Status Update: 19th Aug 2022
I am very pleased to advise that Mandiant, a global leader in threat intelligence and expertise, has concluded a sweep of both the eFinancials servers and HSCN network connection and has not identified any immediate evidence of a compromise. For a copy of the Incident Response Investigation Update provided to us by Mandiant and a System Diagram of eFinancials please contact your Account Manager.
As you know, Advanced recently experienced a disruption to our systems that we have since determined to be the result of a cybersecurity incident caused by ransomware. On August 4, 2022, at approximately 7 am, our teams identified the cybersecurity incident. In response, we immediately took action to mitigate any further risk and isolated all of our Health and Care environments, including the HSCN network which is used to access eFinancials by NHS Trusts.
We moved swiftly to engage leading third-party forensic partners, including Mandiant and Microsoft DART, to conduct an investigation and to ensure our systems can be brought back online safely and our customers who use them can feel confident in reconnecting once service is restored.
Since our Health and Care systems were isolated, no further issues have been detected and our security monitoring continues to confirm that the incident is contained, allowing our recovery activities to move forward. At this time, we are unable to confirm the number of servers that were impacted by the malware.
With respect to our eFinancials customers connecting via a direct VPN through the HSCN secure network, there is nothing, to date, to suggest that any of our customers are at risk of malware spread. Mandiant has reviewed the eFinancials and HSCN systems, has scanned for Indicators of Compromise (IOCs) known to date, and has not identified any immediate evidence of a compromise on any system.
eFinancials Infrastructure
The eFinancials private cloud platform is hosted by Advanced in our dedicated secure suites in two commercial Tier 3 aligned datacentres, one in Slough and the other in East London. All of the hardware, including server, storage, network and firewall equipment, is owned and operated by Advanced. The virtualisation platform technology used is VMware. Each customer environment is in a discrete private vLAN and has its own dedicated SAN LUN to ensure data separation from other customers.
The eFinancials hosted customer environment includes at minimum an Oracle database server (for additional security, each customer has their own Oracle database server rather than a share on a farm) and an application server, both running Red Hat Enterprise Linux operating systems.
Storage is provided from an IBM Storwize SAN platform. Backups are encrypted and transmitted to the secondary datacentre for full location resilience.
The eFinancials hosting platform is not open to any direct Internet traffic. Customers connect to their own vLAN via either a dedicated circuit or a VPN, which in turn can be transmitted across the HSCN network (NHS customers).
The eFinancials HSCN connection shares the HSCN circuit and a firewall pair with the Advanced Health and Care hosting platform, which is why the eFinancials HSCN connection was indirectly impacted by this incident. The eFinancials hosted platform itself is completely separate from the Health and Care one.
Preparing to Reconnect
Mandiant has deployed HX agents (AXGT) on eFinancials and HSCN endpoints. These agents provide real-time monitoring and give Mandiant the capability to quarantine and isolate specific endpoints, if required. Mandiant will conduct 24x7 monitoring of Real Time Alerts across these systems.
At this time, based on Mandiant scanning, real-time monitoring and detection capabilities, we have no evidence that eFinancials customers would be at risk when they reconnect and resume normal business operations.
We know that you will be wanting to reconnect to your Advanced services as quickly as possible, but we do recommend that you think about your reconnection process and whether a test with a small number of users would be beneficial. Should you wish to carry out any testing with us, please raise a case via the customer Support Portal titled ‘Reconnecting to eFinancials’ and stating which users you will carry out testing with.
I would like to take this opportunity to thank you once again for your patience and understanding as we have worked through our response to this incident.