Russian hackers behind NHS attack are part of Kremlin-protected cyber army

Russian hackers behind the NHS attack are part of a wider cyber army working under the Kremlin’s protection to try to destabilise the UK ahead of the election, i can reveal.

European investigators on the frontline of hunting Russian cyber criminals have found that hacking group Qilin, which has been held responsible for the attack, is merely one arm of a much wider web of hacking affiliates.

Hackers, using servers based in Russia, are working under Moscow’s protection to carry out attacks on UK critical infrastructure. The recent attack on the NHS has been seen as a “major escalation” of the Kremlin’s use of cyber warfare, according to investigators, whose work i was given exclusive access to.

The hacking syndicate, made up of more than 100 groups, is not believed to be under the direct control of the Russian Government but is rather seen as a useful tool of global disruption that the Kremlin is happy to turn a blind eye to. Hackers enjoy safe haven in Russia, from where they carry out ransomware attacks, so long as they do not cross red lines or cause too much diplomatic uproar, i has been told.

Ciaran Martin, the former chief executive of the National Cyber Security Centre (NCSC), told i: “The Russian state does not control or direct criminal cyber groups but it does in effect set the parameters of who they are allowed to attack.”

Internal messages between the Russian hackers, seen by i, show them asking a higher authority from the group’s leadership for permission to attack specific targets in the UK on previous occasions.

Until earlier this month, attacks on other nations’ healthcare services which could potentially lead to casualties were seen as “off limits” by the Kremlin. But the attack on NHS provider Synnovis on 3 June represents a loosening of the reins that the hacking groups work under, leading to national security concerns among Western intelligence agencies.

A detailed security briefing from European investigators on the forefront of the West’s fight against Russian cyber crime groups, and interviews with three UK sources, reveal the worrying escalation in cyber warfare against Britain ahead of the election.

All of the UK sources warned that the country could face more attacks on critical national infrastructure which could disrupt services, meddle with democracy, and threaten lives.

“The Kremlin has lifted a block on UK targets it once thought were a step too far,” a UK intelligence source told i. “I expect we will see a drastic rise in cyber attacks to critical services over the next 12 months.”

Another called the attack a “significant escalation” which challenges the definition of an “act of war”.

In the recent NHS hack, Qilin, which has a record of attempting to extort money, stole records covering 300 million patient interactions, including the results of blood tests for HIV and cancer, and the attack led to the cancellation of over 1,000 operations and 2,000 appointments.

Last Friday, after failing to receive a ransom payment, the group released into the public domain a tranche of the highly sensitive NHS records it had stolen.

The National Crime Agency (NCA) leads the UK’s response to cybercrime and is currently weighing up the possibility of taking retaliatory action against the group, working with the Federal Bureau of Investigation (FBI) to determine the scale of the attack.

Qilin, a well-established Russian hacking group with a record of attempting to extort money, claimed to have carried out the attack on the NHS as revenge for the UK Government’s actions in an undisclosed war.

But new evidence compiled by investigators, seen by i, shows that the Qilin group is part of a front for a Russian-state protected cyber army, acting to cause chaos and disruption in the lead up to the UK election.

In a detailed security briefing with i, investigators from PRODAFT, which is a privately funded cyber crime firm partnering with official organisations including Europol, the FBI, and NCA, warned that action against Qilin without looking at the wider hacking network would be “insignificant”.

PRODAFT is part of Europol’s EC3 partner framework which works with international law enforcement agencies as part of a coalition of specialist researchers, focused on unmasking some of the world’s most notorious cybercrime groups. EC3 is an EU taskforce to help protect nations against cyber crime of all types, and continues to work with UK agencies after Brexit.

Intelligence seen by i showed how Qilin is just one of over 100 affiliated groups working together to destabilise UK infrastructure ahead of the upcoming election. The group is “physically untouchable” and operates under the protection of a state such as Russia, investigators warned.

PRODAFT’s head of UK operations Christopher McGrath told i that UK agencies must be careful to acknowledge that groups like Qilin are “simply brands” designed to “obfuscate the highly complex structures and capabilities” of the real threat posed by the wider organisation.

Mr McGrath told i: “The recent attack on the NHS supplier Synnovis has once again raised the concern that Cyber Ransom Groups are able and continue to have the ability and state protection to conduct high profile and now potentially life threatening attacks against the UK.”

Three UK sources warned that Britain was braced for “12 months of significant impact” from Russian hacking groups, in what they described as a “major wave change” in Putin’s attitude towards them.

While the Russian hacking organisation is not believed to be working under the direct orders of the Kremlin, groups based within Russia are expected to act within the boundaries set by the Kremlin.

Previously, there had been a fine line on how much impact Russian hacking groups could have on Western countries. In the past, the Kremlin has been willing to crack down on ransomware gangs if their actions caused too much diplomatic or reputational damage for Moscow.

In 2021, a ransomware attack on the US Colonial Pipeline led to gas shortages in several US states and ensuing panic. Inside Russia, the hack had been viewed as a “step too far”, according to sources, and several cyber criminals were arrested by Russia’s Federal Security Service (FSB), despite increased tensions between the US and Moscow.

However, the latest hack on the NHS leading to potentially life-threatening consequences showed the “gloves were off”, sources said.

Mr McGrath stated that this is a “significant escalation” in Russia’s use of “cyber armies” to attack UK national infrastructure.

Guy’s and St Thomas’ Hospital in London was among those hit by a Russian cyber attack (photo: PA)

PRODAFT investigators pointed to previous intelligence operations where they have witnessed communications between Russian hacking groups requiring higher authority from their leadership to attack NHS data, only to be denied on the basis of “not having another Colonial Pipeline”.

The Qilin group claims to have carried out the cyber attack as revenge for the UK Government’s actions in an undisclosed war. UK sources believe the hack was retaliation for Britain signalling it would allow Ukraine to strike targets in Russian territory with western weapons.

NCA Director Paul Foster told i: “The National Crime Agency is leading a criminal investigation into the recent cyber incident affecting hospitals.

“We are aware data has been published and we are working closely with the National Cyber Security Centre, NHS England and our international law enforcement partners, to progress our investigation and support the incident response.

“As the investigation is ongoing I’m unable to comment further at this time.”

The hack led to a critical incident being declared at NHS trusts. It forced King’s College Hospital (KCH) and Guy’s and St Thomas’ (GSTT) health service trusts to cancel 1,134 planned operations and 2,194 outpatient appointments – including 184 cancer procedures and 64 organ transplants.

“Yes we know about the situation,” the hackers told the BBC. “We are very sorry for the people who were suffered because of it. Herewith we don’t consider ourselves guilty and we ask you don’t blame us in this situation.”

The hackers said the UK Government should be blamed instead.

The NCA and NCSC want the public and UK organisations to remain alert to possible cyber crime, and to tell the authorities at the earliest possible opportunity if they think they have been targeted.

The Foreign Office and the Russian Embassy did not respond to requests for comment.
