Key Takeaways From the British Library Cyberattack
Knowledge institutions with legacy infrastructure, limited resources, and digitized intellectual property must protect themselves from sophisticated and destructive cyberattacks.
In October 2023, the British Library underwent a crippling cyberattack that took down its website and a majority of its online services, including card transactions, reader registrations, and ticket sales, along with access to its digital library catalog. The attack cost the library £7 million (US$8.9 million) in recovery costs, or about 40% of its reserve budget. Although the online catalogue was restored in January, full recovery is not expected before the end of the year.
Analyzing the British Library's initial response reveals that it effectively executed a carefully planned response strategy. With its vast store of 170 million items, the national library of Great Britain acknowledged a critical oversight in not having a security team on retainer and readily available, resulting in overreliance on an external team unfamiliar with the environment and scrambling in the eleventh hour.
Welcoming transparency, the institution issued its report outlining details of the attack and sharing valuable lessons of benefit to other organizations in their cyber preparedness and mitigation efforts.
How Did Attackers Breach the British Library?
While the exact method of entry is unknown due to the extensive damage caused by the attackers, investigators were able to trace unauthorized access to the Terminal Services server, which was installed in 2020 — during the COVID era — to facilitate remote access for external partners and internal IT administrators.
Many of these outside parties had privileged access to specific servers and software. It is believed that the root cause behind the attack could have been the compromise of privileged account credentials, possibly via phishing, spear-phishing, or brute-forcing credentials. The library admitted to having an unusually diverse and complex technology estate comprising a stack of legacy tools and infrastructure that led to the severity of the incident. Although the Terminal Services server was protected by a firewall and antivirus software, it lacked standard multifactor authentication (MFA) protection — a gross oversight.
What Did Hackers Steal?
Like most ransomware attacks, these adversaries stole sensitive data that could be either monetized on underground marketplaces or used to demand a ransom payment. Threat actors are said to have copied 600GB of files. Attackers used three methods to identify sensitive data:
What Else Is Known About the Attackers?
The infamous ransomware-as-a-service provider Rhysida claimed responsibility for the attack. This criminal group is also known for its attacks on the Chilean army, as well as attacks on schools, power plants, universities, and government institutions across Europe. Rhysida and its affiliates have an attack methodology that typically involves defense evasion, exfiltration of data for ransom, and destruction of servers to inhibit system recovery. It uses a host of anti-forensics tactics, covering its tracks by deleting log files, making it difficult to trace its activities. Rhysida demanded some 20 bitcoins from the British Library. UK government policy forbids the payment of ransom, so when the library refused to cooperate with the extortionists, the gang released images of employee passports and leaked most of the material to the Dark Web.
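Two of the points above translate directly into detection logic a defender can run over Windows Security event logs: the entry path was a remote-access (Terminal Services) server without MFA, where guessed or phished privileged credentials would show up as a run of failed logons followed by a successful remote logon, and the attackers' anti-forensics included deleting logs, which on Windows leaves an "audit log cleared" event unless the attacker also suppresses forwarding. The script below is an added example written for this article; it is not code from the British Library's report or from any product named here. The event IDs (4624, 4625, 1102) and LogonType 10 (RemoteInteractive) are real Windows identifiers; the flat record schema, the privileged-account list, the partner IP allowlist, and the sample events are all constructed for the demonstration.

```python
"""Detection sketch for two patterns from the British Library post-mortem:
password guessing against a remote-access (Terminal Services / RDP) host that
ends in a successful privileged logon, and anti-forensic clearing of the
Windows Security log. Added example; event records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Real Windows Security event IDs: 4625 failed logon, 4624 successful logon,
# 1102 "the audit log was cleared". LogonType 10 = RemoteInteractive (RDP).
FAILED_LOGON, SUCCESS_LOGON, LOG_CLEARED = 4625, 4624, 1102
RDP_LOGON_TYPE = 10

# Assumed inventory data: which accounts are privileged, and which source
# addresses external partners are expected to connect from (constructed).
PRIVILEGED_ACCOUNTS = {"svc_admin", "partner_admin"}
PARTNER_SOURCE_ALLOWLIST = {"198.51.100.10"}


def _failures(user, ip, start, n):
    """Build n constructed 4625 events 20 seconds apart for (user, ip)."""
    return [{"ts": (start + timedelta(seconds=20 * i)).isoformat(),
             "id": FAILED_LOGON, "user": user, "ip": ip,
             "logon_type": RDP_LOGON_TYPE} for i in range(n)]


# Constructed sample telemetry (flat dict per record; assumed schema).
_start = datetime(2023, 10, 28, 1, 0, 5)
SAMPLE_EVENTS = _failures("svc_admin", "203.0.113.7", _start, 6) + [
    # guessing run ends in a successful RDP logon from the same source
    {"ts": "2023-10-28T01:02:40", "id": SUCCESS_LOGON, "user": "svc_admin",
     "ip": "203.0.113.7", "logon_type": RDP_LOGON_TYPE},
    # expected partner logon from an allowlisted address: benign
    {"ts": "2023-10-28T01:05:00", "id": SUCCESS_LOGON, "user": "partner_admin",
     "ip": "198.51.100.10", "logon_type": RDP_LOGON_TYPE},
    # non-privileged account, no prior failures: benign
    {"ts": "2023-10-28T01:10:00", "id": SUCCESS_LOGON, "user": "reader_kiosk",
     "ip": "192.0.2.5", "logon_type": RDP_LOGON_TYPE},
    # anti-forensics: Security log cleared by the compromised account
    {"ts": "2023-10-28T01:30:00", "id": LOG_CLEARED, "user": "svc_admin",
     "ip": "-", "logon_type": None},
]


def detect(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Return a list of (alert_name, user, source_ip) tuples.

    Alerts raised:
      brute_force_then_rdp_success   >= fail_threshold failures for the same
                                     (ip, user) within `window`, then a 4624
                                     with LogonType 10 for that pair
      privileged_rdp_from_unlisted_source  RDP logon by a privileged account
                                     from an address outside the allowlist
      security_log_cleared           any event 1102
    """
    alerts = []
    failures = defaultdict(list)  # (ip, user) -> timestamps of 4625 events
    for e in sorted(events, key=lambda r: r["ts"]):
        t = datetime.fromisoformat(e["ts"])
        key = (e["ip"], e["user"])
        if e["id"] == FAILED_LOGON:
            # keep only failures still inside the sliding window
            failures[key] = [f for f in failures[key] if t - f <= window]
            failures[key].append(t)
        elif e["id"] == SUCCESS_LOGON and e["logon_type"] == RDP_LOGON_TYPE:
            recent = [f for f in failures.get(key, []) if t - f <= window]
            if len(recent) >= fail_threshold:
                alerts.append(("brute_force_then_rdp_success", e["user"], e["ip"]))
            if e["user"] in PRIVILEGED_ACCOUNTS and e["ip"] not in PARTNER_SOURCE_ALLOWLIST:
                alerts.append(("privileged_rdp_from_unlisted_source", e["user"], e["ip"]))
        elif e["id"] == LOG_CLEARED:
            # A cleared log is itself the signal; ship it off-host first.
            alerts.append(("security_log_cleared", e["user"], e["ip"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The log-clearing rule only works if event 1102 reaches a collector the attacker cannot reach, which is why centralized log forwarding is the precondition for everything else here; the brute-force and allowlist rules are the compensating controls one would run on a remote-access host until MFA is actually enforced on it.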
Takeaway Lessons Learned From the Library Attack
The British Library attack is a wake-up call for all knowledge institutions, libraries, and government-funded organizations that have similar risks in terms of legacy infrastructure, limited resources, and a significant portion of their intellectual property and research existing in a digital format. Such organizations should follow the above best practices to help protect themselves from sophisticated and destructive cyberattacks.