The British Library cyberattack: what can organisations learn?
Charlie Maclean-Bristol reviews key factors that may help peer institutions and other organisations learn lessons from the British Library cyber incident report
It’s difficult to extract lessons learned from a cyber response when you are not the responder. Most organisations don’t like to share their lessons, or when they do, they mainly do so behind closed doors. I often have to glean what happened from articles written about the response, or from my own review of the organisation’s response and crisis communications. Occasionally, organisations, particularly those in the public sector, share their learnings. The British Library published its report on March 4, with a view to ensuring a common level of understanding of key factors that may help peer institutions and other organisations learn lessons from the Library’s experience.
I have examined the lessons identified within the report and considered which elements of the attack were fairly standard for this type of ransomware attack, and where there were differences from the usual modus operandi of ransomware attacks. For my definition of the standard elements of such an attack, I have drawn on what I teach on my two-day cyber course, the BCT Certificate in Cyber Incident Management (NCSC Assured Training).
The British Library cyberattack took place on Saturday, October 28, 2023. The attackers encrypted or destroyed most of the organisation’s server estate, as well as exfiltrating 600GB of data. As no ransom was paid, the attackers put the data up for auction and subsequently made it available on the dark web. The organisation is still in the process of recovery.
Fairly standard elements: The attack was discovered at 07:35 am on a Saturday morning. Cyberattacks often take place at the most inconvenient time for the victim. This was the typical double-extortion ransomware attack, with systems locked out and files exfiltrated. The report makes no mention of any other organisation being approached to put pressure on the Library to pay. Data was both encrypted and destroyed, the destruction serving to cover the attackers’ tracks. Data backups were also attacked and rendered useless.
The lack of a strong infrastructure on which to restore systems hampered their restoration, and this slows down the whole recovery. A similar situation arose at the Scottish Environment Protection Agency (SEPA) after its cyberattack, and SEPA used it as an opportunity to ‘build back better’. Many of the systems couldn’t be brought back in their pre-attack form, as they were no longer supported by the vendor or wouldn’t work on the new infrastructure. This was reminiscent of the effect of WannaCry on the NHS, where many outdated and unsupported systems were affected. Cloud-based systems, by contrast, were unaffected.
At the beginning of the incident, there was tight control over information, leading to staff frustration and an effect on staff morale. The plan was to build back systems better and make them more secure, resilient and innovative.
The rebuilding of a new infrastructure is bringing a risk to capability and capacity within the Library’s technology department, owing to the complexity of restoring, modifying, consolidating, retiring, rebuilding or replacing a large number of systems at the same time. The same point was made by Maersk after NotPetya, when the response put a strain on IT staff and a sizable proportion of them were working on the response, and it was reiterated in the SEPA report and presentations. The Library came under attack from the Rhysida ransomware gang, a well-known cyber gang. The organisation provided advice to those whose data had been exfiltrated and, on the assumption that staff personal data was likely to have been compromised, the report states that ‘we also immediately purchased a credit monitoring and identity protection product for all staff, including some ex-staff, board members, and users’.
By the end of March 24, 2024 – five months after the attack – a thorough analysis of the exfiltrated data had been completed. Building the infrastructure on which systems could be rebuilt was expected to take six months from the attack, and only then could many of the systems be restored. Operations continued through manual workarounds or processes that didn’t rely on IT.
As the website and intranet were out of action, social media, email and WhatsApp were used for staff communications. This was similar to Dundee and Angus College, which had to use these channels after its cyber incident. It will take approximately 18 months to create a new resilient infrastructure and deliver permanent solutions, either by upgrading or adapting existing systems or by delivering new ones where necessary.
Different element: In the timeline provided in the report, the attack was discovered on October 28, 2023, but it was only on November 1, 2023, five days later, that the British Library was advised by its third-party technical advisors, the National Computing Centre (NCC), to immediately stop using its laptops and desktops. In other reports I have read, users have been told immediately not to use organisation-supplied devices.
In conclusion, the British Library attack followed a standard pattern of attack and response, and I was surprised to find only one difference from the many other attacks I have learned about or read about. As these are standard facts about what occurs after a ransomware attack, I feel that all those responsible for managing one should be aware of them.
This article was originally published by BC Training Ltd.