a defined process by which all environments will be systematically checked prior to securely bringing them online.”
No one is going to take that level of action unless something is seriously wrong. This sounds like there were significant security deficiencies. Sure, they might be being overly cautious, but honestly… this doesn’t feel like that. It feels like they had a breach in a network location that means multiple environments/systems were/are at risk; otherwise, why do all the heavy lifting? Why impact availability when you don’t need to?
I’ve run through the https://www.oneadvanced.com/siteassets/resources/other-types/advanced-cyber-incident-faq.pdf document and commented on it line by line in my notes, so I might publish that.
I’m not that familiar with Advanced, however it looks like they are:
- A software development organisation
- A platform provider/hosting provider
We can see they have a range of tech exposed online (Jenkins, a SIEM logon interface), and looking at the Digital Marketplace we can see there are both on-premises and hosted solutions.
The services might be a mix of web (SaaS) and remote access via RDS/Citrix services, which would make sense for some NHS apps: the screenshots of the apps look like native Windows apps (not web apps), so I’m going to place a pint on hosted Citrix remote desktops with an MS SQL backend (there’s no way I can guess this right!). What we do have from their site is: “identified an issue on infrastructure hosting products used by our health and care customers”. I’ve done a few designs for this type of thing in my career and I’ve been around the block a bit.
The services have been offline since the 4th of August 2022, and they remain offline at the time of writing. What are the likely impacts, both short and long term?
Short term the impact is clearly on service availability: press releases state that staff are using manual methods and that service restoration activities are in progress. The longer-term impacts could be more severe, for example if data subjects are impacted (they likely are and will be), alongside regulatory review by the ICO and the contractual obligations between the organisation (a private company) and its customers.
Based upon the press releases and public information:
- Advanced has engaged Mandiant & Microsoft DART
- The NCSC & NHS are being engaged
- The ICO has been engaged
This all leads me to suspect the impact may be far more than “a few servers were compromised”, or that the servers that were compromised hold significant data volumes.
There are still relatively few details in the public domain, and the vendor information is high level. The lack of information in the public domain gives me concern that the impact of this event may be significant.
The potential for bulk sensitive data access seems high to me; there’s nothing filling me with confidence that this isn’t the case, although, as I said above, this is speculation. From my point of view it would be very odd for someone to gain all this access, not exfiltrate the data and impact only a small part of Advanced’s systems, and for Advanced to then take everything offline and contact all these organisations, including the data regulator, only for it to turn out to be a small affair. I do know there are good people at all the supporting organisations, and I do know these things take time to work out. It’s never a happy time when incidents occur, especially when healthcare data might be compromised.
They say only a small number of servers were compromised; if that’s the case, why was everything taken offline? If the impact was small, why does their press release say it will be necessary to keep contingency plans in place for three or four weeks? This all feels a bit at odds: “don’t worry”, but keep contingency for weeks… time will tell. I hope all the people responding are getting enough sleep and ultimately that the impact isn’t what it could be.
I’m currently going line by line through the press release; there actually seem to be two things, a web page and a PDF, with slightly different content in each… see below for links: