Cyber attack on software supplier causes "major outage" across the NHS

The NHS website as seen on an internet browser
(Image credit: Shutterstock)

A software supplier to the UK’s National Health Service (NHS) has reportedly been the victim of a cyber attack leaving many services disrupted.

Emergency prescription services, ambulance dispatching systems, and the non-emergency 111 line, among others, are thought to be affected.

The attack has been confirmed by software supplier Advanced. The company told IT Pro that the incident was first spotted on Thursday morning and resulted in a loss of service.

Only a small proportion of the supplier’s servers were affected, its CEO Simon Short said, and all health and care environments were isolated as a precaution.

“Early intervention from our Incident Response Team contained this issue to a small number of servers representing an extremely small percentage of our Health & Care infrastructure,” said Short. “The protection of services and data is paramount in the actions we have and are taking.

“We continue to work with the NHS and health and care bodies as well as our technology and security partners focused on recovery of all systems over the weekend and during the early part of next week. In the meantime, those NHS impacted services will continue to operate using contingency.”

Short told Sky News that the affected servers comprised only 2% of its health and care infrastructure.

Advanced told IT Pro that an update on the incident is expected later today and has not yet responded to follow-up questioning.

The National Crime Agency (NCA) and National Cyber Security Centre (NCSC) are both involved in the investigations.

“The NCA is aware of a cyber incident affecting the company Advanced and is working with partners to better understand its impact,” it told IT Pro but declined to comment any further.

The disruption experienced across the NHS has been described differently by different arms of the organisation. A spokesperson speaking to the BBC said the disruption was “minimal”, however, the Welsh Ambulance Service described it as a “major outage of a computer system”.

An increasing number of experts have been vocal in their beliefs that the cyber attack could be ransomware in nature. The Telegraph first reported that there were indications that ransomware was involved but no official confirmation of these beliefs has been made yet.

“While no details have been released about the root cause of the 111 service outage, all signs would seem to indicate ransomware to be the cause,” said Javvad Malik, lead security awareness advocate at KnowBe4 to IT Pro.

Other experts have said that the threat actors behind the attacks are likely to be from Russia, given the UK's support for Ukraine during the ongoing war between the two eastern European countries, although the identities of the attackers have not been confirmed yet by officials.

It is currently unclear who is behind the attack or how they gained access to Advanced’s systems. An analysis of the major ransomware groups’ blogs shows none have claimed responsibility for the attack at present.

Ransomware groups have recently pivoted to a double extortion model. Victims typically have data stolen before the ransomware program infects and locks users out of their systems.

A negotiation period is usually afforded to victims, during which time the cyber attackers will attempt to convince the victim to pay a ransom to restore access to their systems and to prevent the leakage of the data that was stolen.

If a victim refuses to pay during a given timeframe, the data is usually posted online which presents legal, regulatory, and reputational risks to victims and their businesses.

The advice generally given to ransomware victims is never to pay the criminals. There is no guarantee they will restore access once the payment is made and to pay them is a direct act of funding crime.

Some organisations running critical services are forced to pay, however, given the operational necessity that their services continue, such as Colonial Pipeline’s incident last year.

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.