Sergey Nivens - stock.adobe.com

Cyber extortionist threatened to bomb NHS targets

A German court has convicted a 33-year-old Italian man for making extortion and bomb threats against NHS hospitals at the height of the Covid-19 pandemic’s first wave last year

A German court has convicted a 33-year-old Italian man for making cyber extortion and bomb threats against the NHS at the height of the first wave of the Covid-19 pandemic, following an international investigation led by the UK’s National Crime Agency (NCA).

Emil Apreda was sentenced to three years following his conviction at Berlin’s District Criminal Court. He has been released on bail until the court’s decision has been ratified.

Apreda sent an email to the NHS on 25 April 2020 that threatened to detonate a bomb at an unspecified hospital in the UK unless demands for a £10m bitcoin ransom were met. He purported to be a member of Combat 18, a neo-Nazi group that is not banned in the UK.

The deputy director of the NCA’s National Cyber Crime Unit (NCCU), Nigel Leary, told reporters that the NCA also directly received a copy of the threat early on the morning of 26 April.

“Obviously, we were in a period of deep and heightened vulnerability … with the response to the pandemic being conducted by the NHS across the UK,” he said. “There were certain conditions in place around the provision of treatment to individuals at UK hospitals, which really made this incident an acute one, and something that required a dynamic and significant law enforcement response.

“Our offender in this case was using a variety of methods to try to obfuscate their identity and avoid detection by law enforcement agencies,” he added. This is understood to have included the use of various dark web services and encrypted communications.

Leary said that the perpetrator remained in contact with the NHS for a period of several weeks, reacting to world events and, following the death of George Floyd at the hands of police officers in Minneapolis, made threats against the Black Lives Matter movement, as well as the lives of MPs around the fourth anniversary of the assassination of Jo Cox.

Subsequent technical investigations, and the use of behavioural and linguistic analysis, enabled the NCA to establish concrete leads as to the perpetrator’s identity and profile, and to his location in Germany, at which point the organisation involved local law enforcement, leading to an arrest on 15 June 2020. The trial began in December 2020.

Tim Court, head of investigations at the NCCU, said that the threat – which ultimately proved to be baseless – was one of the most significant threats to UK critical national infrastructure (CNI) seen in some time, and an “entirely cynical” attempt to hijack significant social events not only for monetary gain, but to cause disruption to the NHS pandemic response and day-to-day activities, and damage trust in the health service.

“Even if, as we later found out, he didn’t have access to, or the ability to deploy an IED, if that had become public the consequences of people not having confidence in the NHS was frankly unacceptable,” he said.

The bomb threats are just one out of many thousands of malicious emails sent to the NHS by malicious actors during the Covid-19 pandemic, but they clearly stand out among the more usual phishing attempts that organisations might expect to see.

Figures obtained last year under the Freedom of Information (FoI) Act revealed that the NHS received 8,085 malicious emails during April 2020 alone, and more than 30,000 between March and July 2020. These figures are only those reported to the official NHSmail reporting address, so the true figure will be much higher.

In its 2019-20 annual report, the National Cyber Security Centre (NCSC) said that the NHS had largely withstood the spike in cyber crime seen during the initial phases of the pandemic.

Last year, the NCSC shared more than 160 instances of high-risk and critical vulnerabilities with the NHS, scanned more than a million NHS IP addresses to detect security weakness, shared 51,000 indicators of compromise with the health service, performed threat hunting on 1.4 million NHS endpoints, and rolled out its Active Cyber Defence service to 235 frontline health bodies.

It also assisted the Centre for the Protection of National Infrastructure on the secure build of the UK’s seven Nightingale hospitals.

Read more about NCA convictions

Read more on Hackers and cybercrime prevention