Notes from The Gloucester City Council Managing a Cyber Attack – Case Study

Mar 22, 2024

In this week’s bulletin, Charlie gives an insight into Gloucester City Council’s cyber attack that took place in late 2021 and discusses what we can learn from the incident.

The report on Gloucester City Council’s cyber attack was published in December 2023, and I have just got around to reading it. I thought that, after looking at the British Library’s cyber attack report last week, it might be good to continue the same theme and see what we can learn from this report. Although there were lots of interesting learning points and facts and figures in the British Library report, most of them were lessons already identified in other attacks, and the report followed a familiar path. The Gloucester City report contains some interesting lessons for all of us who may have to respond to a cyber incident.

So, what are the lessons that can be learned from this report?

  1. The attack was ‘sophisticated and well organised’. No attack I have ever read about was unsophisticated and chaotic, even if it was!
  2. The data exfiltrated was sent to a file-sharing website in New Zealand and then on from there. Attackers are using different time zones to hinder coordination between law enforcement agencies.
  3. ‘Some business partners responded by blocking all electronic communications with the council’. I think we need to have alternative communications methods set up in advance with partners as this is a natural reaction to an outside organisation having a cyber incident.
  4. The council decided, as many other organisations did, to ‘build back better’, which took them longer but gave them more robust systems going forward.
  5. Some of their applications were highly customised rather than off-the-shelf versions. There were difficulties recovering these systems, and the customisations were not fully documented.
  6. The importance of having a separate cyber plan which has a communications plan within it was stressed, and this should be in addition to BCPs and DR plans.
  7. The council had lost control of their domain controller and had to send someone to their data centre and physically disconnect the cables.
  8. The NCSC helped establish alternative communications channels so that if the hackers were still within the system, then they couldn’t see the response communications.
  9. ‘The council notified its business partners about the incident, an action delayed based on advice from NCA’. I am not sure whether this was mutually agreed and whether the council were happy with this direction. I think we need to be aware that law enforcement may determine the timing of our external communications.
  10. ‘As the Christmas break drew closer, NCSC advised that it would not be possible for the issues to be resolved in a matter of days, so staff should go ahead and take time off while the forensic investigation into the incident continued’. I think there always will be a conflict between law enforcement’s desire for forensic analysis and the organisation’s desire to get their systems up and running.
  11. The phishing link, which was the start of the incident, was in an attachment in message 10 of a series of emails back and forth with a supplier; it wasn’t a one-off single email. To me, that suggests that the third party’s email must have been compromised, and that the attackers watched the email exchanges and then inserted their phishing link into an ongoing exchange.
  12. In 2014, the council suffered a cyber attack and was fined £100,000 by the ICO for the data breach.
  13. The democratic services team were not able to process changes or additions to the electoral roll. This covered both updates from the register-to-vote website and residents contacting the council directly. The council were lucky that the elections in May 2021 had happened before the attack. Approximately 21,000 postal voters were asked to complete their application forms again.
  14. The public-facing services had to cope with increased complaints from those affected by the disruption.
  15. Staff became fatigued due to the realisation of the long-term nature of the response and the extra work associated with using workarounds.
  16. ‘Based on advice from the NCA, the council had to carefully manage its communications with the public to ensure messaging did not interfere with the ongoing criminal investigation. The council also received guidance from NCSC in relation to the content and timing of its press releases’. Again, those responding should be aware of the limitations law enforcement may place on their communications.

I think the most interesting learning point from this report is the limitations law enforcement put on the organisation’s communications. The council may have been happy to accept this advice, but different organisations may have wanted to be more open and transparent. Circumstances on the day will determine how much this could cause a conflict, but I think as responders, we should all be aware of it.

A full copy of the report can be found here.
