The Belgian military and the European Space Agency (ESA) are among organisations that have sought assurances from Serco, the company behind NHS Test and Trace, following a cyber attack.
The outsourcing firm told them their information has not been compromised. Images of stolen files circulating on social media only indicate the criminals accessed a non-disclosure agreement between Serco and a third party regarding potential ESA contracts.
Last weekend, Serco confirmed that its mainland European businesses were targeted by hackers operating the Babuk ransomware. The company refused to comment on the impact of the attack, nor on whether the firm had paid the ransom demand.
Serco was tasked by the government with the oft-criticised NHS Test and Trace scheme
Sky News learned of the attack on Serco through a sample of the ransomware that was uploaded to a platform used by anti-virus companies to compare malware.
The malware leaves an extortion message for Serco after encrypting the files of the victim computer network, which claims: “We’ve been surfing inside your network for about three weeks and copied more than 1TB of your data.”
It continues, in an attempt to extort the company: “Your partners such as NATO, or Belgian Army or anyone else won’t be happy that their secret documents are in free access in the internet.”
Sky News did not see any evidence that such documents were stolen by the criminals, who had deleted the page inviting Serco to negotiate the extortion.
A spokesperson for NATO said the organisation “works with a wide range of commercial companies from around the world,” but added they “do not go into details of business contracts”.
“In general terms, we count on all companies to ensure that potentially sensitive or private information as part of a business contract is properly protected,” they said.
“For NATO, cyber defence is a core part of our collective defence and NATO’s own networks are secured around the clock.”
The involvement of Serco in the test and trace scheme has been controversial
A spokesperson for the Belgian military told Sky News: “The Belgian Defence is aware of this problem. According to the information made available by Serco to the Belgian Defence, there is currently no compromised data.
“Nevertheless, an assessment of the consequences is in progress in collaboration with Serco.”
Following Sky News’ initial report, images of documents stolen from Serco have been posted on social media, including a non-disclosure agreement regarding ESA contracts signed between Serco and British space consultancy Grafton Technologies.
John Harris, Grafton’s managing director, told Sky News his company regularly signed NDAs with other organisations as part of business discussions, and was unconcerned about the leaked information being potentially sensitive.
On its website, Serco says it has “over 40 years’ experience in supporting the space sector” and adds its “employees have been providing everyday [the] technical, scientific and management skills” to support ESA missions.
A spokesperson for the European Space Agency (ESA) told Sky News: “ESA was promptly informed by Serco about the incident and there is no evidence that any ESA information or ESA services have been affected by the breach.
“ESA continues to maintain close co-ordination with Serco as they deal with the matter.”