© intel.malwaretech.com
A tool known as Eternal Blue developed by US spies was used by the hackers to make an existing form of ransomware known as WannaCry more virulent, three senior cyber security analysts said.
Their analysis was confirmed by western security officials who are still scrambling to contain the attack that hit hospitals and doctors' practices across the UK.
The same or similar virus was used in a large scale attack on Telefónica, Spain's main telecoms provider. The People's Daily in China tweeted that similar attacks may have hit China.
Ransomware encrypts data on computers and demands a fee typically payable in untraceable digital currency to unlock them. Infection is almost always made by email but the latest version of WannaCry spread laterally through the computer networks of infected organizations.
The NSA's eternal blue exploit allows the malware to spread through file-sharing protocols set up across organizations, many of which span the globe. Security officials in the UK, which has been among the countries worst hit, currently believe the attacks are the work of a criminal group, though they are still working to assess the full nature of the attack.
The UK's National Cyber Security Centre, an arm of GCHQ, has been put into a state of high alert. The speed and virulence of the infection has caught many by surprise. NHS Digital, the arm of the health service co-ordinating a response, said "a number" of NHS organizations had been affected. Hospitals in cities and towns such as London, Liverpool, York, Leicester, Derby and Glasgow were forced to close services, including cancelling operations and diverting ambulances to other hospitals. Staff were forced to use pen and paper.
Telefónica said that it had suffered a "cyber security incident" affecting the personal computers of "some" employees. In Portugal, the police cyber crime unit told local media that "large-scale" ransomware attacks had hit a number of Portuguese companies. There were unverified reports of cyber attacks in other countries, including Russia.
The NHS said that there was no evidence that patient data had been accessed but was continuing to assess the damage done by the hack. Downing Street said that the prime minister was being kept updated and that Jeremy Hunt, the health secretary, was being briefed by the NCSC. Dominic Grieve, chair of the intelligence and security committee, told the Financial Times that the government was not complacent about the threat from hackers. "The government has already allocated a colossal amount of resources to this . . . but you can't have 100 per cent guarantee that you cannot be hacked into." In October, Ben Gummer, Cabinet Office minister, warned that "large quantities of sensitive data" held by the NHS and government were being targeted by hackers — with the potential to disrupt Britain's energy, water and transport networks.
Barts Hospital, in central London, confirmed that it was among the hospitals to have been hit and said it had been forced to cancel routine appointments and divert ambulances to neighboring hospitals as the "major IT disruption" took hold. It asked the public "to use other NHS services wherever possible" and said that the IT breakdown was causing delays at all the hospitals within the trust. "We have activated our major incident plan to make sure we can maintain the safety and welfare of patients," it added. Technicians were turning away patients seeking blood tests and the electronic sign that determines the queue was switched off. "It's because of the computers," one staffer told a confused woman. One person said that managers at all levels were in meetings to assess the attacks. Patrick Ward, a salesman from Dorset, was poised to have open-heart surgery at Bart's on Friday when the computers went down. Mr Ward said he had been prepared for surgery when, just before 2pm, "the consultant came and said there's been a cyber attack and they could no longer do the operation". His doctor only performs the surgery for Mr Ward's condition, which is not life threatening, once a week, on Fridays. Mr Ward said he was told to expect a call on Monday with more information. "I've got to wait now."
A doctor working in a hospital in east London affected by the attack said staff had "turned everything off and we are sitting back and going on seeing patients as we normally do". Staff had reverted to paper records, he added. East and North Hertfordshire NHS Trust posted a statement on its website to say it was "currently experiencing significant problems with our IT and telephone network which we're trying to resolve as soon as possible". Hospital trusts and GP groups in Lancashire were also reporting problems. NHS Digital said it was "working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and to recommend appropriate mitigations". Vanessa Sandhu, a GP in Braintree, Essex, said: "We got a call from the CCG [Clinical Commissioning Groups] saying there had been a security breach. We all had to shut down our computers and unplug all cables from the walls. "It was scary — we had no idea what was going on. We didn't have access to our notes or patient medical records. We couldn't request blood tests or ultrasounds. We had to disconnect the surgery telephones so we couldn't communicate with other doctors or patients. We tried to see the patients in the building, but everyone else we told to go home. "We've had to close the surgery for the day. Some hospitals have had to shut down so it's going to be absolute carnage in A&E if you can't do emergency tests or get blood results for those most in need."
© PA
Reader Comments
to our Newsletter