French IT outsourcer Sopra Steria hit by 'cyberattack', Ryuk ransomware suspected

You know, the firm that runs half of NHS Shared Business Services


French-headquartered IT outsourcer Sopra Steria has been struck by a “cyberattack,” reportedly linked to the Ryuk ransomware gang.

The business declined to say what had happened, though French media reports indicated (en francais) that Sopra Steria’s Active Directory infrastructure had been compromised, seemingly by hackers linked to the Ryuk malware crowd.

Sopra Steria declined to comment when The Register contacted it, beyond referring us to a regulatory statement published last night at 19:15 CEST (18:15 UK time).

This said:

A cyberattack has been detected on Sopra Steria’s (Paris:SOP) IT network on the evening of 20th October. Security measures have been implemented in order to contain risks. The Group’s teams are working hard for a return to normal as quickly as possible and every effort has been made to ensure business continuity.

The outsourcer also runs a joint venture with the UK Department of Health and the NHS, NHS Shared Business Services, which just this week awarded a £500m framework to a number of smaller firms. That same joint venture was found back in 2017 to be responsible for the biggest ever loss of patient documents - more than 708,000 items of correspondence, including test results.

Authorities in France are said to be investigating.

Infosec blogger Graham Cluley opined: “Naturally Sopra Steria’s corporate clients, some of whom rely upon the firm to operate their core business processes and IT systems, will be concerned and will have plenty of questions regarding the nature of the attack.”

Sopra Steria is a member of France’s Cyber Campus, an industry-led initiative to spread cyber security awareness, training and product sales. Some local news outlets interpretted the attack as an embarrassment, though the blunt truth is that phishing attacks which lead to ransomware infections tend to be very difficult for non-specialists to spot.

There is hope at hand for Sopra Steria, however, if the malware is indeed RYUK. In late 2019 an infosec firm declared it had obtained a decryptor for the ransomware, meaning victims do not necessarily need to pay criminals to get their files back.

Over on this side of the channel, the IT outsourcer was this month in court amid allegations of unpaid invoices and substandard work. ®


Biting the hand that feeds IT © 1998–2020