Russian Hack on Hospitals via 3rd Party

June 24, 2024

On June 3 2024, a ransomware attack by the Russian group Qilin allegedly targeted Synnovis, a key third-party supplier of pathology services for several London hospitals. The attack forced the cancellation of thousands of medical procedures. Since the cyber attack, the group has been attempting to extort a ransom payment from the NHS provider. [1] The ransomware gang allegedly gained access to the systems of Synnovis on June 3, exfiltrating and subsequently encrypting a large amount of data, leaving the IT systems unusable. This led to more than 3,000 hospital and GP consultations and operations being disrupted. [2]

The 400GB of stolen compressed files were posted to the group’s Telegram channel on June 20. Qilin states that it stole over 1TB of Synnovis’ extremely sensitive data, which reportedly includes patient names, dates of birth, NHS numbers and information relating to blood tests. [3] Business and financial records relating to Synnovis, GP centres and hospitals were also included in the data, according to the BBC.

The data was likely published because Synnovis was unwilling to pay the ransom. The published data can be valuable for cyber criminals as it may allow threat actors to conduct further illicit activities, including scam attempts against individuals who had their personal data stolen and further attacks against other related organisations. NHS England states the “files are not simple uploads and so investigations of this nature are highly complex and can take weeks if not longer to complete.” [2] The National Crime Agency and National Cyber Security Centre are currently working to verify the data. [4]

The threat actor group Qilin is thought to be based in Russia and began conducting cyber attacks against companies in October 2022. The group has previously targeted schools, healthcare organisations and other companies globally. Qilin does not target organisations based in Russia or the Commonwealth of Independent States, indicating the group’s Russian origin. The group is a financially motivated, opportunistic threat actor, aiming to receive a ransom payout from whichever organisation they can successfully compromise.

Healthcare services are a primary target for ransomware gangs, due to the sensitive data healthcare organisations collect and store. Furthermore, following the $22m ransom payment earlier this year by UnitedHealth Group, the healthcare sector has become a focus for ransomware operations. [1] The healthcare sector relies on a variety of third parties to provide specialised services. [5] Understanding and prioritising third-party risk management can help to mitigate the risks associated with compromises such as ransomware attacks. Black Room Intelligence provides solutions to monitor for compromised third parties in your supply chain and compromised staff credentials.

Black Room Intelligence has a specific focus on protecting UK organisations and provides an extensive third-party monitoring solution to detect and mitigate attacks against third parties. Our Russia and Asia Desks include analysts with significant language and geopolitical expertise, with the cybersecurity knowledge to follow ransomware trends and developments.

References

1. Stolen test data and NHS numbers published by hospital hackers. BBC. 2024 June 21. Available from: https://www.bbc.co.uk/news/articles/c9ww90j9dj8o

2. Synnovis cyber attack – statement from NHS England. NHS. 2024 June 21. Available from: https://www.england.nhs.uk/2024/06/synnovis-cyber-attack-statement-from-nhs-england/

3. Qilin cyber scum leak data they claim belongs to London hospitals’ pathology provider. The Register. 2024 June 21. Available from: https://www.theregister.com/2024/06/21/qilin_cyber_scum_leak_the/

4. Synnovis cyber incident. NHS. 2024 June 21. Available from: https://digital.nhs.uk/news/synnovis-cyber-incident

5. Cybersecurity and hospitals: Big risks come from third parties. Chief Healthcare Executive. 2024 May 3. Available from: https://www.chiefhealthcareexecutive.com/view/cybersecurity-and-hospitals-big-risks-come-from-third-parties
