# Incident Report: INC Ransom Extortion Targeting UK Children’s Hospital
## Executive Summary
The infamous INC Ransom group claimed responsibility for a cyber-attack on the Alder Hey Children’s NHS Foundation Trust in Liverpool, UK, resulting in the potential exfiltration of sensitive patient data, donor reports, and procurement documents from 2018 to 2024. The Trust confirmed that data had been published online, prompting an immediate investigation by the National Crime Agency (NCA), though critical services reportedly remained operational. The suspected initial access vector is exploitation of a known vulnerability in Citrix NetScaler appliances (**CitrixBleed**).
## Incident Details
- Discovery Date: November 28, 2024 (Date data was published online)
- Incident Date: Unknown, but occurred sometime prior to November 28, 2024
- Affected Organization: Alder Hey Children’s NHS Foundation Trust, and potentially Liverpool Heart and Chest Hospital NHS Foundation Trust (due to shared systems)
- Sector: Healthcare (NHS)
- Geography: Liverpool, UK
## Timeline of Events
### Initial Access
- Date/Time: Pre-November 28, 2024
- Vector: Suspected exploitation of **CVE-2023-4966 (CitrixBleed)** in Citrix NetScaler Gateway appliances.
- Details: This vulnerability leaks session tokens from appliance memory, allowing threat actors to hijack already-authenticated user sessions and thereby bypass MFA.
### Lateral Movement
- Details: Not explicitly detailed in the source report, but highly probable given access to data spanning multiple years (2018-2024).
### Data Exfiltration/Impact
- Date/Time: Claimed ongoing until data publication on November 28, 2024.
- Details: INC Ransom alleges obtaining large-scale patient records, donor reports, and procurement data spanning 2018 through 2024.
### Detection & Response
- Date/Time: November 28, 2024 (Trust acknowledgment).
- Details: The Trust confirmed data publication online. A Citrix instance associated with Alder Hey IT systems was observed to have stopped responding, indicating defensive action by cyber defenders. The Trust engaged the UK’s National Crime Agency (NCA) and other partners.
## Attack Methodology
- Initial Access: Suspected exploitation of **CVE-2023-4966 (CitrixBleed)** on Citrix NetScaler appliances.
- Persistence: Unknown.
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown, but successful in accessing sensitive data.
- Credential Access: Potential session hijacking via CitrixBleed exploitation.
- Discovery: Unknown.
- Lateral Movement: Inferred, given access to documents spanning multiple years (2018-2024).
- Collection: Patient records, donor reports, and procurement data.
- Exfiltration: Data published on INC Ransom's leak site.
- Impact: Data exposure, operational risk (though services maintained).
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Large-scale patient records, donor reports, and procurement data (affecting records from 2018-2024). Potentially affected Alder Hey and Liverpool Heart and Chest Hospital NHS Foundation Trust systems.
- Operational: Services were reported to be operating normally, and patients advised to attend appointments as usual.
- Reputational: Significant reputational damage due to the exposure of sensitive patient data on a public leak site.
## Indicators of Compromise
- Network Indicators (Defanged): None published in the source report; any network IOCs would relate to communication with the INC Ransom leak site infrastructure.
- File Indicators: Unknown.
- Behavioral Indicators: Successful session hijacking post-Citrix vulnerability exploitation; patterns of data staging/exfiltration over a long period (2018-2024).
## Response Actions
- Containment: A Citrix instance belonging to Alder Hey's IT systems was proactively taken offline by defenders while the investigation proceeded.
- Eradication: Investigation ongoing in partnership with the NCA.
- Recovery: Trust advised patients to attend scheduled appointments normally, suggesting core clinical systems remained functional or quickly restored. Statutory duties regarding patient data were cited as being addressed.
## Lessons Learned
- Critical third-party/remote access infrastructure (like Citrix NetScaler/ADC) must be rigorously patched, especially against high-severity vulnerabilities like CVE-2023-4966, as they serve as effective MFA bypass vectors for initial access.
- The existence of data spanning multiple years (2018-2024) suggests gaps in data retention policy enforcement or inadequate segmentation for legacy data storage.
- The prompt public confirmation and engagement with law enforcement were positive steps in managing public disclosure.
## Recommendations
- Immediately audit and apply patches for all Citrix NetScaler/ADC appliances, focusing specifically on remediating vulnerabilities like CVE-2023-4966 if not yet addressed.
- Implement robust monitoring and alerting on Citrix gateways for anomalous session activity, even post-MFA authentication.
- Review and segment historical data stores maintained on the network to limit the scope of potential future exfiltration events.
- Ensure incident response plans include clear communication protocols for joint investigations involving shared infrastructure (e.g., between Alder Hey and Liverpool Heart and Chest Hospital).
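The second recommendation above (alerting on anomalous gateway session activity even after MFA) can be illustrated with a small detection routine. This is an added example, not part of the original report and not Citrix's own tooling: it runs over constructed sample log lines in a simplified, hypothetical gateway format (not NetScaler's real log layout) and flags any session id that is used from a source IP which never performed the MFA-backed session start, the behavioural signature of a replayed CitrixBleed session token.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a simplified, hypothetical gateway format
# (assumption: not Citrix NetScaler's real log layout). Each line records a
# session event with its session id, authenticated user and client source IP.
# Session a1f3 is started by 203.0.113.10 (with MFA) and later reused from
# 198.51.100.77, which never authenticated: the hijack pattern to alert on.
SAMPLE_LOG = """\
2024-11-20T08:01:12Z SESSION_START sid=a1f3 user=jsmith src=203.0.113.10 mfa=ok
2024-11-20T08:05:40Z SESSION_USE sid=a1f3 user=jsmith src=203.0.113.10
2024-11-20T08:07:03Z SESSION_USE sid=a1f3 user=jsmith src=198.51.100.77
2024-11-20T09:12:55Z SESSION_START sid=b7c2 user=ahall src=203.0.113.22 mfa=ok
2024-11-20T09:15:10Z SESSION_USE sid=b7c2 user=ahall src=203.0.113.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) sid=(?P<sid>\S+) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse_events(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_hijack_candidates(events):
    """Return {sid: {"user", "started_from", "unexpected_srcs", "first_seen"}}
    for every session that is used from a source IP which never issued a
    SESSION_START for that sid. A stolen token replayed from the attacker's
    host produces exactly this: activity without a matching authentication."""
    sessions = defaultdict(lambda: {"user": None, "started_from": set(),
                                    "unexpected_srcs": [], "first_seen": {}})
    for e in events:
        rec = sessions[e["sid"]]
        rec["user"] = e["user"]
        if e["event"] == "SESSION_START":
            rec["started_from"].add(e["src"])
        elif e["src"] not in rec["started_from"] and e["src"] not in rec["unexpected_srcs"]:
            rec["unexpected_srcs"].append(e["src"])
            rec["first_seen"][e["src"]] = e["ts"]
    return {sid: rec for sid, rec in sessions.items() if rec["unexpected_srcs"]}


if __name__ == "__main__":
    for sid, rec in find_hijack_candidates(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT sid={sid} user={rec['user']} replayed from {rec['unexpected_srcs']}")
```

In production the same logic would be fed from the gateway's real session logs and tuned for legitimate roaming (for example VPN or mobile carrier IP changes), which is why the rule keys on the absence of a new authentication rather than on an IP change alone.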