NHS.UK Hacked by CL0P^_

This report confirms a high-severity, multi-vector compromise of the National Health Service (nhs.uk). Intelligence dated November 11, 2025, confirms nhs.uk has been listed on the “CL0P^_- LEAKS” dark web extortion site. This site is operated by the prolific, financially-motivated threat actor group TA505.

Key Insight (the “Two-Front War”): Analysis of the available intelligence indicates this is not a single incident. The organization is facing two simultaneous, distinct, and critical attacks that require parallel and immediate response:

  1. Incident 1 (Systemic Breach): A “Big Game” data exfiltration and extortion attack by the CL0P (TA505) group. We assess with high confidence this attack was not a traditional ransomware (encryption) event, but rather a large-scale data theft campaign. This breach was almost certainly achieved by exploiting Cleo Managed File Transfer (MFT) zero-day vulnerabilities (CVE-2024-50623, CVE-2024-55956). This campaign is systemic, targeted, and has resulted in a massive, currently unquantified data breach, impacting the organization at its core.
  2. Incident 2 (Widespread Compromise): A concurrent, high-volume “commodity” campaign by infostealer malware, primarily Vidar and X-FILES, targeting individual users (staff, patients, partners). This has resulted in the mass harvesting of NHS-related credentials for critical external-facing portals, including access.login.nhs.uk, jobs.nhs.uk, and Outlook Web Access (OWA). These credentials and the associated “logs” are actively being sold on dark web marketplaces like Exodus Market and Olux Shop.

Victim Scope: The “victim size” must be understood in two distinct parts.

  • For Incident 1, the victim is the entire NHS organization, which has been listed alongside more than 66 other global enterprises (e.g., PricewaterhouseCoopers, Shell, Siemens Energy, Deloitte) breached in the same Cleo MFT campaign.
  • For Incident 2, the victims are a large and growing number of individual users—staff, patients, and job applicants—whose accounts are now fully compromised and whose credentials are in the hands of multiple unknown threat actors.

Immediate Action Required: The Security Operations Center (SOC) must immediately initiate two parallel, high-priority workstreams:

  1. Incident Response (IR) for Incident 1: A full-scale incident response must be launched, commencing with an emergency audit and immediate patching of all Cleo MFT assets. All data that has transited these systems must be assumed exfiltrated and compromised.
  2. Containment for Incident 2: An immediate, mass-scale credential invalidation and forced password reset for all known-compromised accounts (listed in Section V) is required. This must be paired with an emergency rollout of mandatory Multi-Factor Authentication (MFA) on all affected portals.

Third-Order Implication: The two incidents, while likely operationally separate, create a compounding crisis. The commodity infostealer logs from Incident 2 provide a “fuel source” of initial access credentials for other threat actors (e.g., ransomware-as-a-service affiliates, Initial Access Brokers). These actors can and will use the stolen credentials to launch new attacks. This is exacerbated by the fact that the X-FILES stealer is known to capture session cookies, which can be used to bypass MFA. These secondary attackers will attempt to move laterally and establish persistence, all while the organization’s leadership and security teams are consumed by the CL0P data breach (Incident 1).
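The containment step for Incident 2 (mass credential invalidation paired with session revocation, since X-FILES captures session cookies that can bypass MFA), as an added example written for this report rather than code from any NHS or vendor tool: it parses a constructed stealer-log excerpt, keeps only the portals named above, and produces the per-portal reset list plus the hosts whose sessions must be revoked. The URL/USER/PASS block layout, the Netscape-style cookie section, the OWA hostname and every record are assumptions or constructed samples.

```python
"""Turn infostealer-log credential records into reset and session-revocation actions.

Added example for this report, not an NHS or vendor tool. The 'URL/USER/PASS'
block layout and the Netscape-style [Cookies] section are assumed approximations
of common stealer-log formats; the OWA hostname is a placeholder; every record
below is constructed."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Portals the report names as targeted; the OWA host is a constructed placeholder.
MONITORED_HOSTS = {
    "access.login.nhs.uk": "NHS login",
    "jobs.nhs.uk": "NHS Jobs",
    "owa.example-trust.nhs.uk": "Outlook Web Access (placeholder host)",
}

# Constructed sample log: four credential blocks and a cookie section.
SAMPLE_LOG = """\
URL: https://access.login.nhs.uk/account/signin
USER: alice.smith@example.nhs.uk
PASS: Winter2025!

URL: https://jobs.nhs.uk/candidate/login
USER: alice.smith@example.nhs.uk
PASS: Winter2025!

URL: https://www.unrelated-shop.example/login
USER: alice
PASS: hunter2

URL: https://owa.example-trust.nhs.uk/owa/auth/logon.aspx
USER: example-trust\\bob.jones
PASS: P@ssw0rd

[Cookies]
.nhs.uk\tTRUE\t/\tTRUE\t1767225600\tsession_id\tabc123
owa.example-trust.nhs.uk\tTRUE\t/owa\tTRUE\t1767225600\tX-OWA-CANARY\tdeadbeef
"""

CRED_BLOCK = re.compile(r"^URL:[ \t]*(\S+)[ \t]*\r?\nUSER:[ \t]*(.+?)[ \t]*\r?\nPASS:", re.M)


@dataclass
class Credential:
    host: str
    user: str


@dataclass
class TriageResult:
    reset_accounts: dict[str, set[str]] = field(default_factory=lambda: defaultdict(set))
    revoke_sessions: set[str] = field(default_factory=set)
    reused_users: set[str] = field(default_factory=set)
    ignored_hosts: set[str] = field(default_factory=set)


def parse_credentials(text: str) -> list[Credential]:
    """Extract (host, user) pairs; the password value itself is never retained."""
    return [Credential((urlsplit(url).hostname or "").lower(), user)
            for url, user in CRED_BLOCK.findall(text)]


def parse_cookie_domains(text: str) -> set[str]:
    """Collect cookie domains from the [Cookies] section (assumed Netscape layout)."""
    domains, in_cookies = set(), False
    for line in text.splitlines():
        if line.strip() == "[Cookies]":
            in_cookies = True
        elif in_cookies and line.strip():
            domains.add(line.split("\t")[0].lstrip(".").lower())
    return domains


def triage(text: str, monitored: dict[str, str] = MONITORED_HOSTS) -> TriageResult:
    """Map one stealer log onto reset, revocation and prioritisation lists."""
    result = TriageResult()
    seen_user_hosts: dict[str, set[str]] = defaultdict(set)
    for cred in parse_credentials(text):
        if cred.host in monitored:
            result.reset_accounts[cred.host].add(cred.user)
            seen_user_hosts[cred.user].add(cred.host)
        else:
            result.ignored_hosts.add(cred.host)
    # The same user on several monitored portals is a password-reuse candidate worth prioritising.
    result.reused_users = {u for u, hosts in seen_user_hosts.items() if len(hosts) > 1}
    # A cookie scoped to a parent domain (.nhs.uk) covers every monitored host beneath it,
    # so a session revocation is queued for each such host, not only for the exact match.
    cookie_domains = parse_cookie_domains(text)
    for host in monitored:
        if any(host == d or host.endswith("." + d) for d in cookie_domains):
            result.revoke_sessions.add(host)
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for host, users in sorted(r.reset_accounts.items()):
        print(f"reset {len(users)} account(s) on {host} ({MONITORED_HOSTS[host]})")
    print("revoke sessions on:", ", ".join(sorted(r.revoke_sessions)))
    print("credential reuse across portals:", ", ".join(sorted(r.reused_users)) or "none")
```

Order matters when acting on the output: reset the password first and revoke existing sessions afterwards, otherwise a stolen cookie can re-establish a session between the two steps. The parser deliberately drops the password field so the triage output can be shared with the service desk without re-circulating the stolen secrets.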

Incident 1: CL0P Extortion Campaign

This section provides a detailed analysis of the systemic, server-side breach that led to the CL0P^_- LEAKS dark web posting.

Threat Actor Profile

Identity: The threat actor TA505 (also known as the CL0P group, and overlapping with FIN11) is a highly sophisticated, financially motivated cybercrime syndicate believed to be Russian-speaking. The group has been operational since at least 2014 and is responsible for some of the most significant and widespread campaigns in recent history.

Modus Operandi: TA505’s history is one of evolution. The group was initially known for operating one of the largest botnets in the world, distributing malware via massive phishing and malspam campaigns. They were early adopters of ransomware, leveraging the CL0P variant (an evolution of the CryptoMix family) in “Ransomware as a Service” (RaaS) operations.

Pivotal TTP Evolution: A critical shift in TA505’s tactics has been observed. Historically, the group was synonymous with the “double-extortion” model: first exfiltrating sensitive data, then encrypting the victim’s network and demanding a ransom for both the decryption key and the deletion of the stolen data.

However, after a slowdown in 2023, the group dramatically pivoted its strategy. TA505 has moved away from the noisy, disruptive, and technically complex deployment of ransomware. The group now focuses almost exclusively on a new model: data-stealing-and-extortion. This new TTP, observed in the 2023 MOVEit campaign and now in this 2024-2025 Cleo campaign, focuses on identifying and exploiting zero-day vulnerabilities in enterprise-grade Managed File Transfer (MFT) solutions. This allows the group to conduct a “low-and-slow,” stealthy exfiltration of massive volumes of data without ever deploying a ransomware payload. The extortion demand is based solely on the threat of leaking the stolen data. The listing of nhs.uk on their leak site is the final stage of this new, streamlined kill chain.

Campaign Analysis

The intelligence listing nhs.uk is not an isolated event. The victim is listed alongside a “who’s who” of global corporations, including PricewaterhouseCoopers (PwC), Ernst & Young (EY), Deloitte, Shell, Siemens Energy, and Schneider Electric. This victimology is a perfect match for the known list of companies compromised in the large-scale “Cleo” campaign that took place in late 2024 and early 2025.

Initial Access

  • Vector: The attack vector was enterprise-grade Managed File Transfer (MFT) software developed by Cleo. The specific affected products are Cleo LexiCom, Cleo VLTrader, and Cleo Harmony. These platforms are designed for the secure exchange of sensitive documents between business partners, making them an ideal, high-value target for a data theft group like CL0P.
  • Vulnerability 1: CVE-2024-50623: This was the initial vulnerability exploited by TA505, likely in or before October 2024. It is described as an unrestricted file upload and download vulnerability that directly leads to Remote Code Execution (RCE) on the underlying server. CISA added this to its Known Exploited Vulnerabilities (KEV) catalog in December 2024.
  • Vulnerability 2: CVE-2024-55956: This is a second vulnerability that was exploited after Cleo released an initial patch for CVE-2024-50623. It allows an unauthenticated, remote attacker to execute arbitrary PowerShell or Bash scripts by manipulating the autorun directory. This demonstrates TA505’s high level of sophistication: they either discovered a patch bypass or had a second, independent zero-day vulnerability in reserve to continue their campaign.

Execution and Defense Evasion

  • Upon gaining RCE, CL0P operators executed arbitrary commands to enumerate the host system and connected network resources. The TTPs associated with CVE-2024-55956 specifically mention the execution of PowerShell and Bash scripts.
  • This TTP is consistent with, though slightly different from, their 2023 MOVEit campaign, where they were known to deploy a specific web shell named LEMURLOOT to maintain persistence and steal data. The IRT should hunt for both specific Cleo-related script execution and historical CL0P web shells. Research also notes that other, smaller groups (like “Termite”) may have also exploited these vulnerabilities, which can complicate forensic attribution efforts.
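A defender-side hunt over the MFT autorun directory that the emergency audit (Incident 1 workstream) and the hunt for Cleo-related script execution both call for, written for this report as an added example rather than Cleo's tooling or code from any CL0P research: it diffs the directory's file hashes against a known-good baseline, flags anything written inside the hunting window, and annotates PowerShell or Bash markers so an analyst can prioritise. The autorun path, the window start, the marker list and the sample entries are assumptions or constructed.

```python
"""Baseline-diff hunt over an MFT product's autorun directory.

Added example for this report; it is not Cleo's tooling and not from CL0P
research. Assumptions: the autorun folder path below is a placeholder, the
allow-list of legitimate file hashes comes from a known-good backup, and the
hunting window opens before the earliest suspected exploitation. Sample
entries are constructed."""
from __future__ import annotations

import hashlib
import os
from dataclasses import dataclass
from datetime import datetime, timezone

AUTORUN_DIR = "/opt/cleo/autorun"  # placeholder path, assumption

# The report states CVE-2024-55956 is used to run PowerShell/Bash scripts via autorun;
# these lowercase byte markers are a generic, constructed set of script indicators.
SCRIPT_MARKERS = (b"#!/bin/", b"powershell", b"-encodedcommand", b"invoke-expression", b"cmd.exe /c")

# Hunt window start: ahead of the "in or before October 2024" exploitation the report cites (constructed).
HUNT_WINDOW_START = datetime(2024, 9, 1, tzinfo=timezone.utc)


@dataclass
class Entry:
    name: str
    content: bytes
    mtime: float  # POSIX timestamp


@dataclass
class Finding:
    name: str
    sha256: str
    reasons: list[str]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_directory(path: str) -> list[Entry]:
    """Read every regular file in the autorun directory into Entry records."""
    entries = []
    with os.scandir(path) as it:
        for d in it:
            if d.is_file():
                with open(d.path, "rb") as fh:
                    entries.append(Entry(d.name, fh.read(), d.stat().st_mtime))
    return entries


def hunt_autorun(entries: list[Entry], baseline_hashes: set[str],
                 window_start: datetime = HUNT_WINDOW_START) -> list[Finding]:
    """Return every entry whose hash is absent from the known-good baseline,
    annotated with why it deserves analyst attention."""
    findings = []
    cutoff = window_start.timestamp()
    for e in entries:
        digest = sha256_hex(e.content)
        if digest in baseline_hashes:
            continue  # byte-identical to a known-good file
        reasons = ["hash not in baseline"]
        if e.mtime >= cutoff:
            reasons.append("written inside the hunt window")
        lowered = e.content.lower()
        hits = [m.decode() for m in SCRIPT_MARKERS if m in lowered]
        if hits:
            reasons.append("script markers: " + ", ".join(hits))
        findings.append(Finding(e.name, digest, reasons))
    return findings


def _ts(y: int, m: int, d: int) -> float:
    return datetime(y, m, d, tzinfo=timezone.utc).timestamp()


# Constructed sample: one legitimate scheduled-action file and two unexpected scripts.
LEGIT_XML = b"<Actions><Action name='nightly-export' schedule='daily'/></Actions>"
SAMPLE_ENTRIES = [
    Entry("nightly-export.xml", LEGIT_XML, _ts(2023, 5, 10)),
    Entry("update.ps1", b"powershell -EncodedCommand <base64 placeholder>", _ts(2024, 12, 8)),
    Entry("cleanup.sh", b"#!/bin/bash\nrm -f /tmp/.cache", _ts(2024, 12, 9)),
]
BASELINE = {sha256_hex(LEGIT_XML)}


def flagged_names(entries=SAMPLE_ENTRIES, baseline=BASELINE) -> set[str]:
    return {f.name for f in hunt_autorun(entries, baseline)}


if __name__ == "__main__":
    # Against a live host, replace SAMPLE_ENTRIES with load_directory(AUTORUN_DIR).
    for f in hunt_autorun(SAMPLE_ENTRIES, BASELINE):
        print(f"{f.name} {f.sha256[:12]}... -> {'; '.join(f.reasons)}")
```

The baseline is keyed on content hashes rather than file names so that a legitimate name reused for a dropped script is still flagged; the marker scan is only a prioritisation aid, and any non-baseline file in this directory should be preserved as evidence before the emergency patching step replaces or cleans it.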

Collection and Exfiltration

  • The singular goal of this campaign was data theft. After compromising the MFT servers, the attackers identified and exfiltrated sensitive data stores accessible to or transiting these systems.
  • The victim list in the intel provides a critical clue to the nature of the data stolen. The presence of major consulting firms (PwC, EY, Deloitte), energy giants (Shell, Siemens), and logistics providers (Blue Yonder) alongside the NHS implies these MFT servers were being used for B2B data exchange. The data exfiltrated from the NHS is therefore highly likely to include not just internal data, but also highly sensitive inter-organizational data, such as contracts, financial reports, supply chain details, and PII/PHI shared with partners.

Impact: Extortion

  • The intelligence showing the santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion leak site is the final stage of the attack.
  • The taunt, “The company doesn’t care about its customers, it ignored their security!!!” is a standard CL0P tactic to apply public pressure.
  • Research confirms the timeline: on December 24, 2024, CL0P announced they had breached 66 companies in the “Cleo” attack and gave them a 48-hour deadline to initiate contact via secure chat or email. The public listing of nhs.uk on November 11, 2025, indicates the organization (along with the others listed) either did not respond to the extortion demand or refused to negotiate, prompting the attackers to follow through on their threat to “name and shame.”

Victim Size (Incident 1)

  • The “victim size” for this incident is organizational.
  • Direct Victim: The National Health Service (nhs.uk), listed with its headquarters, phone number, and a stated “Revenue: $234 Billion”.
  • Campaign Victims: The NHS is one victim in a massive, systemic campaign. Research indicates at least 66 organizations were compromised, and intelligence and supporting research confirm the list of co-victims includes:
    • PricewaterhouseCoopers (PwC)
    • Ernst & Young (EY)
    • Deloitte
    • Shell
    • Siemens Energy
    • Schneider Electric (SE.com)
    • Cognizant
    • AON
    • Blu