Charlie looks at what lessons can be learnt from the recent cyber-attack at Hackney Council.
Kim, my wife and cyber security MSc apprentice, has been suggesting for a few weeks that I write about the cyber incident at Hackney Council. The council suffered a cyber-attack on the 13th October 2020 and has not yet recovered all their systems five weeks later. They have stated that some systems may take months to restore. I also noticed an article in the Hackney Gazette about how those trying to sell their property in the area were unable to do so, as the council were unable to process land searches. Since researching the incident, I thought I might write something on how they approached their public communications and whether there are lessons for the readers of this bulletin on how to respond if their organisation was hacked.
The first thing I noticed in their response was that the council very much portrayed itself as a victim. Philip Glanville, the Mayor of Hackney, was quoted on a number of news sites and in articles condemning those who attacked the council. He said:
“I am incredibly angry that organised criminals have chosen to attack us in this way, and in the middle of dealing with a global pandemic. It is morally repugnant and is making it harder for us to deliver the services you rely on”.
The use of the words ‘morally repugnant’ worked well as this was then picked up in a number of articles reporting on the incident. The council also said this was a ‘serious and complex criminal attack’, again reinforcing the point that they were a victim of a very clever criminal.
This communications strategy is an extremely good way of deflecting questions about the ‘victim’s’ culpability for the hack. It is often those who underinvest in IT and follow poor patching practice who are hacked. A good example of this is the NHS during ‘WannaCry’, as their budgets had been under severe pressure for a long time and money was often spent on front line services rather than IT. The Hackney Council area is not one of the wealthier areas within London, and all councils have had severe budget cuts over the last few years. There has been no indication in what I have read that underinvestment or poor IT practice played a role in this attack, but I personally can't help but speculate it might have. Portraying your organisation as a victim helps craft the narrative that you were helpless in the face of a very clever and technically brilliant criminal hacker, and helps deflect the more awkward questions about whether this hack was due to lack of investment or poor management by the council IT staff.
In their communications they talked about working with the ‘Government, National Cyber Security Centre, National Crime Agency’. Saying that these organisations are supporting their response again adds to the narrative that they are victims and that the government and cyber agencies are rallying around to support them. The subtext here is that these agencies may not be supporting them if they thought they were negligent or culpable.
Kim asked me whether there was any information on the hack and what had actually happened from a technical point of view. Again, I think the council has been very clever here. They have said they can’t release information on how the hack happened as they don’t want to ‘invariantly assist its attackers’. As very little information has been released on the technical elements, there has been a lot of commentary from the cyber technical press on the event, but speculation has been limited to saying that the event has all the hallmarks of a ransomware attack. Most technical commentators on the incident mainly talk about the need to have cyber prevention measures in place and talk up their products or the general importance of cyber measures. By giving little information away, the council is not giving technical people any information which they could use to work out how the attack happened, and which could then possibly lead to some blame being laid at the feet of the council.
The council did follow good practice when responding to the incident. There has been a steady stream of updates on their website, giving detailed information of the effect on their services and some of the difficulties people will face when accessing them. They have been honest in saying that the recovery could still take several months. They also stated that anyone who has been affected will not be ‘financially penalised because of this attack’. The Mayor, Philip Glanville, has been very visible and has been the main face of the incident.
In many media articles this attack is being compared to the attack on Redcar and Cleveland, which happened earlier in the year, in February, and is estimated to have cost the council £10.4m. As far as I can see there has been no comment from Hackney Council on the cost of this incident and where the money to pay for it will come from. This is an area which I suspect will become an issue sooner or later, so the council needs to think through how it will deal with this and what its ‘lines to take’ are when the comparison is made.
For me, these are the lessons identified from this incident which you may want to build into your cyber response planning:
- It works to portray yourself as a victim when hacked.
- In your communications, do name the government agencies that you are working with.
- Don’t give away any technical information or reveal how the hack happened.
- Do follow all the usual good practice in terms of communicating and managing a cyber incident.
- Take note of other similar events that your incident might be compared to and then think about how you will reply to any comparisons.