British Library Cyber Attack: Lessons Learned

The British Library has released a report into October's cyberattack by the Rhysida "Ransomware-as-a-Service" (RaaS) group.

The attack involved hostile reconnaissance followed by a major ransomware attack on 28 October 2023. Approximately 600GB of files were exfiltrated, including personal data of Library users and staff. The data was later auctioned and dumped on the dark web. The attack severely impacted the Library's systems and services, with significant disruption to research services, staff operations, and the inability to restore digital collections due to damaged infrastructure. A rebuild of the Library's infrastructure is underway, with a focus on enhancing security and resilience.

There is no evidence that the attackers were able to access the unedited Electoral Roll database, which has enhanced levels of encryption due to the sensitivity of the data, nor were they able to access credit card information, due to PCI-DSS controls.

The root cause seems to be under-investment in IT and security. The British Library were unable to roll out MFA, their network was not well segmented, and from the context it is likely that cybersecurity resourcing was insufficient for the task. Recovery was made more difficult due to a large amount of legacy software.

Here is a timeline of the attacker and defender activities:

[Attacker] 2023-10-25T23:29:00Z: External presence on the Library network detected, marking likely initial access by the attackers (forensics after the fact).

[Attacker] 2023-10-25T23:32:00Z: First evidence of attackers moving around the network (forensics after the fact).

[Defender] 2023-10-26T00:21:00Z: The Library's Monitoring System automatically blocked suspect activity on the network.

[Defender] 2023-10-26T01:15:00Z: The Library's IT Security Manager was alerted to possible malicious activity, extended the automatic block, conducted a vulnerability scan (which found no results), and actively monitored the activity log. No repeat activity was observed.

[Defender] 2023-10-26T07:00:00Z: The incident was escalated to the IT Infrastructure team, who conducted further investigations, including a detailed analysis of activity logs. They did not identify any obviously malicious activity but performed a password reset before unblocking the account.

[Attacker] 2023-10-28T01:30:00Z: An unusually high volume of data traffic (440GB) left the Library's estate, matching the tranche of data illegally exfiltrated by the attackers (forensics after the fact).

[Defender] 2023-10-28T04:35:00Z: First signs of the major ransomware attack detected, with unusual activity observed on the Library's systems.

[Defender] 2023-10-28T07:15:00Z: The Library's IT team confirmed the presence of ransomware on the systems.

[Defender] 2023-10-28T07:35:00Z: The intrusion was first identified as a major incident when a member of the Technology Team was unable to access the Library's network.

[Defender] 2023-10-28T07:45:00Z: The decision was made to shut down all systems to prevent further spread of the ransomware.

[Defender] 2023-10-28T08:00:00Z: All systems were successfully shut down, and the Library's incident response plan was activated.

[Defender] 2023-10-28T09:15:00Z: The Library's Crisis Management Plan was invoked by the Business Continuity Manager.

[Defender] 2023-10-28T09:21:00Z: The Accounting Officer and Chief Officers were contacted and informed of the incident.

[Defender] 2023-10-28T10:00:00Z: The Gold Crisis Response Team convened via WhatsApp video call.

[Defender] 2023-10-28T14:00:00Z: NCSC attended a Gold meeting, providing early advice on incident handling, including communications strategy. NCC Group were procured to support the Library's response process.

[Attacker] 2023-10-29: First ransom demand.

[Defender] 2023-10-29: Ransom demand rejected.

[Attacker] 2023-11-20: Rhysida launched a 7-day auction on its website, with a starting bid of 20 BTC.

[Attacker] 2023-11-27: The auction for the stolen British Library data concluded.

[Attacker] 2023-11-30: Rhysida published a 573GB tranche of data, indicating that some data had been sold while the rest was dumped.

What can SOC teams learn from this incident?

The report contains a list of 16 Lessons Learned. Specifically relevant to cybersecurity operations teams are:

  1. Network monitoring is (still) important. Legacy network topology may prevent modern security tools from having full coverage or being fully effective. It's important to ensure that network monitoring tools can effectively monitor and protect the entire network.
  2. Having a specialist external security advisor on retainer allows for additional resilience, improved speed of response, and depth of analysis in the earliest stages of an incident.
  3. An in-depth security review should be commissioned after even the smallest signs of network intrusion to ensure that any potential threats are thoroughly investigated and mitigated. Attackers know how to cover their tracks and maintain persistence.
  4. All IT security risks accepted at an operational level should be flagged to the appropriate levels of senior management to create a holistic overview of risk. Senior decision-makers and Board members need to have a clear and holistic understanding of cyber-risk, in order to make optimal strategic investment choices.

Derek Dalton

Director and Senior Security Consultant | National Security Leadership

1 yr

Thanks for starting this conversation Vaughan. Helping corporate and government leaders understand cyber risk in similar plain terms to the other risks they well understand and manage is vital. If we can give them that and enable better links between cyber professionals and their boards then I think we stand a chance of building towards genuine cyber resilience.

Cornell Tsiang

Fractional CFO | Driving Sustainable Growth for SaaS Startups and Scaleups Through Expert Financial Leadership | Fueled $450M Growth and 3x Acceleration

1 yr

Fascinating that the monitoring system detected suspect activity but the activity was unblocked prior to the data being leaked. Possibly a fault in the analysis?
