The U.K. government holds North Korea responsible for the global WannaCry ransomware attack that crippled parts of the state-run National Health Service as a damning report highlighted its weak defense against such attacks.
While the rogue Asian state has long been suspected as the culprit, this is the first time it’s been officially acknowledged by Britain.
“This attack, we believe quite strongly came from a foreign state,” U.K. Security Minister Ben Wallace told BBC radio. “North Korea was the state that we believe was involved in this world-wide attack on our systems. We can be as sure as possible.”
He added that the U.K. has been developing cyber weapons but warned that “tit for tat” attacks against “hostile states” would have consequences for ordinary citizens — everyone needs to update their software and change passwords — and that major companies were at risk.
The National Audit Office criticized the Department of Health for being too slow to improve critical IT systems, in a report published Friday. It said reports from the National Data Guardian and Care Quality Commission published in July 2016 warned the government that cyber attacks could jeopardize patient security, but the health-care department had not made significant enough improvements by the time WannaCry struck.
“It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice,” the head of the NAO, Amyas Morse, said in an emailed statement.
After WannaCry began infecting Microsoft Corp. Windows-powered computers via the internet on May 12, users were given 72 hours to pay $300 in bitcoin — chosen by the hackers because the crypto currency is harder to track than conventional payments — or pay twice as much. If they refused to pay after seven days, their computer would be permanently locked.
The NHS was not specifically targeted — companies such as FedEx Corp. and Nissan Motor Co. were also compromised — but the NAO concluded Friday that 81 of the 236 NHS trusts were affected in some way by the attack, either by direct infection or voluntary shutdown of networked hardware as a precautionary measure. Trusts include regional hospitals and ambulance services. In addition, 595 local doctor’s offices were infected with the virus.
Keith McNeil, chief clinical information officer for Health and Care at the NHS, said in a statement that “many lessons had been learned” from the incident, but “as the NAO report makes clear, no harm was caused to patients and there were no incidents of patient data being compromised or stolen.”
He said an extra 21 million pounds ($28 million) has been made available “to increase the cyber resilience of urgent and emergency care, starting with major trauma centers.”
Click here to read a QuickTake about ransomware attacks
While NHS computers and email accounts were inaccessible during the attack, local medical staff would communicate with each other via Facebook Inc.’s WhatsApp messenger service, as well as telephone. In part, doing so was the result of what the NAO concluded was a lack of clear guidelines for responding to a major cyber attack.
The use of WhatsApp in particular was in stark contrast to NHS guidance in 2015 that said the service “should never be used for the sending of information in the professional health-care environment.”
The organization had appeared to have softened its stance as soon as May 25, when an NHS Digital guide to the use of social media said services like WhatsApp should not be used for work or official communications “unless it is part of your responsibilities”.
Home Secretary Amber Rudd said earlier this year that WhatsApp should open its encryption to security services to help combat terrorism — a so-called backdoor that would make it technically possible for a third party to access the platform’s encrypted contents. Many security experts have criticized the demand, and Facebook has resisted them.
Dan Taylor, head of security at NHS Digital, the health service’s IT provider, welcomed the outcome of the NAO’s report and said WannaCry’s impact on Britain’s health services was significant.
The NAO’s report concluded that although no ransom was paid by the NHS to regain access to medical systems, the organization would have spent additional money to cover additional IT support, national and local staff working overtime and canceled appointments.