Cyber criminals target NHS private temping service

In May 2024, cybercriminals infiltrated the systems of NHS Professionals (NHSP) and stole a copy of its Active Directory database, an incident the healthcare organization never disclosed publicly.

NHSP is a private arm of the Department of Health and Social Care that dispatches temporary clinical and non-clinical staff across NHS trusts in England. Currently, it has 190,000 registered healthcare professionals and over 1,000 employees working directly for the organization.

The Register has gained access to a Deloitte report that summarises what happened, what was stolen, and more.

How the compromise occurred

Deloitte believes the attackers broke in through a compromised Citrix account called LMS.Support2, though how that account was compromised is not known. Over the following days they escalated privileges to domain administrator level and moved laterally across NHSP’s network using the RDP and SMB protocols.

The attackers also deployed malware, including Cobalt Strike beacons, although investigators could not confirm whether those deployments succeeded. They then used WinRM to access the domain controllers and exfiltrated the Active Directory database, packaged as a ZIP file, to an external physical drive mapped through Citrix.
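
The attack chain above (one account hopping across hosts over RDP and SMB, then reaching the domain controllers over WinRM) is the kind of pattern that the logging Deloitte found insufficient should have surfaced. The following is an added detection example, not code from the Deloitte report or from NHSP: it runs two checks over constructed Windows Security 4624 logon records (hypothetical host names; the domain controller and approved-admin-host sets are assumptions).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4624 (successful logon) records,
# reduced to the fields the checks need. Host names are hypothetical.
# LogonType 3 = network logon (SMB, WinRM), 10 = RemoteInteractive (RDP).
EVENTS = [
    {"time": "2024-05-01T09:00:00", "account": "LMS.Support2", "host": "WS-042", "src": "CTX-VDA-01", "logon_type": 10},
    {"time": "2024-05-01T09:20:00", "account": "LMS.Support2", "host": "FS-01",  "src": "WS-042",     "logon_type": 3},
    {"time": "2024-05-01T09:35:00", "account": "LMS.Support2", "host": "APP-07", "src": "WS-042",     "logon_type": 3},
    {"time": "2024-05-01T09:50:00", "account": "LMS.Support2", "host": "DC-01",  "src": "WS-042",     "logon_type": 3},
    {"time": "2024-05-01T10:05:00", "account": "da.backup",    "host": "DC-01",  "src": "PAW-01",     "logon_type": 3},
    {"time": "2024-05-01T14:00:00", "account": "j.smith",      "host": "WS-011", "src": "CTX-VDA-02", "logon_type": 10},
]

DOMAIN_CONTROLLERS = {"DC-01", "DC-02"}   # assumption: the site's tier-0 hosts
APPROVED_DC_SOURCES = {"PAW-01"}          # assumption: hardened admin workstations only


def _t(stamp):
    return datetime.fromisoformat(stamp)


def lateral_fanout(events, window=timedelta(hours=1), min_hosts=3):
    """Accounts that reach >= min_hosts distinct hosts via RDP or network logons
    inside a single sliding window. Returns {account: sorted host list}."""
    by_account = defaultdict(list)
    for e in events:
        if e["logon_type"] in (3, 10):
            by_account[e["account"]].append(e)
    hits = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: _t(e["time"]))
        for i, start in enumerate(evs):
            hosts = {x["host"] for x in evs[i:]
                     if _t(x["time"]) - _t(start["time"]) <= window}
            if len(hosts) >= min_hosts:
                hits[account] = sorted(hosts)
                break
    return hits


def dc_access_from_unapproved_source(events):
    """Logons to a domain controller from anything other than an approved admin host."""
    return [(e["account"], e["host"], e["src"]) for e in events
            if e["host"] in DOMAIN_CONTROLLERS and e["src"] not in APPROVED_DC_SOURCES]
```

Both checks fire on the LMS.Support2 sequence and stay quiet for the approved admin logon and the ordinary user session.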

What was stolen

According to The Register, a spokesperson for NHSP said, “We identified and successfully dealt with an attempted cyberattack in May last year. Our cybersecurity systems and future mitigation ensured no disruption to our services, and we found that no data or other information was compromised, despite the attempt.”

Contrary to the statement, though, the Active Directory, containing every user’s hashed credentials, was found to have been stolen. Some NHS insiders believe that the attackers’ ultimate goal was to deploy ransomware, but fortunately, the attack never got that far.

Why the attack succeeded

Deloitte identified multiple weaknesses in the NHSP network, including:

  • Lack of multi-factor authentication on domain-privileged accounts
  • Poor endpoint detection and response tooling
  • Insufficient event logging, which prevented proper analysis
  • Inadequate network segmentation and excessive permissions

In its report, Deloitte laid out the essential actions NHSP needs to take to reduce risk and improve security, grouped under two main objectives: building cyber resilience and improving the operational effectiveness of its technology.

The takeaway

The NHS Professionals breach is yet another reminder that outdated or incomplete technology infrastructure can leave essential industries vulnerable. In today’s threat landscape, organizations must invest in resilient, modern systems sooner rather than later.
