- An NHS organization was hit with a cyberattack
- The attack took place in May 2024 but was never publicly disclosed
- The attack against NHS Professionals appears to have been a failed ransomware attempt
A cyberattack targeting NHS Professionals, a private company owned by the Department of Health and Social Care, resulted in the theft of its Active Directory data, but the breach was never publicly disclosed, even though the attack took place in May 2024.
A report from The Register, citing a Deloitte incident report, noted that the attackers used a compromised Citrix account to gain initial access.
Once inside, the attackers stole a “very valuable ntds.dit file and engaged in further malicious activity”. The criminals moved laterally inside the organization’s network using RDP and SMB access, although it is not clear how they escalated their privileges to domain administrator level.
A major incident
NHS Professionals supplies temporary staff to NHS trusts throughout England, and has over 190,000 registered health professionals as well as over 1,000 employees.
Comments from insiders say the attack is suspected of being linked to Scattered Spider, and that it seemed to be an attempted ransomware attack, perhaps similar to the ransomware attacks carried out by the group earlier in 2025, which targeted three huge British retailers.
The Deloitte report also cites a lack of multi-factor authentication (MFA) on domain accounts as one of the primary reasons the attackers gained access. Alongside this, the organization did not have endpoint detection and response solutions deployed across its entire environment, which meant the criminals could move within the network undetected.
“Our cyber security systems and future mitigation ensured no disruption of our services, and we found that no data or other information was compromised, despite the attempt,” a spokesman for the health service confirmed.
“We worked quickly and closely with the most important partners, NHS England, the Department of Health and Social Care and the Information Commissioner’s Office, to investigate this incident.”
“NHS Professionals is obliged to meet the highest standards of cyber security and complies with the strict requirements for information management. We continue to remain vigilant according to our security policies and procedures.”



