Qilin: We knew our Synnovis attack would cause a healthcare crisis at London hospitals
Cybercriminals claim they used a zero-day to breach pathology provider’s systems
Interview The ransomware gang responsible for a healthcare crisis at London hospitals says it has no regrets about its cyberattack, which was entirely deliberate, it told The Register in an interview.
Qilin says Synnovis, a partnership between pathology services company Synlab and two London NHS Trusts, wasn't targeted by accident. Asked if it knew a healthcare crisis in the UK capital would ensue as a result of its attack on that organization, should they be successful, a spokesperson for the group said: "Yes, we knew that. That was our goal."
They went on to say their cyber-assault was politically motivated: "All our attacks are not accidental. We choose only those companies whose management is directly or indirectly affiliated with the political elites of a particular country. The politicians of these countries do not keep their word, they promise a lot, but are in no hurry to fulfill their promises."
Without naming any countries or events specifically, and in vaguely incoherent English, they alluded to politicians withholding "high-quality" medicines from other countries while keeping "a peaceful sky" above their own heads.
Experts have also questioned the political explanation, given the gang has been more opportunistic rather than idealistic in its targets.
For example, SOCRadar noted last week that Qilin is known for targeting the healthcare and education sectors not because of politics but because of their reliance on uptime and the sensitivity of the data they hold.
Louise Ferrett, senior threat intelligence analyst at Searchlight Cyber, questioned the alleged ideology behind the attack, suggesting it could have been fabricated given the media attention surrounding the incident.
"Qilin was considered a financially-motivated threat actor so political targeting doesn't align with their usual modus operandi," she said. "It is possible that, in this case, the gang decided to mix financial gain with proving a political point.
"However, it is also possible that this wasn't deliberate targeting but - as the attack became big news due to its impact on hospitals - Qilin took the opportunity to bolster their reputation and play the role of the noble hacktivists."
Despite the deliberate intent of the attack, Qilin somewhat backhandedly said it was sympathetic to the people of London who are now suffering as a result.
"We sincerely sympathize with ordinary residents of London and other British cities who have become hostages of this situation," the spokesperson told The Register. "But we will never regret what we do, because this is a struggle.
"We hope that no one was hurt and we urge ordinary people to think about the true problems that led to this situation."
But, of course, people are hurting in London right now. More than 1,500 operations and appointments have already been canceled, per the NHS' update on June 14 – a figure that's almost certainly rising by the day.
Stories are already being told of elderly Londoners having crucial procedures canceled and facing the prospect of their condition becoming terminal if those procedures are not swiftly rearranged.
$50 million ransom
The main question surrounding any attack carried out by a ransomware gang is the sum of money they demand in exchange for data not being published.
Qilin told us the ransom demand was set at $50 million, but the gang itself ultimately "stopped all conversations and cut off contact" after Synnovis allegedly stalled for too long.
"The company had enough time to make the right decision," the spokesperson said.
Asked about the claims made by the criminals, Synnovis refused to comment on specifics, only saying "our investigation is ongoing".
"Synnovis is aware of reports that an unauthorized third party has claimed responsibility for this recent cyberattack. Our investigation into the incident remains ongoing, including assessing the validity of the third party's claims and the nature and scope of the data that may be impacted.
"We have notified relevant authorities, including The Information Commissioner's Office (ICO), and continue to work with the NCSC and third-party specialists who are assisting with our investigation. Once further information is known we will report in line with ICO requirements and prioritize the notification of any impacted individuals or partners as required."
Qilin said it believed $50 million was a "fair price" considering its claim to have stolen more than one terabyte of data, which it told us is all due to be leaked "in the coming days."
Since our interview with Qilin was held, Synnovis has appeared on the gang's leak blog in a post that states all the company's data will be leaked today, June 20.
Zero-day claim
Asked how it gained an initial foothold in Synnovis' systems, Qilin wouldn't reveal much in the way of details.
"We cannot answer this question, especially for free."
Ransomware gangs often market themselves as penetration testing specialists offering an expert service out of the goodness of their hearts, rather than admitting they're criminals.
That may explain the lack of an answer; alternatively, the gang may simply be wary that revealing its tradecraft would impede future cyber assaults.
However, Qilin did claim it used a zero-day vulnerability, yet didn't specify in what product that vulnerability was found or how it acquired it.
Again, we asked both Synnovis and the UK's NCSC about this but neither offered a confirmation or denial on the matter.
Ferrett, however, said it's entirely possible that Qilin is a sophisticated ransomware gang that was able to source its own zero-days.
"We have previously observed ransomware operators exploiting zero-day vulnerabilities to compromise their victims, especially larger and more established gangs," she said. "Qilin fits that profile so there is no specific reason to doubt their claims.
"We have seen the group on hacking forums looking to recruit experienced 'pentesters' so it is possible that someone within the group or one of their affiliates identified a zero-day vulnerability that enabled this attack."
However, it should also be noted that cybercrims are known for inflating their claims and have in the past labeled any vulnerability exploit as a so-called zero-day. So, as ever, with the accounts of criminals, it's advisable to take Qilin's words with a pinch of salt.
As with the details about the intrusion, Qilin was equally sheepish when asked about the organization itself, namely its composition and location: "We have hundreds of associates, but we cannot say anything specifically about any of them. This is a matter of our security."
Despite being named after a Chinese mythological creature, Qilin is widely believed to be an operation running out of Russia. It operates much like others in Russia have in the past and appears to target Western organizations and not those in countries allied to Russia, which would allow it to maintain its protected status at the Kremlin. ®