Cyber Attack - The Day the NHS Stopped Horizon

On the morning of May 12th,

NHS staff were about to be confronted by a major outbreak...

..as an epidemic swept like wildfire across the country.

But the disease didn't infect patients, and it wasn't biological.

Instead it attacked the central nervous system of the NHS itself.

Across the country,

computer systems were knocked out by a highly contagious computer virus.

Hello, can I speak to IT, please?

It became known as WannaCry.

There's a message on my screen, it says my files have been encrypted.

This is the story of a uniquely challenging day

for the National Health Service.

A day when the NHS itself became a patient.

It was attacked by a particularly vicious piece of computer code

which took down its networks,

its computers and anything attached to them.

And that meant patient record systems, CT scanners,

even MRI machines,

putting not just data but also patients' lives at risk.

The surgeon looked very forlorn and very sorry,

and that was when he then told me that he couldn't do the operation.

We were unable to book appointments,

we were unable to see who would be coming in tomorrow,

so we were really paralysed and at a loss of what to do.

Horizon unpicks the science behind the recent widespread cyber attack

that hit our National Health Service.

And, in his first television interview, we meet the 22-year-old

cyber security specialist who stopped it in its tracks.

I checked the message board.

There were maybe 16, 17 reports of different NHS, sort of,

organisations being hit.

And that was sort of the point where I decided, "My holiday's over,

"I've got to look into this."

The outbreak exposed a vulnerability at the heart of the NHS.

I am a doctor, and all of this is a worry.

I want to know what happens, I want to know why it happens,

and I want to know how I can protect my patients

from this new strain of infectious disease.

I found out about the attacks the way most people did,

through news reports.

Now, mercifully, the hospital that I work for wasn't affected,

but as details emerged, it became clear that colleagues all

over the NHS were getting into work that day,

setting up their computers

and being greeted with a screen that looks like this.

Now it's very polite - it tells you what it's done, it's encrypted

all of your data, tells you what you have to do, which is pay some money,

and it tells you that if you pay the money now,

you won't have to pay quite so much.

Otherwise you're going to lose everything.

On 12th May 2017, the cyber attack wrought havoc across the NHS.

It hit many hospital trusts,

and some A&E departments even closed their doors to ambulances.

Operations were cancelled.

Patients were diverted.

But the story of the virus itself

goes back far further than the events of that day.

With all outbreaks, there's always a point of origin.

A moment when the virus first emerges.

DRAMATIC MUSIC PLAYS

Down! Down! Hands on your head!

Down, down, down!

Cuff him!

For over 20 years,

Harold Martin worked as a contractor for US government intelligence.

On the day of his arrest, agents found stolen drives

containing more than 50 terabytes of classified data...

..allegedly including top-secret hacking tools

stockpiled by the National Security Agency.

Harold Martin's arrest followed a tweet

by a mysterious group calling themselves the Shadow Brokers.

They were offering National Security Agency hacking tools

to anyone prepared to pay the 580 million asking price.

According to reports,

once they found out about the Shadow Brokers' demands,

the NSA triggered an internal investigation and,

just a couple of weeks later, Harold Martin was arrested.

Now, there's no evidence at all

that he passed on information to the Shadow Brokers,

but, interestingly, on the hard drives in his home,

was found the hacking tool, Eternal Blue.

Now, Eternal Blue is a kind of key that allows you to prise open

the Windows 7 operating system, and it is that which allowed hackers to

cause havoc across organisations all over the world, including the NHS.

When it comes to attribution,

in other words identifying the true source of attacks,

the world in cyber is a lot more difficult than,

say for example, physical, because, you know, you can make your attack

appear to come from anywhere in the world.

So, Shadow Brokers is an anonymous entity,

we don't really know who's behind Shadow Brokers.

It's generally assumed in the security research community

that the Shadow Brokers are, in effect, an arm of the Russian state.

35 days before the cyber attack,

it was business as usual across the NHS.

But at this moment, the Shadow Brokers made a fateful decision.

With no buyer coming forward,

they dumped their trove of stolen cyber-weapons online, for free.

They were now available for anyone to use.

Cal Leeming is someone with unique insight into the cyber underworld.

He taught himself to hack, and he started young.

When I was about nine years old,

my grandparents got me my first computer.

A proper computer.

My eyes were opened when I started using these chatrooms

and started talking to this wider audience.

People were talking about being able to share PlayStation games.

They were sharing credit card information.

Attracted to free games as an escape from his hard upbringing,

he soon graduated to something more serious.

There wasn't much money at all.

So I found myself using credit cards that I had got from hacking

to send food deliveries to the house.

So it was a mixture of 50% just utter curiosity

and wanting to learn more,

and the other 50% survival.

At the age of just 12, Cal was arrested.

He became the UK's youngest ever cybercriminal.

It was very, very traumatic.

And they sat me down and said,

"Cal, do you understand what you have done was against the law?"

My answer to them was, "All I've done was typed on a keyboard."

Because that's my mind-set, at the time.

I was like, "Why is it that I'm typing on the keyboard to

"survive and I'm now getting arrested?"

And I thought that was very unfair at the time.

Cal continued to hack until 2005,

when he was caught again for using over 10,000 stolen identities

to purchase goods worth £750,000.

Eventually, when I was 18, I handed myself in,

and the arresting officer in my case gave me a chance

to turn my life around in exchange for going to prison

for a little bit.

I owe that guy a lot.

After serving a 15-month jail sentence, he changed sides,

and now runs a cyber security firm.

Why do hackers do what they do? Why do hackers hack?

People have their own motivations for wanting to get into hacking.

Sometimes it is financial, other times criminal,

and sometimes it's just pure curiosity.

Right now we don't know who started this attack, at least not for sure.

Do you think, at any level, the people who carried out this attack

would have felt slightly appalled that this attack spilt over

into the National Health Service?

That's a difficult one to answer,

because it's not a single group that does all hacking in the world,

it's lots and lots of very tiny groups,

sometimes a single person, sometimes lots of people,

and with each group, within each environment,

you have your own set of rules,

conditions and social etiquette and all these things.

So, in some cases, yes, there are going to be some people

that are outraged, even on the criminal side, that they've...

That it went this far.

And in other cases, they might have purposefully wanted it

to go that far. It depends on the individual.

Whatever their motivation, what we know for sure is that someone

did use the alleged NSA exploit Eternal Blue

to create a devastating cyber-weapon.

Within four weeks of Eternal Blue being released,

the attack was ready.

Eternal Blue was mashed together with other pieces of malicious code

and then unleashed on the world, and it was given a name.

A security patch against Eternal Blue

had been made available by Microsoft.

But on the night before the cyber attack,

any machine that hadn't installed the update was still vulnerable...

including many in the NHS.

Infection was now just a matter of time.

On the morning of the cyber-attack,

22-year-old Marcus Hutchins was in the middle of his holiday.

If there was any surf, I might have been surfing.

It's so dynamic, the waves are never the same on two days.

Marcus works remotely for an LA-based cyber intelligence company.

I track malware. I track malicious code that affects users,

and I find ways to track and stop it.

And despite being on leave,

he was still monitoring the global malware outbreak.

I woke up, I checked the message board, there were a couple of

reports of ransomware infections, but I didn't think much of it.

From his home in Devon,

his curiosity would play a crucial role as the day's events unfolded.

In London, Patrick Ward had spent the night

in St Bartholomew's Hospital.

Like thousands of others,

in operating theatres across the country,

he was in for planned surgery,

in his case to correct a serious heart problem.

They woke me at six o'clock,

as they do in hospital,

and one of the nurses came round and shaved my chest, ready for,

obviously, the opening of the chest cavity.

I was nervous, but I was very excited, very...

confident about the operation and what was going to happen.

I'd...yeah, mentally got myself in the right place

to have open heart surgery,

and was, yeah, fantastic, ready to go.

PHONE RINGS

The condition I have is hypertrophic cardiomyopathy,

which is an enlarged heart.

It means I struggle to do normal things, - walk,

I can't do any sporting activities, lifting heavy objects

obviously puts a big strain on the heart.

It makes me feel extremely useless.

I've had some very dark moments over the last couple of years,

so I'd like to, yeah, get back to leading

a normal fit and healthy life.

But before surgery could start, Patrick needed some tests.

They wanted to check out my arteries,

so they sent me down for a cardio angiogram in the morning.

So after having the angiogram and some drugs, I was very...

I was even more relaxed and ready for the afternoon operation.

While Patrick waited for theatre,

in Devon, Marcus was keeping an eye out for global cyber-attacks.

I checked the message board. There were maybe 16, 17 reports

of different NHS, sort of, organisations being hit.

And that was the point where I decided my holiday is over.

By late morning, the attack had begun.

Somehow, a worm had got into the NHS.

And on the other side of the world,

somebody was tracking the progress

of the outbreak.

Marcen Kochinski runs a cyber security firm in California.

Their software is installed on machines across the world.

Every time we disinfect a machine, it pings that information back

to the labs teams. Real-time information was streaming in,

regarding these specific attacks.

We were able to actually create a live map,

where the infection is spreading. Very similar to a human infection

spreading worldwide. We were able to do that from a computer perspective.

So, we started detecting the attack.

Actually, our first detection was, according to this, Thursday.

We call that, kind of, day minus one, day one.

And one of the first computers that we disinfected was in Russia,

which was very interesting for us to see.

But then, you look at Friday and Saturday

and through the rest of the weekend,

the map just completely explodes.

We see infections all over the world, predominantly in Europe,

but also in the US and they do not relent.

They were witnessing the largest and fastest-spreading outbreak

anyone had seen in recent years.

The threat spread so quickly

that we actually would have to go

down to the milliseconds

to see when it first appeared

in the UK.

We think it is sometime Friday morning.

But we really have to slow this down

and look at the millions of data points we have here to isolate

the day we saw it in the UK first.

The first outbreak Marcen detected in London

showed up in the afternoon at 18 minutes past one.

Across the country, hospitals like this found themselves

either in the grip of the attack or desperately trying to switch off

systems in an attempt to prevent possible infection.

One of London's largest, most capable hospital trusts,

St Bartholomew's and the Royal London,

found itself amongst the most severely affected.

So, NHS staff put into place contingency plans,

working tirelessly to keep everything running.

But there were consequences.

The surgeon, he had been to see me, to say, "Pat, I'll be with you

"at one o'clock-ish, after I've done my rounds."

He then came back again and said, "How are you doing? Everything OK?"

I said, "Yeah, fine. I'm here, ready and waiting.

"I'm not going anywhere." And he said, "Great. We're all ready.

"Everybody is getting organised for you down in theatre.

"The team are there, they are looking forward to meeting you."

This was 10 o'clock, 12 o'clock

and then, at half past one,

he turned up again and looked very, yeah, forlorn

and very sorry. And that was when he then told me

that he couldn't do the operation.

With computer systems down, the surgeon was unable to access

Patrick's angiogram and blood results.

Without them, the operation could not go ahead.

I was numb. It is the only way I can describe it.

Yeah, I just felt nothing. I was absolutely...

I couldn't believe it. I was just absolutely flabbergasted.

It wasn't until the Monday, really,

that the realisation of "What do I do?"

I didn't have any idea as to whether I'd have to wait another year

for the operation. There was just no information available.

It's very frustrating.

Speak to my wife, she will tell you how grumpy I have been

since the operation was cancelled. Not having a date,

something to aim for. So it was extremely, extremely frustrating.

This is what makes me angriest about this whole thing.

This cyber attack isn't about an abstract piece of technology,

it's not about ransoms or ransomware.

It's not about firewalls or patches. It's about people and their lives

and how it affects them. It is about being forced, as a doctor,

to look someone like Patrick in the eye and to let him down

at the worst possible moment.

And Patrick wasn't alone.

The cyber attack had become national news.

The NHS is the victim of a major cyber attack.

At least 25 hospital trusts and GP surgeries have been affected.

Routine operations at some hospitals are being cancelled,

ambulances diverted and patients sent home.

I went out to lunch. I got back.

I then saw lots of reports from different sectors of the NHS.

They were all just simultaneously saying, "We're being hit."

I thought, "This one thing is hitting all these sectors,

"so it's got to be something pretty big",

so I went and I looked into it.

I asked a friend of mine in the industry if he had a sample

of the actual malware that was going around

and he sent it to me.

I use virtualisation software, which basically makes a computer

within your computer, so that it wouldn't affect me

and I saw what it did.

Marcus wasn't alone.

Cal, too, set to work examining the malware.

I wanted to find out from him what made this cyber attack

so ruthlessly effective.

So, what we've got is a machine

that is going to effectively act as patient zero.

We've got a second machine to reconstruct how this

particular variant of WannaCry spreads across multiple machines.

In here is what I have dubbed, "The internet in a box."

To make the malware reveal itself, we have to make it believe

these computers are connected to the real internet

and this box provide the necessary dummy signals, whilst protecting

the outside world from harm.

What we're going to do now is run the WannaCry ransomware.

There you go.

And that's the screen of doom.

-So, this is this machine out of action.

-Exactly.

With the files locked up,

the clock is ticking.

But as the victim decides whether or not to pay,

the malware is already planning its next attacks.

This particular strain has two components.

It has the ransomware itself,

which is what we see here, and it has the worm component,

which was taken from Eternal Blue,

which is a government weapons-grade exploit.

This machine here is actually giving us a bit of insight.

And what this is showing us is that it is trying

to spread across the network.

You don't really think about it, do you? All the output from

a machine isn't just what you see on your screen.

-There is a lot of silent chatter going on in the background.

-Exactly.

If you imagine a big room of people and you shout out, "Who's here?!"

And everyone puts their hand up. That is effectively what

these machines are doing. It shouts out and says, "Who's here?!"

and then, the machines reply. What it then tries to do is it hit

each of those machines with this payload. This worm is now spreading

out across the network and in an instance where you have got...

-There we go.

-And as you can see, it's now spread onto this machine.

Eternal Blue had been expertly designed to silently move

from one machine to another across a local area network or LAN.

Groups of computers joined together inside a business or a hospital.

With the LAN infected, it spread to the internet.

If you imagine you have got your big internet cloud down here

and each dot represents a machine and there is billions

of these machines, OK? And what it does is

the attack will make a direct connection to your machine

and if you are exposing this port to the internet, someone could

infect your machine without needing to have local access to it

or be on the same network.

What is even more disturbing from there is,

if you look at the research tools that actually analyse the internet,

you can go and query today, right now, how many of these machines

on the internet have got this vulnerable service open.

Through the internet, anyone can go and try and exploit them

and there are hundreds and hundreds and hundreds of thousands

of these machines.

The malware sought out these weaknesses

and wormed its way into all manner of networks.

From companies like Nissan in the UK to Renault in France,

from a postal service in Russia to a German railway operator.

And to be clear, this does not depend upon any human interaction?

It's automatic propagation. There is no human interaction here required

at all. And that is why the ransomware itself was

relatively low-key, to be fair. There wasn't anything particularly

special about it, but when combined with

a government weapons-grade exploit, the impact has been devastating.

No-one needed to click on a link or open a dodgy e-mail.

The worm spread all by itself,

exploding across networks in a matter of hours.

Across the country, the surprisingly virulent attack meant that

several hospitals were beginning to struggle.

And wherever the ransomware was found, they would switch off

machines in an attempt to contain the outbreak.

Nevertheless, some of those networks went dark.

Now, even that was not a complete disaster,

because in the NHS, we have contingency plans

for almost every conceivable emergency,

from power outages, terrorist attacks,

even a cyber attack of this kind.

So, what was it that forced some accident and emergency departments

to close their doors that day? A&E relies upon support

from state-of-the-art technologies and specialities.

And these were some of the hardest hit,

among them, doctors and their systems in radiology.

It is packed with the latest kit.

X-rays, MRI scanners and CT machines that allow doctors

to investigate the hidden extent of injury inside the body.

When time is critical, such as with a stroke,

radiologists like Navin Ramachandran help us to make quick, accurate,

life-saving decisions.

When a patient comes in,

they turn up with typical symptoms,

you can see they may not be able to feel an area, they may not be able

an area, they may not

be able to speak. That gives us an idea that there is something

going on in the brain, but it doesn't necessarily tell us

what the underlying cause is.

So, it could be, if we look at this case,

where a vessel to a part of the brain has got blocked off

by a clot and that area is the part that has been

-deprived of blood currently.

-The treatment is to give

a clot-busting drug as fast as possible,

but there is jeopardy involved. You have to be sure precisely

what type of stroke you're dealing with.

The one thing you have to be aware of is that, once in a while,

patients that come in with exactly the same symptoms,

they are getting the same symptoms not because of the blocked vessel,

but because of a bleeding vessel. In this case, this vessel

has bled. With this patient, if you give them the clot-busting drug,

that is catastrophic and can lead to death.

And these two patients would look very similar at presentation?

Without doing these scans, you really wouldn't know the difference?

Exactly. The only thing that makes it possible is having access

to these scans, to allow others to triage people into the right

-treatment pathway.

-The same is true for the whole

of emergency medicine, from car accidents to cancer.

Radiology is an essential front line asset.

The whole department relies on computers.

They run the scanning machines, display the images

and send them on to doctors in A&E.

If these computers were infected,

hospital managers would have little choice but to close A&E.

It simply wouldn't be safe to stay open.

We were very lucky in that it didn't hit our services at all.

We have had fully digital systems for over 10-15 years,

whereas most of the rest of the hospital still uses paper.

But we were completely unaffected.

No change to the day.

Some hospitals, like mine, UCLH, got away unscathed,

but for those unlucky enough to be affected,

there was still enough flex in the system to compensate.

Nevertheless, patients were on the move,

being transferred from hospital to hospital.

The infection continued to spread

and began to show up in GP surgeries across the country.

So, this is one of the consulting rooms we are going into now.

Dr George Farrelly is a GP working at a surgery in Tower Hamlets.

This is our standard desktop PC and so on.

Each consulting room has one of these.

We have 15 machines. We do consultations with this.

We access people's notes, we are able to make appointments,

we send prescriptions to the chemist and plan care.

So, this is our reception area.

A lot happens here. This is like the information hub of the practice.

We take our computer system a little bit for granted, I think,

and only realised

how reliant we are on it when we lose it.

On Friday, 12th of May, we got a phone call

from a neighbouring practice and they told us that they had been hit

by some virus.

So, we printed out the appointment for that day,

which would give us some information, just in case

we had the same problem.

I was in a meeting with some colleagues discussing patients

and the PC we were using suddenly blanked out.

We had to shut all our computers down, to hopefully stop any more

of them becoming infected.

It was complete paralysis.

Along with the hospitals, some GP surgeries were now struggling, too.

They connect with the rest of the NHS via a network known as N3.

N3 is the NHS's national broadband network,

connecting all NHS locations

and its 1.3 million employees across England.

It's one of the largest networks in Europe,

with in excess of 51,000 connections.

N3 allows us to communicate with our colleagues

who we share care with other people.

For example, when we send e-mails to each other

from our NHS net e-mail account, it's more secure.

Our security antivirus and so on is done centrally,

it's not something we worry about.

We never have to do patches ourselves.

They didn't know it at the time,

but the N3 network was actually unaffected.

However, Windows 7 machines without the patch WERE going down.

So some teams disconnected their computers...

..cutting off access to essential clinical systems,

deepening the disruption.

The people who've done this

don't understand the implications of what they're doing.

They hadn't thought them through.

My guess is their project is to make money

and they just send this stuff out and it lands wherever it lands

and they don't give any thought to it.

What they DID give some thought to is how they got paid.

With the ransomware hitting thousands of computers,

the hackers needed a secure, globally accepted form of payment

that ideally would be untraceable.

They decided to use Bitcoin -

an entirely electronic form of so-called cryptocurrency.

I've never used Bitcoin.

But it's easy enough to buy some on a phone.

And once loaded, you can spend it in all manner of places.

-So, can I get a flat white and a mint tea, please?

-Sure.

I've come to a cafe in east London to meet Sarah Meiklejohn,

an expert in Bitcoin,

to find out why it's such an attractive currency for hackers.

-Perfect. Can I pay with Bitcoin?

-Sure.

-OK. And I just...

-£3.50, please. You just scan this.

OK, I'll lean over and scan that.

-That's it.

-And it's as easy as that.

-That's it.

-Perfect, thank you very much.

-Thank you.

-Thank you.

Marvellous, right.

Explain to me, then, as a complete non-initiate,

what Bitcoin is and how it works.

Right, so, Bitcoin is basically a purely digital form of currency.

So it's just a currency, like the dollar, the pound.

The main differences are that it's not backed by any government,

there's no central bank involved in generating Bitcoins

and you don't need a bank account to use it.

If I want to use Bitcoin, you know,

I want to send people Bitcoins,

I'm going to download a piece of software,

and in doing that,

I'm going to join Bitcoin's peer-to-peer network.

So this network is basically collectively responsible for

playing all the traditional roles

that we're used to in traditional banking.

The recent WannaCry attack, which affected many organisations,

including the National Health Service,

was conducted using Bitcoin as the currency of ransom.

Why did they use Bitcoin?

Opening a Bitcoin wallet, saying we're open for business,

we can accept Bitcoins, takes very little time and effort,

and then getting paid in Bitcoin equally takes very little effort.

If I want to pay someone on the other side of the world,

I can do that using Bitcoin

and they'll get the payment instantaneously.

It's the convenience and speed that makes it easy for hackers

to gather their ransom.

But as cyber security expert Mikko Hypponen explains,

Bitcoin also offers a certain level of anonymity.

The only thing we can see is that someone is sending money

from one address to another address, and these addresses are

these long lists of numbers and letters which look really random.

They are tied to a user, but we have no idea who these users are.

What was invented to ensure an individual's privacy

had unforeseen consequences.

So we very quickly started seeing Bitcoin being used in online crime.

First, in online drug trade,

cos when you're buying illegal drugs online,

you don't want to use your credit card

because the credit card will lead back to you and Bitcoins don't.

And then we started seeing ransom attacks.

Ransomware has been around for years and years,

way before Bitcoin.

But the megatrend which really made ransomware

such a big problem is cryptocurrencies, like Bitcoin.

By allowing transactions to take place between pseudonyms

rather than real identities,

Bitcoin became the go-to currency for cyber crime.

But it turns out that the details of Bitcoin's original design

could, for some criminals, actually be their undoing.

Bitcoin was invented by a figure called Satoshi Nakamoto

around six years ago.

It's based on an innovation called blockchain,

and blockchain basically means a public ledger of transactions.

When a transaction is made between two Bitcoin users,

the details of that transaction are locked into a permanent ledger,

known as the blockchain.

And the blockchain data isn't kept on a single computer or server -

it's distributed across the entire network.

Which means, even if an individual machine goes down,

it can never be erased.

So the entire history of every Bitcoin transaction

is accessible to all users now and for ever.

Until this point,

what I understood by Bitcoin was that it was fully anonymous

and therefore it's the perfect currency

in which the underworld can operate.

Is that not true?

No, it's definitely not true.

Bitcoin exchanges are what's responsible for trading Bitcoin

with traditional, government-backed currencies.

But the second you send your Bitcoins to this exchange,

you've created a link between your activities in the Bitcoin network

and your identity as a real person.

The second I know that a given pseudonym

belongs to a criminal or belongs to anyone,

I can then start trying to understand what that user

has done with that money.

We've seen in the past

that attackers have stolen Bitcoins

and then they've sat on them for years,

probably because they don't really know what to do with them next.

Attribution is hard,

this could have been anybody in the world

carrying out this attack.

If you're looking for my opinion,

it's some script kiddie in a basement somewhere,

not a government agency.

And if he's got any sense whatsoever,

he'll take his hard disk, smash it up with a sledgehammer

and burn it in a bonfire.

And he will not, whatever he does,

go and try spend of those Bitcoins that ended up in his wallets,

cos if he does, there's quite a number of governments

would like to offer him some hospitality

for quite a long period of his life.

As the ransomware continued to spread,

thousands of people faced the same dilemma -

should they pay the ransom or not?

It's a question that Moti Cristal has given a lot of thought.

I'm a negotiator, by profession.

I started my career in the political negotiations

between Israel and the Arab world.

And later on, I do hostage negotiations

in high-intensity conflicts.

In a hostage situation, you negotiate with a person

but if you have the opportunity

to talk him to come to the window and then shoot him in the head

because he just killed three kids, you will do it,

and without any moral hesitation.

But in the cyber world, you cannot do that.

The reliance on talk is

significantly more important.

Extortionists, like the people behind WannaCry,

are increasingly abandoning the real world and moving online.

It's lower risk and more profitable.

But whilst the setting may have changed,

Moti's job remains the same,

and much of his work is now in cyber crime.

There's always a human being behind the keyboard.

So at the end of this ransomware attack,

there are people that have feelings,

logics, emotions...

There's always a human being

to whom you can, and you should try to, connect.

No-one has been able to reach out to those behind WannaCry.

But perhaps Moti can help shed light

on how these criminal organisations think.

In October 2015, he was called in

to negotiate for a financial institution

that had been attacked by another piece of malware.

The hackers attempted to portray themselves

as an arm of the Russian state, APT28.

Moti reached out to them.

You know, I teased them.

I said, "Are you really APT28,

"the Russian...proclaimed Russian team?"

"Yes, correct."

And I said, "If you are APT28,

"why you start to do this low stuff of extortion

"instead of the very fascinating cool government stuff?"

Through this kind of engagement, over many months,

Moti created a dialogue with the attackers.

We already start moving towards a deal

and they write to me.

"The way we can do it..."

Pay attention to the language -

"the way WE can do it," we're already a team.

"..is two equal payments.

"After the first one, we tell you exactly how you were breached

"and which systems are most vulnerable."

So suddenly, after the first payment,

they start actually to be my consultant, my advisers.

They start to tell me how my system was breached,

which is very valuable information.

"This is something we never do.

"But consider it as a gesture..."

And then I immediately reply,

"I never recommend moving forward

"based on a virtual contract,"

I'm telling them.

"But with you, I feel we have this otnoshenya."

The Russian word for relationship.

To signal them that, "we are on the same page,

"I do appreciate this."

Though the ransom was paid, by negotiating with the hackers,

Moti successfully ensured that the company's data were not released.

But for those facing the ransom on the 12th of May attack,

was paying the right thing to do?

There are several costs involved when you pay the ransomware.

And I do think, most important,

is that you feel bad

that, actually, you surrendered

to this type of criminal.

So if you pay, you feel bad.

And there's another risk to paying.

You open yourself up to further cyber attacks.

I do believe, in the darknet,

dark in the darknet,

people do exchange lists

of people who paid.

Why? Because that's, again,

a human pattern.

If you've paid once, you might pay again and again.

Ransoms paid in Bitcoin, hostage negotiators...

It's all fine if you're a high-net-worth individual

or a private mega-corporation,

but none of that is going to work in the NHS.

Even if it could pay -

which it can't, because there's no money -

it wouldn't be allowed to pay.

The best you can hope for in that situation as a hacker

is that you don't inadvertently kill somebody

and, instead of the local cyber crime division,

suddenly find the murder squad kicking down your front door.

Those hospitals and GPs that had been infected

had no option but to keep their computers off

and hope that something could stop the spread.

And incredibly, an answer was found,

thanks to a bit of luck and Marcus's inquisitive nature.

By late afternoon,

he'd spotted something curious in the malware's code.

It was trying to connect to one specific web address.

A domain.

I saw this domain was not registered,

so my first idea was to just go and reserve it, just in case.

By registering it, we could track the infection across the globe.

Straight after registering the domain,

we were seeing thousands of queries per second.

Maybe 100,000 unique infections within the first hour.

It was sort of, like, a bingo moment.

He didn't yet realise it, but by registering the domain,

at a cost of just 10,

Marcus wasn't just tracking the infection -

he was also preventing it from spreading.

The plan was to track it and then look for a way to stop it,

but it actually turned out the tracking it was stopping it.

It was like finding a vaccine.

For now, WannaCry could do no further damage.

The NHS didn't realise it yet

and were still relying on emergency systems,

but the cyber attack was over,

the malware defeated.

"Kill switch" was, sort of, the term the media ran with.

It sort of makes a lot of sense, cos it is a kill switch.

It stops the malware.

It seems silly that simply registering a domain

would stop a global cyber attack, but it happened.

In the days following the cyber attack,

the NHS slowly came back online.

Machines were given the patch,

backup data was used to restore the encrypted files,

and news of Marcus's cure spread.

Well, as we've been hearing,

the global cyber attack was halted almost by accident.

It was a 22-year-old in the UK who checked the code

and found a reference to an unregistered website name.

With systems restored,

Patrick finally got the news he was waiting for.

I'd gone back to work, then I had a phone call to say

that they had managed to get an operation date for me

for next week, which...

I was with a customer and I was, yeah, absolutely delighted.

I can't describe the people who did the ransomware.

I'm sure that wasn't in their thought process,

to attack individual people,

but that's the result of exactly what's happened.

In a detached sort of way,

you've got to have at least a bit of respect for the malware.

As poorly constructed as it was,

it still did a lot of damage.

That's not unlike a real infection.

Real viruses have a lot of flaws,

and yet still go on to wreak havoc.

Like a real infection, the malware was able to hide,

evade natural defences,

avoid surveillance, go dormant,

and then go on to cause

all of that chaos.

But like a real infection,

there was, in the end,

a way to fight it,

and so the NHS survived...

At least this time.

WannaCry soon disappeared from the front pages,

but at a gathering of cyber security experts

a fortnight after the attack, it was still making waves.

WHISPERS: This is a long-planned cyber security conference.

It predates the NHS cyber attack by many months,

but it's clearly dominating the agenda here.

Every single speaker has mentioned it.

I wanted to know why, in this country,

it was the NHS that seemed to bear the brunt

of the ransomware infection.

Thank you. I'm Kevin Fong. I'm a doctor in the NHS.

We still can't quite understand how worried we should be

or how vulnerable we continue to be.

We had the person responsible

for one of the trusts

talking about her experiences and day-to-day life

of running IT in the NHS.

It really stuck with me and resonated that, actually,

the amount of budget that she had to protect the IT

was vanishingly small.

They have one support person for 1,000 machines

and things like that.

That's just not a sustainable investment.

I think the NHS really does need to think about

its balance of investment.

It must put more money into this.

It's always a hard trade-off, to think patients versus IT,

you know, but actually, you've got to have that infrastructure

to be able to do a good job on the patients, I would say.

Spending varies across the NHS, but it's been reported that in 2015,

seven trusts spent nothing at all on IT security.

If this is true, surely this needs urgent attention,

now that weaknesses have been exposed by the WannaCry attack.

I was shocked by what happened to the NHS.

I think the shock is more in the vulnerability of the hospitals

than it was in the way that the attack was executed.

We are always afraid of the next attack

hitting critical infrastructures,

so now health care systems were hit,

we are afraid that the electricity, the water departments,

you know, those types of infrastructures being hit...

That didn't happen, but it can happen,

so I think that this is what we're kind of waiting for.

I think there has to be a recognition that it's not an IT

or a computer issue, this is about everyday life now.

In a world where everything's online and where there are ever more

online threats and where government agencies involved in security

are much more interested in adding to the threat level

than in adding to the defence level,

there's an awful lot of conflicts there

that we're going to have to manage.

This attack affected Russian banks, Chinese universities,

Spanish telecoms companies, even FedEx.

The vulnerabilities were there for all of us

across countries and continents, private and public sector,

all walks of life.

The NHS was simply one in a long list of casualties.

Collateral damage in a global cyber war.

The new reality is that we're all at risk.

It's not only businesses and governments -

anyone who's connected could be a target.

As the world of network technology gets ever more complex,

it opens up whole new realms of vulnerability.

It's no longer just our computers that are at risk.

Our homes and offices are now filled with devices

that are online and ripe for hacking.

-Which one are you pinning our hopes on being...?

-The... Yeah, that one.

Ken Munro leads a team of ethical hackers

that test the security of internet-enabled household devices,

the so-called internet of things,

to find out where their weak spots are

and to see how much havoc they could wreak.

This is kind of the most fundamental aspect of hacking.

You're in there at the nitty-gritty, at the level of the circuit board.

Yeah, so that's what's different about the internet of things.

Unlike, say, an eCommerce site,

which is safely hosted in a data centre on a server somewhere,

with the internet of things, you can go and buy the kit,

you can dismantle it.

You can find the chips and the hardware and then connect to it.

So literally put logic probes,

electric wires onto the circuit cables

and then pull off the software and reverse-engineer

how it works from 1s and 0s.

Once you've got that, you can find security flaws.

As Ken discovered, some devices are far easier to hack than others.

This is your hackable shop of horrors.

What have you got here?

Probably the first one we look at, this is My Friend Cayla,

she's an interactive kids' doll.

She works over Bluetooth with an app,

but the manufacturer forgot to put security

on the Bluetooth connection, so, as a result,

it means that someone could be sat on the street outside,

could be listening to what's going on in the room,

so snooping on your child,

or potentially speaking to the child through the speaker.

Our interest was we wanted to see

if we could bypass her protection measures.

You can't make her swear.

But, of course, we discovered you could hack her,

and she swears like a docker now.

-RECORDED MESSAGE:

-Hey, calm down or I will kick the shit out of you.

Creepy, but it's a really serious issue.

The German telecommunications regulator

has now classified her as a covert bugging device

and has banned her.

It's illegal to own her in Germany now.

All right, OK. So this is a wireless kettle,

but I don't actually care if someone hacks my kettle.

I mean, what can they possibly do with that?

This is a Wi-Fi kettle, though.

How else would you boil a kettle from the car home?

So this is the scary bit. This is the Wi-Fi Module.

We're going to show you how we managed to hack that.

Imagine I'm outside your house.

If I want to get your Wi-Fi key from your kettle,

it's really surprisingly easy.

All I need to do, I'm going to connect to it.

I need to put a password in.

You think, "Password - great security."

Unfortunately, the password on these kettles is,

believe it or not, six zeros.

Once I connect to it, all I have to do is send one command,

-and I can retrieve your wireless network encryption key.

-No!

That's the key that secures all of your traffic on your Wi-Fi network.

So if I was a malicious hacker on your network,

I can now intercept everything you do on your home wireless network.

Online banking, your social media -

everything you do, we can see,

because we've got your wireless network key.

I can see a thermostat over here.

I think I have something similar in my house.

What's the problem with a wireless thermostat?

Unfortunately, we found some pretty shocking security

on some brands of Smart thermostat.

This one we managed to actually hold it to ransom.

So just like you've heard with the NHS ransomware issue,

holding critical devices to ransom, actually,

we've found you can even hold your SmartStat to ransom,

-to lock you out of heating unless you pay cash.

-So...

That would be quite unpleasant, but in the end,

surely you just take it off the wall and reset it.

I'm not so worried about that.

What I'm more worried about is actually taking control

of lots of Smart thermostats.

Imagine you've got several hundred thousands of these

and someone finds a way to compromise them, which we have.

They could switch them on and off, synchronously.

You can create unexpected power spikes

using people's thermostats.

So, in theory, you could knock out the grid on a bad day,

if you wanted to.

So, I mean, that's fascinating and terrifying.

This is not about what it does to the individual.

This is about what it might do to an entire nation's power grid.

Damn right.

Imagine you were a foreign power and you wanted to soften up

a country on a particular day.

I don't know, maybe an election day. You knocked out the power.

That's going to influence the outcome of an election.

All right.

The internet of things has also arrived in health care.

Devices that regulate drug dosages

can now be operated over the internet,

and some of the latest pacemakers are controlled by Bluetooth.

A recent study revealed that there might be thousands of exploits.

Do you think this fundamentally limits how useful

the digital revolution might be in health care?

Well, I think we've got things out of step.

I think we've got amazing technical advances,

fantastic technological steps forward, which are brilliant,

which allow us to do cool stuff,

that allows us much better diagnostics - brilliant.

But we've got that out of step with the security.

We're in a catch-up game.

Once the security has caught up with the technological advances, great -

we get fantastic medical benefits.

But until then, it's all a little bit dangerous to me.

We can't go back to the Stone Age.

We need digital technology and all of its promise

to push back the frontiers of medicine,

so we have to learn how to protect ourselves.

But there is hope.

Hope, because there are people on our side in this fight.

We've met some of them.

Hope too because of all professions,

medicine should be able to learn how to deal with this,

because this is the feat of host immunity -

of taking the hit from an infection, recognising it,

and then continually evolving your defences until, eventually,

you're impervious.

Hope as well because, despite reports,

the NHS never stopped.

Yes, parts of its network were severely affected,

but it kept doing what it always does.

If the last few terrible weeks have taught us anything,

it's that the NHS can take whatever you throw at it.

It has a plan, it will learn

and it will be ready for the next time.