Liverpool’s Alder Hey Children’s NHS Foundation Trust has revealed that a shared service operated by itself and Liverpool Heart and Chest Hospital NHS Foundation Trust was the source of an INC Ransom intrusion that has affected patient data at both hospitals, as well as Royal Liverpool University Hospital.
The attack, which came to light on 28 November, has seen data exfiltrated from the Trusts’ IT systems, but is not linked to a separate ransomware attack against Wirral University Hospitals NHS Foundation trust, which unfolded a few days earlier and has been linked to the RansomHub crew.
In an update shared on 4 December, Alder Hey said: “Criminals gained unlawful access to data through a digital gateway service shared by Alder Hey and Liverpool Heart and Chest Hospital.
“This has resulted in the attacker unlawfully getting access to systems containing data from Alder Hey Children’s NHS Foundation Trust, Liverpool Heart and Chest Hospital, and a small amount of data from Royal Liverpool University Hospital.
The Trust said its investigation into exactly what data has been stolen is ongoing, and this may take some time. It warned that there was a possibility that the ransomware gang may publish the data before its investigation is complete, an indication that it is standing firm and resisting demands, as is public sector policy in the UK.
“As soon as we are able to update on the impact to people’s data, we will provide a further update. Work is continuing with the National Crime Agency to secure impacted systems and to take further steps in line with law enforcement advice. We are also following guidance from the Information Commissioner’s Office and will ensure that anyone impacted by this data breach is contacted directly and supported,” Alder Hey said.
It emphasised that its core frontline services remain unaffected and are running as usual – patients should still attend appointments as scheduled.
The Trust’s added that its recovery efforts were making strong headway, saying: “As part of our response to this threat we have made progress in securing impacted systems and ensuring the attackers do not have continued access. This means that we are in a position to begin to reconnect our systems when it is safe to do so.”
Was Citrix Bleed involved?
Alder Hey’s assertion that a digital gateway service served as the entry point for INC Ransom’s operators appears to confirm earlier reports – per Infosecurity – that the gang attacked a Citrix instance operated by the Trust.
If this was the case, the gang likely used a critical vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and Citrix NetScaler Gateway appliances, tracked as CVE-2023-4966, but more commonly known as Citrix Bleed.
Discovered towards the end of 2023, Citrix Bleed enables both session hijacking and data disclosure. It is one of the most widely exploited zero-days of the past 12 months and has been widely used in ransomware attacks – notably a number of high-profile incidents involving the LockBit gang. According to Secureworks’ intelligence, INC Ransom has also targeted it with great enthusiasm.
Rafe Pilling, director of threat intelligence at the Secureworks Counter Threat Unit, said: “Criminal gangs are opportunistic in the hunt for the next pay-out, the impact of their actions is not their concern. The fact that this is a highly specialist children’s hospital will not cause them to lose any sleep. We have previously seen Gold Ionic – the group that operates INC ransomware – hit NHS Dumfries and Galloway. These attacks on front line healthcare underline that this sector, is a vulnerable target and must be protected.
“INC ransom was one of the most active threat groups the Secureworks CTU observed over the past year, having started operating in July 2023. Its victims are predominantly based in the US, however it’s global reach is growing. Its victims represent a wide range of sectors, but the most common are industrial, healthcare and education organisations.”
