Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

Details and Lessons Learned From the Ransomware Attack on the British Library

Although the attack on the national library of the UK occurred five months ago, the Library’s infrastructure won’t be rebuilt until mid-April 2024, and then the full restoration of systems and data can begin.

Inside the cyberattack in the British Library

The British Library has shared details on the destructive ransomware attack it experienced in October 2023. Although the attack on the national library of the UK occurred five months ago, the Library’s infrastructure won’t be rebuilt until mid-April 2024, and then the full restoration of systems and data can begin.

The attack

The attack was destructive. Apart from exfiltrating around 600 Gb of data, the attackers deleted logs, encrypted systems, destroyed servers, and locked out all users.

Rhysida claimed responsibility and published data to prove its involvement. Rhysida is relatively new – active since May 2023. It was the subject of a joint FBI/CISA advisory on November 15, 2023. The advisory notes discovered similarities between Rhysida and Vice Society. This includes similar TTPs, and inactivity on the Vice Society’s leak site from shortly after the appearance of Rhysida.

By January 2024, Rhysida had claimed more than 70 victims. More recently it was involved in the MarineMax attack. It is believed to operate as a RaaS organization.

After exfiltrating data, the attackers encrypted information and systems and destroyed some servers to inhibit recovery and cover their tracks. The damage to servers has been the most impactful aspect of the attack – recovery from backups has been hampered by a lack of infrastructure for recovery. Major software cannot be brought back in its original form either because it is no longer supported by the vendor, or it simply won’t run on the new hardware.

The burnt earth approach from the attackers against the British Library means it is unlikely the point of entry and means of access will ever be definitively proven. However, the first detected unauthorized access was found on a Terminal Services server. This had been installed to cope with the hugely expanded remote access requirements caused by the Covid pandemic.

The Library suspects that access was gained here through “the compromise of privileged account credentials, possibly via a phishing or spear-phishing attack or a brute force attack.” MFA was in use across the network, but notably not on this server — its implementation had been delayed for reasons of practicality and cost. “It is considered likely that the absence of MFA contributed to the attackers’ ability to enter the system [although] the exact point and method of entry cannot be stated with certainty,” says the report.

If the Library’s assumed timescale is accurate, the damage was done in three days. “Forensic investigation and analysis of records indicates the strong likelihood that the criminal actors initially gained access at least three days before the incident became apparent,” says the report.

The Library neither paid the demanded ransom nor contacted the attackers. As a publicly funded organization, it had no scope for maneuver against the UK government policy disseminated by the NCSC: never pay. With no payment, the stolen data (which included personal data of users and staff) was put up for auction by the attackers and later dumped on the dark web. According to Rhysida, the exfiltrated data amounted to 573 Gb and 490,191 files. The group sold 10%, and dumped the remaining 90% with the message, ‘data hunters enjoy’.

Advertisement. Scroll to continue reading.

The lessons

Use MFA. The most likely access point for Rhysida was a new server with no MFA implementation. “It is considered likely that the absence of MFA contributed to the attackers’ ability to enter the system,” says the report. The Library intends to ‘substantially improve’ both its MFA and PAM implementations.

Be wary of the threat from legacy systems. The threat from legacy systems is that you cannot always patch them to prevent an attack, nor can you recover them after an attack. The result can be greater cost and time to rebuild from new.

Implement network segmentation. This had not been possible on the Library’s legacy network topology but will be included after the ‘rebuild and renew’ program. The lack of segmentation, says the report, “meant that the attack was able to cause more damage than would have been possible in a modern network design.”

Use the cloud. “Our core email, finance, HR and payroll systems are cloud-based and are functioning normally, having been largely unaffected by the attack,” notes the report. The new infrastructure will have a hybrid compute landscape that leverages the benefits of cloud for development, application, and virtualization. It doesn’t eliminate risk but changes it into something more manageable.

Understand the value and benefit of secure backups. The Library’s new backup system will comprise “a robust and resilient backup service, providing immutable and air-gapped copies, offsite copies, and hot copies of data with multiple restoration points on a 4/3/2/1 model.”

Be financially prepared. As a publicly funded organization under the aegis of (that is, funded by and accountable to) the UK government’s Department for Culture, Media, and Sport (DCMS), the Library could have, in extremis, called for additional restorative funds. Private companies have no similar safety net, but the Library did not require such aid. It had already set aside funds for future infrastructure spending (its Knowledge Matters Strategy) and was able to bring forward this planned expenditure. 

Ransomware Attack on the British Library

Access to these funds were happenstance for the British Library, but ensuring access to emergency funds is an important part of future planning.

The report makes no mention of cyberinsurance, either past, present, or intended. It may be that the DCMS is effectively the insurance provider, or it may be a condition of insurance that its use is not disclosed. For most private companies, however, cyberinsurance should be considered as potentially relevant to future financial and risk planning.

Have the right salary scales. The report notes that its ‘rebuild and renew’ program will be difficult “without reconsideration of how the Library remunerates high-demand IT skills.” There is some acceptance that the capacity and capability within the Technology department was already overstretched prior to the attack.

Grasp and maximize the silver lining. “The substantial disruption of the attack creates an opportunity to implement a significant number of changes to policy, processes, and technology that will address structural issues in ways that would previously have been too disruptive to countenance,” says the report.

Related: Cyber Insights 2024: Ransomware

Related: EquiLend Ransomware Attack Leads to Data Breach

Related: Recent TeamCity Vulnerability Exploited in Ransomware Attacks

Related: Critical Infrastructure Organizations Warned of Phobos Ransomware Attacks

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Cody Barrow has been appointed the new CEO of threat intelligence company EclecticIQ.

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

More People On The Move

Expert Insights

Related Content

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Ransomware

A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Data Breaches

Sony shares information on the impact of two recent unrelated hacker attacks carried out by known ransomware groups. 

Ransomware

Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.