NHS computer systems hacked!?

Arazi · 14 May 2017 at 13:34

FutileBreadMachine said:
I was working there at the end of last year on a contract when someone in support sent a test email to a new Outlook distribution group which they had accidentally added pretty much the entire NHS staff mailing list to. Then people started doing "Reply All" to the message saying things like "Please remove me from this group"/"You sent me this in error" and this multiplied out into millions(?) of emails and brought the entire NHS email system to a halt. It even ended up on the BBC and I believe The Sun even named the support person who sent the initial email.

I worked there for just over 6 years in different trusts, some of the things you see are shocking.

Rroff said:
Previously they've been less sophisticated and not utilised capabilities like SMB to break out from the initial infection - as I've been saying in some of the threads slowly these are being packaged up with more sophisticated tools and increasingly there is attention being paid to things like infecting IoT devices or hiding copies of it away in device firmware (for instance NAS boxes) to reactivate at a later date when people think the infection has gone, etc. I'm not quite sure at what level and on what timeframe that kind of stuff is making its way into the wild.

I agree, I still think this was sat there waiting to be triggered, similar to what you said earlier, embedded with some form of hardware maybe, this came in from the N3 spine from what i have read, caged above has supplied some great links also.

There are 1.5 million plus people working in the NHS, if this was just a simple click on a wrong\dodgy email then it would happen everyday.

Arazi · 14 May 2017 at 13:38

Rroff said:
AFAIK current infections are stalled due to the "killswitch". The NHS has had people working through the weekend quarantineing and cleaning systems so there shouldn't be any mass event from people turning them on.

Ah yes, i forgot about that

StriderX · 14 May 2017 at 13:38

Was the spread just to quick for administrators to deal with?

Rroff · 14 May 2017 at 13:45

Arazi said:
I worked there for just over 6 years in different trusts, some of the things you see are shocking.

I still think this was sat there waiting to be triggered, similar to what Rroff said earlier, embedded with some form of hardware maybe, this came in from the N3 spine from what i have read, caged above has supplied some great links also.

There are 1.5 million plus people working in the NHS, if this was just a simple click on a wrong\dodgy email then it would happen everyday.

It is kind of strange - the way it suddenly burst out world wide doesn't fit any normal propagation pattern even for an aggressive worm and doesn't seem to have the normal patterns in relation to timezones, etc. which does suggest it has been loitering undetected waiting for some kind of trigger or something very odd going on. The pattern of updates on the live map also kind of suggests people turning infected systems on for the first time post some kind of triggering event rather than new infections (though that is largely just a guess based on instinct).

V F · 14 May 2017 at 13:45

Arazi said:
I worked there for just over 6 years in different trusts, some of the things you see are shocking.

Do tell!

Arazi · 14 May 2017 at 13:46

StriderX said:
Was the spread just to quick for administrators to deal with?

Yes, they probably watched it unfold but not really able to do anything, you can't just switch everything off

neil_g · 14 May 2017 at 13:47

StriderX said:
Was the spread just to quick for administrators to deal with?

i still recon the infection was probably some time in the past and that it was a timed payload. probably didn't know it was there until it was too late.

Arazi · 14 May 2017 at 13:49

Rroff said:
It is kind of strange - the way it suddenly burst out world wide doesn't fit any normal propagation pattern even for an aggressive worm and doesn't seem to have the normal patterns in relation to timezones, etc. which does suggest it has been loitering undetected waiting for some kind of trigger or something very odd going on. The pattern of updates on the live map also kind of suggests people turning infected systems on for the first time post some kind of triggering event rather than new infections.

I wonder if it could have been hidden in PLC's up and down the UK and elsewhere in the world, then triggered by whoever had the access.

neil_g · 14 May 2017 at 13:54

Arazi said:
I wonder if it could have been hidden in PLC's up and down the UK and elsewhere in the world, then triggered by whoever had the access.

maybe. im sure i've read of these types of malware having a scheduled activation.

would explain why so many different organisations were effected at the same time.

Arazi · 14 May 2017 at 13:56

V F said:
Do tell!

I wouldnt feel comfortable posting things about it on here, lets just say security, top to bottom, that was when i worked there and i don't expect things to have changed much.

Deleted member 77746 · 14 May 2017 at 13:57

Does this effect dropbox files or any files associated with syncing?

neil_g · 14 May 2017 at 13:59

mrbell1984 said:
Does this effect dropbox files or any files associated with syncing?

if the encryptyed files are local and sync'd off to dropbox then i guess that could be an issue.

Rroff · 14 May 2017 at 14:00

V F said:
Do tell!

My brother does IT contracting for the NHS and previously worked at a high level in IT at the NHS - have to be a bit careful though I don't want to get him into any trouble heh relaying some of the same kind of stories as Arazi could probably tell.

Arazi · 14 May 2017 at 14:00

Rroff said:
It is kind of strange - the way it suddenly burst out world wide doesn't fit any normal propagation pattern even for an aggressive worm and doesn't seem to have the normal patterns in relation to timezones, etc. which does suggest it has been loitering undetected waiting for some kind of trigger or something very odd going on. The pattern of updates on the live map also kind of suggests people turning infected systems on for the first time post some kind of triggering event rather than new infections (though that is largely just a guess based on instinct).

Fully agree, also, now that the killswitch has been broadcast worldwide then it is surely easier now for someone to change the domain to a different one and off we go again.

Arazi · 14 May 2017 at 14:01

neil_g said:
if the encryptyed files are local and sync'd off to dropbox then i guess that could be an issue.

Yes, same with any cloud storage, google drive etc.

Arazi · 14 May 2017 at 14:03

Rroff said:
My brother does IT contracting for the NHS and previously worked at a high level in IT at the NHS - have to be a bit careful though I don't want to get him into any trouble heh relaying some of the same kind of stories as Arazi could probably tell.

He will deffo know where im coming from

Rroff · 14 May 2017 at 14:03

Arazi said:
Fully agree, also, now that the killswitch has been broadcast worldwide then it is surely easier now for someone to change the domain to a different one and off we go again.

Its given time for systems to be patched against the SMB exploit (though I suspect a lot aren't) but it just shows how vulnerable business networks are to these things if better measures aren't taken - the next one could find an even nastier way to spreading.

Caged · 14 May 2017 at 14:05

Most cloud storage systems version their files though so you can roll back.

Rroff · 14 May 2017 at 14:06

Caged said:
Most cloud storage systems version their files though so you can roll back.

I really should look at some kind of local versioning - currently I just manually rotate backup drives.

Deleted member 77746 · 14 May 2017 at 14:07

Caged said:
Most cloud storage systems version their files though so you can roll back.

I'm not going to take any chances. I know what I'm going to be busy with tomorrow AM. I've already sent an email tonight about it.