NHS Scotland-linked domains caught serving pr0n and dodgy sports streams
Two practice web addresses appear to have been compromised
Multiple domains belonging to Scottish healthcare providers have been hijacked and are now pushing links to adult content and illegal sports streams, according to a researcher.
First spotted by Nick Hatter, a former cybersecurity engineer turned psychotherapist and life coach, an influx of links hosted on a domain belonging to The New Surgery in Kilmacolm, near Glasgow, flooded Google's index in recent days.
On closer inspection, some seem to have been created as far back as January.
REG AD
The landing page for the domain is not the one currently used by the practice, but it was likely used previously, given the scot.nhs.uk namespace appears to belong to a US-based web developer as a guise for the illicit content it now hosts.
REG AD
- The New Surgery's current domain: www.thenewsurgery.scot.nhs.uk
- The domain hosting illicit links: thenewsurgery-kilmacolm-langbank.scot.nhs.uk
The Register asked NHS Greater Glasgow and Clyde (NHSGGC), Scotland's largest health board and the one that oversees The New Surgery, to comment.
A spokesperson for NHSGGC said: "NHS Greater Glasgow and Clyde's cybersecurity team is working with Public Services Delivery Scotland's Cyber Centre of Excellence to support an independent GP practice after being made aware that a legacy website had been compromised. This affects a legacy website that was independently set up and managed by the GP practice, and there is no evidence the practice's primary website, or any NHS Scotland systems locally or nationally, were compromised."
We also contacted NHS National Services Scotland (NSS), which administers the scot.nhs.uk domain.
In a statement, Scott Barnett, Chief Information Security Officer, Public Services Delivery Scotland, said: "Our NHS Scotland Cyber Centre of Excellence (CCoE) was made aware of a security issue affecting a legacy website associated with a local GP practice.
"At this time, we are not aware of personal or sensitive data exposure as a result of this incident. There is also no evidence the practice's primary website, or any NHS Scotland systems locally or nationally, were compromised.
"Our CCoE teams are continuing to work closely with NHS Greater Glasgow and Clyde's cyber security team to understand the cause of the issue and to ensure it has been fully contained."
Hatter also told The Register that after unearthing the initial compromise related to The New Surgery, he found similar activity at the domain for Lerwick GP Practice, located in the remote Shetland Isles.
REG AD
In Lerwick's case, the domain currently in use by the practice is the one serving the illicit links. The New Surgery's compromised domain has not been used for the practice's primary website in years.
A search using the Wayback Machine shows that as of 2019, one of the sites now serving dodgy links was indeed the one used to access The New Surgery, suggesting it was compromised at some point more recently.
In discussions related to the original The New Surgery findings, Alan Woodward, professor of cybersecurity at the University of Surrey, told The Register: "The big question is, is it a real surgery or is someone putting up a dodgy URL to automatically redirect?
"Either way, the scot.nhs.uk subdomains are managed by NHS Scotland, so somehow someone has managed to set up a subdomain of scot.nhs.uk, which should be under NHS Scotland's control.
"The most obvious way I can think someone would have done that is to steal credentials of a system admin, access the DNS controller, and add in the redirect from a URL that looks like it could be a particular GP surgery but actually isn't. That suggests a deeper penetration than just one surgery being hacked. It also means that the usual users of that GP's website won't have noticed anything, so how long it's been there, who knows."
Because the nhs.uk and scot.nhs.uk domains are closed, an everyday cybercrook cannot simply register a copycat of a GP practice within these namespaces and begin hosting questionable content.
Registering a website using these namespaces requires official authorization through the NHS directly, so the question for NHS Scotland is how a domain under its control was apparently compromised.
The same applies to DNS record changes, and NHS domains are also eligible for protection under the UK NCSC's Protective DNS scheme, although each public sector organization must apply for it, rather than it being applied automatically.
REG AD
Hatter told The Register: "My guess is this could be a DNS attack of some sort or a compromised WordPress setup, which is more likely."
Domain Information Groper (dig) queries show that the NHS domains are correctly and safely pointing to WP Engine, suggesting the compromise was on the WordPress side.
Hypothetically, if the hijackings were caused by exploitation of a plugin vulnerability, for example, it would hardly be the first time something like this had transpired as a result.
"In my opinion, it is quite possible other NHS Scotland practices are vulnerable to this attack," Hatter added. ®