Computers belonging to the UK’s National Health Service have been hit with data-stealing malware, although it doesn’t appear patient information was stolen, according to security vendor Symantec.
The computers were infected with Qakbot, a type of malicious software that can steal credit card information, passwords, Internet search histories and other data from machines, wrote Patrick Fitzgerald, senior security response manager at Symantec, in a blog.
The Register reported early Friday that the infection affected “the National Health Service (NHS) network,” taking a direct quote from the blog. It appears the blog was revised at some point on Friday morning to take out the reference to the NHS.
When contacted, Symantec said it usually gives organizations eight hours ahead notice of a problem before they will blog on the subject, according to a spokeswoman for the company. The blog post was changed and will stay changed, the spokeswoman said, but confirmed it was the NHS that had been hit.
“Logs show that there is a significant Qakbot infection on a major national health organization network in the UK,” Fitzgerald’s post now reads. “This threat has managed to infect over 1,100 separate computers that are spread across multiple subnets within their network. We have attempted to contact the affected parties and have no evidence to show that any customer or patient data has been stolen.”
The NHS did not have an immediate comment.
Qakbot monitors computers and then uploads stolen information to an FTP server, Fitzgerald wrote. Symantec was able to gain access to two of the servers receiving the data. In one week, more than 4GB of data was uploaded to those servers, including credentials from online services such as Facebook, Twitter, Orkut, Bebo, Adult FriendFinder plus e-mail providers such as Hotmail, Gmail and Yahoo.
“Qakbot records the contents of information that is stored and used by the auto-complete feature,” Fitzgerald wrote. “In a nutshell, if your computer is compromised, every bit of information you type into your browser will be stolen.”
Symantec found evidence that more than 100 computers on a “Brazilian regional government network” were compromised in addition to computers on other corporate networks. A map of the infections showed that infections are worldwide.
Fitzgerald wrote that a Qakbot infection can result in the attackers gaining a broad view of a user’s online activities.
“For example, one woman, after chatting on Facebook, bought some items online at the retailers Argos and WHSmith,” he wrote. “She then posted updates about her activities on that day. If required, the attacker can then log in to the above sites and can gain access to the orders, which gives access to the home address where the items will be ultimately delivered.”