British Library Cyber Attack



Giving it lots of press just gives the perpetrators more oxygen.

People will be surprised at how common ransomware attacks are in the private sector, many with supposedly exceptional security. They just don't get reported because of the reputational damage to that business.

I have a friend who runs a cyber security business which does penetration testing and he is often amazed how easily some of his team get into systems.
 
The fallout continues. The library is likely to spend 40% of its reserves repairing the damage. Still no estimate for how long it'll take to get things back to normal.

(Typical that when it comes to royalties, the media highlight millionaire celebrity authors, not those for whom the annual payments are absolutely vital.)




Are you aware of any details of how it was breached? I've not seen any of that yet.


To be fair the article emphasises the people really impacted by this and using a famous author's name will draw more attention to it than Wendy Erskine's.

I noticed the other day that there are no British Library telephone numbers advertised on their temporary website. It is catastrophic and has been a really low key story. It illustrates just how vulnerable organisations are.
 

The Chief Executive put out a statement in December, though the attack took place in October. I presume, because it was ransomware, they were advised not to make too much fuss at the time. They didn't pay the ransom by the deadline, and now a lot of the data is being released on the 'dark web'.

 

Doesn't give any technical details. I'll do a bit of digging.

Good that they didn't pay. Essentially if you pay you are funding cyber crime against more victims.
 
Redcar Council reckons it cost them over £11 million to recover from their ransomware attack. They didn't pay the ransom but were initially told to keep quiet by central government. Are these public sector institutions viewed as softer targets by cyber criminals?
 
In some cases soft targets and a lot of it is high value targets. Things like the British Library and universities have a high value both in terms of research capability and also some of the research data and innovations they hold. Along with that, like councils, they are a major embarrassment to the sitting government to lose one for a while. Many attacks appear to be state sponsored and designed for a destabilising effect.

All of the above run a massive number of services. Some big companies run only 10 main services where a council, I’m guessing 50-100 services, universities 300+. That gives a lot of ways in.

The other thing in common is lack of investment in IT and an inability to make tough decisions in any sensible time frame. For example most universities have just closed (or are in the process of closing) alumni accounts. That is, any student who had left was, for a long time, able to keep their account and log in to use resources. Some staff were permitted, but what still causes problems is that very few have got rid of accounts for Emeritus Professors. Same thing: retired academics, who they don’t even know are still alive, still have user accounts.

All this gives a number of ways into systems. But supporting these people, with whom you have no contractual obligation, will often govern stricter security policies, because you don’t want to make life difficult for them. Really these sorts of things should have gone 15 years ago. Get a group of university cyber security managers in a room and all will share the same stories of pain.

I’m one and I don’t think I’d work for a local council, because everything I hear is they pay far less, don’t have enough staff and have even less backing, or are even slower at making the tough but necessary decisions.
 
They had no choice about the ransom - they're forbidden from paying one as they're an 'arms-length body' governed by the DCMS.
Good.

There was a story over Christmas (on The Register I think) about two Vegas casinos who got hit by ransomware. One paid and was back within two days, the other didn't and was back in 7-10 days. The one who didn't pay had bigger losses but at least they didn't fund crime.

It will be interesting to see what the long term effect of that is. The one who did pay, if they had their systems back within two days, I have serious doubts if they did a thorough analysis of how the attackers got in. I wonder if they will be hit again soon.
 
The British Library have published a detailed report of their cyber attack.

Looking at it from the point of view of the technology and the management side, my summary is: it looks like a failing of stretched technology teams, management and insufficient funding to maintain all the systems they were running. I suspect it started with a single compromised account which then led to access to a remote desktop service without multifactor authentication configured. It would not surprise me if the initial account compromise was done via a phishing email.

Report at https://www.bl.uk/home/british-library-cyber-incident-review-8-march-2024.pdf
  • They were unable to restore some systems as they were out of support.
    • This highlights the importance of keeping everything at a supportable level.
    • This was the major reason for the length of the recovery.
    • It looks like a program of work was underway to replace these systems, but progress had been slowed due to resourcing issues, both funds and staffing.
    • "The Technology department was overstretched before the incident"
  • They called their recovery phase Rebuild & Renew because so many systems needed redeveloping. They had a recruitment surge to support this.
  • Attackers had gained access 3 days prior to the ransomware payload being deployed. Once inside they took around 3 minutes to gain lateral movement to other systems.
  • The event was detected the next day, but the team incorrectly thought there was no malicious activity.
  • It was believed the entry point was a remote desktop type application. Accounts were not protected by multifactor authentication. This had been set up to facilitate remote working during Covid-19.
  • Copying personal and sensitive data was a primary goal, with 440Gb of data being downloaded early on the morning of the main attack.
  • Servers were then encrypted to create maximum disruption and to cover traces of the attack methods.
  • The website was down, limiting communications. Social media, email and WhatsApp (cascading down) were used to keep staff informed.
  • Trade Unions were used to give advice to affected staff.

Sorry, some of the formatting has gone a bit odd there.
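An added example, not from the thread or the British Library report: a small detector that turns the warning signs in the summary above into checks over constructed remote-access logs, flagging a remote-desktop logon that did not complete MFA, a burst of logons to several internal hosts within minutes of it, and a large outbound transfer. The log format, hostnames, users, timestamps, sizes and thresholds are all invented for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample log (invented names, times, sizes): ts kind user src dst extra
SAMPLE_LOG = """\
2024-05-01T02:10:00 rdp_logon alice vpn-gw RDS01 mfa=no
2024-05-01T02:11:05 smb_logon alice RDS01 FILE01 -
2024-05-01T02:11:40 smb_logon alice RDS01 DC01 -
2024-05-01T02:12:30 smb_logon alice RDS01 HR-DB -
2024-05-01T02:13:00 wmi_logon alice RDS01 BACKUP1 -
2024-05-02T04:00:00 egress alice HR-DB 203.0.113.10 bytes=440000000000
2024-05-02T09:00:00 rdp_logon bob vpn-gw RDS01 mfa=yes
2024-05-02T09:05:00 smb_logon bob RDS01 FILE01 -
"""

def parse_log(text):
    # Turn the whitespace-separated sample format into a list of event dicts.
    events = []
    for line in text.strip().splitlines():
        ts, kind, user, src, dst, extra = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "user": user, "src": src, "dst": dst, "extra": extra})
    return events

def find_alerts(events, lateral_window=timedelta(minutes=5),
                lateral_hosts=3, egress_threshold=100 * 10**9):
    """Return (alert, user, timestamp, detail) tuples; thresholds are illustrative."""
    alerts = []
    remote = [e for e in events if e["kind"] == "rdp_logon"]
    # 1. Remote-desktop logon that did not complete multi-factor authentication.
    for e in remote:
        if e["extra"] == "mfa=no":
            alerts.append(("NO_MFA_REMOTE_LOGON", e["user"], e["ts"], e["dst"]))
    # 2. Lateral-movement burst: the same account reaches several distinct
    #    internal hosts within minutes of arriving through remote desktop.
    for entry in remote:
        hosts = {e["dst"] for e in events
                 if e["user"] == entry["user"]
                 and e["kind"].endswith("_logon") and e["kind"] != "rdp_logon"
                 and entry["ts"] < e["ts"] <= entry["ts"] + lateral_window}
        if len(hosts) >= lateral_hosts:
            alerts.append(("LATERAL_BURST", entry["user"], entry["ts"], len(hosts)))
    # 3. Outbound transfer large enough to suggest bulk copying of data.
    for e in events:
        if e["kind"] == "egress":
            nbytes = int(e["extra"].split("=", 1)[1])
            if nbytes >= egress_threshold:
                alerts.append(("LARGE_EGRESS", e["user"], e["ts"], nbytes))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(*alert)
```

Run against the sample, the first account trips all three checks while the MFA-protected account that touches a single file server trips none.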
 
My wife's team were phished and almost all of them fell for it. Her boss had to send an email to ask people to stop clicking on it. Genius stuff.
 
We get phishing emails sent all the time from the security team.

Some are getting better and better. I've fallen for one. You have to sit a ten-minute course.

The ones that get people are the ones about remuneration. People get blinded by $$$.
 
I worked for a company and we had a public sector client and we ran their IT. We wanted to do some phishing testing to check vulnerability and see how secure they were. Anyway, iirc they wouldn't let us. HR concerns about making judgements on employees. Seemed crazy to me.
 
Yeah same. Blindingly obvious most times.
 
So they didn’t want people to have an insight into the competence of their employees?
Nope. HR or unions too concerned about how that data might be used against employees. Like I say, seemed crazy to me.

Had similar problems when we wanted to deploy a tool that tracked usage by users on their computers including applications and websites visited as part of preparing for an application modernisation programme.
 
Not so long back I saw an instance where a new password strength rule was brought in. 14 or more digits, upper, lower case, no repeating characters etc. Loads of people were flummoxed by it and were complaining. Someone, who has a bit of a reputation as a know it all, replied saying "I just use the names of my three dogs with an exclamation mark and the year." :lol:
I think security teams can go too far at times, but I feel for them when they are dealing with this level of stupidity.
 
