Don’t blame us for people’s suffering – London hospital hackers

Image caption: The hackers’ logo as it appears on their darknet sites

  • Author, Joe Tidy
  • Role, Cyber Correspondent, BBC World Service

The cybercriminals responsible for causing a major breach at London’s hospitals say they are “sorry” for all the damage caused but “are not to blame”.

The ransomware gang spoke to the BBC on the encrypted chat service qTox in an attempt to justify the attack as a form of political protest.

Qilin, which has a well-established record of attempted extortion, claims in this case that it carried out the cyberattack in retaliation for the UK government’s actions in an undisclosed war.

But experts are skeptical, with Jen Ellis of the Ransomware Task Force telling the BBC that “cybercriminals like this gang routinely lie”.

“Where they are from and why they carried out the attack is secondary to the damage that is now being done to patients and hospital staff,” she added.

The hack led to the postponement of more than 1,000 operations and appointments and the declaration of a critical incident.

“Yes, we are aware of the situation,” the hackers said in broken English.

“We are very sorry for the people who suffered because of this. We do not consider ourselves guilty of this and ask you not to blame us in this situation.”

The hackers said the UK government should be blamed for not helping in an unspecified war.

The gang, which like many ransomware crews is believed to be based in Russia, did not say where it was located.

It said the British government “doesn’t give a penny to the lives of those fighting on the front lines of the free world”, echoing language used to describe Ukraine’s fight against the Russian invasion.

But it could also refer to Russian troops fighting against Ukraine.

The group says it set out to target blood testing firm Synnovis, which is used by two London NHS trusts.

“Our citizens are dying in an unequal struggle due to the lack of medicine and donor blood,” it said.

It would be unusual, but not unprecedented, for the Qilin hackers to be in Ukraine, where many alleged ransomware hackers have been arrested in recent months.

In Russia, it is very rare for hackers to be arrested because the government there refuses to cooperate with the demands of Western law enforcement agencies.

Qilin declined to be more specific about its political affiliation or geography “for security reasons”.

It’s the first time the crew have claimed a political motive for their hacks – Qilin has been tracked since 2022 for criminal hacks against schools, hospitals, companies, councils and healthcare organisations.

Image caption: Organs were transferred to other trusts for transplant and planned caesareans were rescheduled, the NHS said

Once it has infected a computer network or stolen private data, the gang demands a ransom in bitcoins from victims to restore systems to normal.

On their darknet page, crew members regularly post details of their latest victims – of the dozens currently listed, there are no others allegedly linked to political activism.

They haven’t released the stolen data from Synnovis yet, but threatened to do so soon: “Stay tuned,” they said.

The hack of the London hospitals was first reported on June 3 when pathology services provider Synnovis said all its IT systems were offline.

This meant that blood tests and information sharing could not be done using normal computer systems.

The NHS trusts affected are Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust, with patients affected at four hospitals as well as GP services in Bexley, Greenwich, Lewisham, Bromley, Southwark and Lambeth.

One hospital doctor told BBC London that blood tests that used to take an hour can now take up to six hours because the systems needed to process them are down.

Image caption: Once challenged by the BBC, the hackers refused to answer further questions

According to NHS London, five planned caesareans were rescheduled and 18 organs diverted for use by other trusts, while 736 hospital outpatient and 125 community outpatient appointments had to be postponed.

Optional tests for blood-borne viruses (HIV, Hep C and Hep B) are also currently suspended.

Primary care appointments are running as usual, but blood tests are being prioritised for urgent cases.

Synnovis says it is working to restore its IT systems and has not confirmed whether or not Qilin is holding them for ransom.

The BBC asked Qilin how it could justify harming innocent people; the gang said “this conversation is over” and has not responded since.
