Headline
Key Takeaways From the British Library Cyberattack
Knowledge institutions with legacy infrastructure, limited resources, and digitized intellectual property must protect themselves from sophisticated and destructive cyberattacks.
Source: Ianni Dimitrov Pictures via Alamy Stock Photo
COMMENTARY
In October 2023, the British Library underwent a crippling cyberattack that took down its website, a majority of its online services, including card transitions, reader registrations, and ticket sales, along with access to its digital library catalog. The attack cost the library £7 million (US$8.9 million) in recovery costs, or about 40% of its reserve budget. Although the online catalogue was restored in January, full recovery is not expected before the end of the year.
Analyzing the British Library’s initial response reveals that it effectively executed a carefully planned response strategy. With its vast store of 170 million items, the national library of Great Britain acknowledged a critical oversight in not having a security team on retainer and readily available, resulting in overreliance on an external team unfamiliar with the environment and scrambling in the eleventh hour.
Welcoming transparency, the institution issued its report outlining details of the attack and sharing valuable lessons of benefit to other organizations in their cyber preparedness and mitigation efforts.
How Did Attackers Breach the British Library?
While the exact method of entry is unknown due to the extensive damage caused by the attackers, investigators were able to trace unauthorized access at the Terminal Services server, which was installed in 2020 — COVID era — to facilitate remote access for external partners and internal IT administrators.
Many of these outside parties had privileged access to specific servers and software. It is believed that the root cause behind the attack could have been the compromise of privileged account credentials, possibly via phishing, spear-phishing, or brute-forcing credentials. The library admitted to having an unusually diverse and complex technology estate comprising a stack of legacy tools and infrastructure that led to the severity of the incident. Although the Terminal Services server was protected by a firewall and antivirus software, it lacked standard multifactor authentication (MFA) protection — a gross oversight.
What Did Hackers Steal?
Like most ransomware attacks, these adversaries stole sensitive data that could be either monetized on underground marketplaces or used to demand a ransom payment. Threat actors are said to have copied 600GB of files. Attackers used three methods to identify sensitive data:
Network drives were copied from finance, technology, and HR departments.
Keyword attacks were launched to scan the network for sensitive words such as “passport” and “confidential.” Files were also copied from the personal drives of staff members.
Native utilities used to administer networks were hijacked, then used to create backup copies of 22 databases, including contact details of external users and customers.
What Else Is Known About the Attackers?
The infamous ransomware-as-a-service provider Rhysida claimed responsibility for the attack. This criminal group is also known for its attacks on the Chilean army, as well as attacks on schools, power plants, universities, and government institutions across Europe. Rhysida and its affiliates have an attack methodology that typically involves defense evasion, exfiltration of data for ransom, and destruction of servers to inhibit system recovery. It uses a host of anti-forensics tactics, covering its tracks by deleting log files, making it difficult to trace its activities. Rhysida demanded some 20 bitcoins from the British Library. UK government policy forbids the payment of ransom, so when the library refused to cooperate with the extortionists, the gang released images of employee passports and leaked most of the material to the Dark Web.
Takeaway Lessons Learned From the Library Attack
Assess your technical debt: When a decision is made to use hardware and software beyond their supportable or useful life, it can leave gaping holes in the security posture. It is important that organizations know and evaluate this technical debt from a cyber perspective. Remember that recovery times and costs are far greater than building something new from scratch.
Maintain a holistic view of cyber-risk: Ensure that essential business stakeholders tasked with deciding on whether to accept, mitigate, or transfer cyber-risks have a thorough understanding of these risks. Such comprehension is crucial for effectively allocating resources, prioritizing necessary actions, and determining the order in which they should be conducted.
Practice good information governance: Contemporary threat actors often target specific assets for seizure. Lacking a solid grasp of your information governance can result in uncertainty regarding the location and significance of your most critical assets, leading to a protracted, arduous, and costly recovery process. That’s why it’s advisable to run simulation exercises frequently, just to understand where weaknesses reside. By urgently mobilizing needed resources within the first hour, organizations can significantly limit the blast radius.
Adopt a defense-in-depth approach: A defense-in-depth security approach is a type of layered security that can help curtail the blast radius and limit the damage even when an adversary infiltrates your environment. For example, had the British Library activated MFA on its servers, or had it segregated its network into multiple segments, it would have been in a superior position to detect the attacker’s presence early, limiting their progression to make lateral movements, and preventing data exfiltration.
The British Library attack is a wake-up call for all knowledge institutions, libraries, and government-funded organizations that have similar risks in terms of legacy infrastructure, limited resources, and a significant portion of their intellectual property and research existing in a digital format. Such organizations should follow the above best practices to help protect themselves from sophisticated and destructive cyberattacks.
About the Author(s)
CEO, Information Security Forum
Steve Durbin is CEO of the Information Security Forum, an independent, not-for-profit organization dedicated to investigating, clarifying, and resolving key issues in information security and risk management by developing best-practice methodologies, processes, and solutions that meet the business needs of its members. He is a frequent speaker on the board’s role in cybersecurity and technology.