Exclusive: Cybercriminals broke into systems belonging to the UK’s NHS Professionals body in May 2024, stealing its Active Directory database, but the healthcare organization never publicly disclosed it, The Register can reveal.
NHS Professionals (NHSP) is a private organization owned by the Department of Health and Social Care (DHSC), tasked with providing temporary clinical and non-clinical staff to National Health Service trusts across England.
According to the latest available data obtained from its website, it has 190,000 healthcare professionals registered with it, plus over 1,000 employees working for the organization itself.
Insiders provided The Register with documents, including the incident response report compiled by Deloitte, which provided a detailed rundown of how the attackers broke in, stole the highly valuable ntds.dit file, and engaged in further malicious activity.
The attack was detected on May 15, 2024, and Deloitte said the criminals behind it broke in using a compromised Citrix account. The investigators were not able to figure out how that account, named “LMS.Support2,” became compromised.
Deloitte’s report stated that it could not determine how the attackers escalated their privileges, but that they reached domain admin level and moved laterally across NHSP’s network via RDP and SMB share access.
The report indicated that the criminals then started deploying malware binaries, including Cobalt Strike beacons, but due to several errors found in the system logs, the investigators could not be sure if the deployment was successful.
A day later, the attackers then used WinRM to move laterally using a domain admin account to access the domain controller, before “likely exfiltrating the Active Directory database via the established Citrix session.”
The report stated that the attackers mapped a physical drive on the device they are suspected to have been working from as a network share, and copied the AD database to it directly as a ZIP archive.
The following day, NHSP engaged Deloitte’s cleanup crew to help manage the remediation efforts.
A spokesperson for NHSP said: “We identified and successfully dealt with an attempted cyberattack in May last year.
“Our cybersecurity systems and future mitigation ensured no disruption to our services, and we found that no data or other information was compromised, despite the attempt.
“We worked quickly and closely with key partners NHS England and the Department of Health and Social Care, and the Information Commissioner’s Office, to investigate this incident.
“NHS Professionals is committed to the highest standards of cyber security and complies with the strict requirements around information governance. We continue to remain vigilant as per our security policies and procedures.”
The Register highlighted that, contrary to NHSP’s statement, Deloitte’s report stated that attackers likely stole data in the form of the AD database, and asked whether the organization would like to revise its statement accordingly. NHSP did not respond.
Deloitte also stated that the impact of the attack was unobserved and the incident was potentially contained before the attackers could reach their end goal, whatever that might have been.
NHS insiders, speaking to The Register on condition of anonymity, said that they suspect deploying ransomware was probably the objective, but the attack never got that far.
They also said the attack was suggestive of Scattered Spider’s involvement, although the Deloitte report stated that its investigators were unable to reliably attribute the attack to any single known group due to a lack of distinguishing tactics, techniques, and procedures (TTPs).
Although nothing as serious as a ransomware deployment unfolded as a result, experts said the theft of the Active Directory database, along with every user’s hashed credentials, amounted to a highly serious incident.
Rob Dyke, current director of platform engineering and former site reliability engineer at a London NHS Trust, described Deloitte’s telling of the incident as “a major event.”
Dyke, who also has extensive experience in the health tech space outside of the NHS, added: “Attackers must have gotten deep into the environment to achieve that.
“Theft of ntds.dit provides attackers with the keys to the kingdom – control over the entire Active Directory and, by extension, the entire network. It is a major compromise.
“Recovering from a compromise of this severity takes planning, time, and skills. It sounds like NHSP didn’t have these, so they called in Deloitte. I’m going to assume the worst-case here and say that cleanup would take many months of work.”
How NHS Professionals responded
Deloitte noted that NHSP completed the highest-priority actions to prevent repeat attacks quickly.
One of the main issues that allowed the attack to unfold was the lack of multi-factor authentication (MFA) on domain accounts. Deloitte’s report stated that during the attack, NHSP had tried to enable MFA on all applicable accounts, but noted that the process of deploying MFA across all accounts, and monitoring its deployment in line with NHS England’s MFA policy, was still ongoing.
The organization also didn’t have endpoint detection and response (EDR) solutions deployed to all assets in its environment, which allowed the attackers to move around the network undetected.
Again, during the attack, NHSP tried to deploy Microsoft Defender for Endpoint across all of its assets, but at the time of the report’s compilation in June 2024, several high-priority steps had still not been taken to achieve comprehensive coverage.
What it did complete immediately was a full AD take-back, resetting authentication certificates, and rotating all user passwords in its domain. It was a crucial step to mitigate the threat of the attackers cracking the hashed credentials to re-enter the environment.
NHSP also took action on its Citrix deployment, disabling drive mapping for all user accounts where there was no justifiable business reason for the feature – something that allowed the attackers to exfiltrate data.
The only other action fully completed, out of many suggested by Deloitte, was that NHSP performed a review of service account permissions, reducing them to the minimum required levels.
Security audit
At the time the report was issued to the NHS, Deloitte said NHSP was halfway through its recovery period: the attack had been contained, but the organization was still in the recovery stage.
What NHSP had not done at the time was complete the “remediate and harden” and “transformation” steps.
Many of the actions recommended by Deloitte were either in progress or not yet started, including but not limited to a comprehensive EDR rollout, cross-organization MFA deployment, and blocking the downloads of unrecognized programs.
The latter allowed the attackers to download and execute crypto miners and DLL files that have historically been linked with pre-ransomware activity.
NHSP’s logs also required work. Deloitte stated in its report that Windows Event Logs had a maximum size of only 16 MB on most servers, meaning that they retained records for only between 15 minutes and 12 hours before those records were overwritten.
This “significantly limited the evidence available to the investigation,” the report said. It also stated that NHSP was in the process of increasing the maximum size of logs, and forwarding those to a centralized management solution, such as a SIEM, but this wasn’t fully completed at the time.
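The 16 MB cap described above is the kind of setting a defender can audit before an investigation needs the records. The PowerShell script below is an added example, not part of the Deloitte report or NHSP’s tooling: it reads each log’s configured maximum size and uses the oldest and newest records to estimate how many hours of history the log currently covers, flagging logs under a threshold. The log list, the 1 GB threshold, and the `wevtutil` remediation line are assumptions to be adjusted to local policy; it assumes a Windows host with PowerShell 5.1 or later, run as an administrator so the Security log is readable.

```powershell
# Added example (not from the Deloitte report or NHSP): audit Windows Event Log
# capacity and the time window each log currently covers, so a small cap is
# noticed before evidence is lost. Threshold and log list are assumptions.
param(
    [long]$MinimumBytes = 1GB,   # assumed threshold; set per organizational/SIEM policy
    [string[]]$LogNames = @(
        'Security',
        'System',
        'Application',
        'Microsoft-Windows-PowerShell/Operational',
        'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    )
)

foreach ($name in $LogNames) {
    $cfg = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $cfg) { Write-Warning "$name not present on this host"; continue }

    # The oldest and newest records bound the window the log still holds;
    # once the cap is hit, a Circular log overwrites the oldest entries.
    $newest = Get-WinEvent -LogName $name -MaxEvents 1 -ErrorAction SilentlyContinue
    $oldest = Get-WinEvent -LogName $name -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    $span = if ($newest -and $oldest) { $newest.TimeCreated - $oldest.TimeCreated } else { $null }

    [pscustomobject]@{
        Log            = $name
        MaxSizeMB      = [math]::Round($cfg.MaxSizeInBytes / 1MB, 1)
        Records        = $cfg.RecordCount
        CoveredHours   = if ($span) { [math]::Round($span.TotalHours, 1) } else { 'n/a' }
        Mode           = $cfg.LogMode
        BelowThreshold = ($cfg.MaxSizeInBytes -lt $MinimumBytes)
    }
}

# Remediation for a flagged log, run deliberately rather than from this script:
#   wevtutil sl Security /ms:1073741824    # raise the Security log cap to 1 GiB
# Raising the cap only lengthens the local window; forwarding to a collector
# or SIEM is what preserves records beyond it.
```

Run it on a domain controller or Citrix host and the `CoveredHours` column shows directly how little history a small cap leaves; a value measured in hours on a busy server is the situation the report describes. Forwarding is the durable fix, because a local cap of any size is still overwritten eventually and is still on the host an attacker controls.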
NHSP insiders said some progress had been made on Deloitte’s recommendations, but there were still a number of issues that remained unresolved as of June 2025.
Dyke said this is “pretty much as expected.”
“It takes time, money, and skills to implement the essentials, and unless it’s a C-suite priority, they won’t get done.”
In its incident response report, Deloitte said: “There are various further action items which can be taken to reduce the risk further and achieve a level of security that is both appropriate to [the executive committee] risk appetite and in comparison to other organisations.”
These were broadly grouped under two main objectives: building cyber resilience through more stringent controls, and increasing technology operational effectiveness by transforming NHSP’s network for future requirements.
According to the NHS’s Data Security and Protection Toolkit, a self-assessment tool for UK healthcare organizations to see how their security fares against national standards, NHSP deemed its security to be of the highest order.
These national standards are set by the National Data Guardian, whose mission is to ensure England’s healthcare organizations handle the public’s data safely.
There are ten standards in total, spanning matters such as personal confidential data, data access management, incident response, continuity planning, IT protection, and more.
NHSP’s most recent submission, dated June 2024 – the month in which Deloitte’s report was handed over – noted that its status “exceeded” the national standards.
An NCSC spokesperson said: “We supported NHS Professionals and partners in response to an incident.”
Deloitte declined to comment on the matter.
An ICO spokesperson said: “We received a report from NHS Professionals and after assessing the information provided, we closed the case with no further action.”
The Register understands this case was closed since no personal data was accessed. ®