The British Library Cyber Incident Report – Standard or New Lessons?

In this week’s bulletin, Charlie looks into the cyber attack on the British Library and discusses what organisations can take away from the attack.

It’s difficult to extract lessons learned from cyber response when you are not the responder. Most organisations don’t like to share their lessons, or when they do, they mainly do so behind closed doors. I often have to glean what happened from articles written on the response or from my own review of the organisation’s response and crisis communications. Occasionally organisations, particularly those in the public sector, share their learnings. The British Library published their report on the 4th of March with a view to ensuring a ‘common level of understanding of key factors that may help peer institutions and other organisations learn lessons from the Library’s experience’.

In this bulletin, I will examine the lessons identified within the report and identify which elements of the attack were fairly standard for this type of ransomware attack and where there were differences from the usual modus operandi of ransomware attacks. For my definition of standard elements of the attack, I have drawn from what I teach on my two-day cyber course, BCT Certificate in Cyber Incident Management (NCSC Assured Training).

The British Library cyber attack took place on Saturday 28th October 2023. The attackers encrypted or destroyed most of the organisation’s server estate, as well as exfiltrating 600GB of data. As no ransom was paid, the attackers put the data up for auction and subsequently made it available on the dark web. The organisation is still in the process of recovery.

Which elements were standard?

1. The attack was discovered at 07:35 on a Saturday morning — often cyber attacks take place at the most inconvenient time for the victim.
2. This was the typical double extortion ransomware attack with data locked out and files exfiltrated. In the report, there is no mention of any other organisation being approached to try and put pressure on the organisation to pay.
3. There was both data encryption and data destruction for the attackers to cover their tracks. Data backups were also attacked and rendered useless.
4. The restoration of systems was hampered by the lack of viable infrastructure on which to restore them. This slows down the whole recovery. A similar instance happened to the Scottish Environment Protection Agency (SEPA) after their cyber attack, and so they used this as an opportunity to ‘build back better’.
5. Many of the systems couldn’t be brought back in their pre-attack form as they were no longer supported by the vendor or wouldn’t work on the new infrastructure. This was reminiscent of the impact of WannaCry on the NHS, as many outdated and unsupported systems were impacted.
6. Cloud-based systems were unaffected.
7. At the beginning of the incident, there was tight control of information leading to staff frustration and an impact on staff morale.
8. The plan was to build back systems better and make them ‘more secure, resilient and innovative’.
9. The rebuilding of a new infrastructure is bringing ‘risk of capability and capacity’ within the Library’s Technology department ‘due to the complexity of restoring, modifying, consolidating, retiring, rebuilding or replacing a large number of systems at the same time’. This point was echoed in the SEPA report and presentations by Maersk after NotPetya was the strain and a huge workload of IT personnel were working on the response.
10. They were attacked by a known cyber gang, the Rhysida ransomware gang.
11. The organisation provided advice to those whose data had been exfiltrated and ‘on the assumption that staff personal data was likely to have been compromised, we also immediately purchased a credit monitoring and identity protection product for all staff, including some ex-staff, board members, and users’.
12. Detailed analysis of the data exfiltrated aims to be completed by the end of March 24th 2024, five months after the attack.
13. The infrastructure to rebuild systems will take 6 months after the attack, and only then can many of the systems be restored.
14. Operations were able to be continued with either manual workarounds or those which didn’t involve the use of IT.
15. As the website and intranet were ‘out of action’, social media, emails, and WhatsApp, were used for staff communications. This was similar to Dundee and Angus College, who had to use these channels after a cyber incident.
16. It will take approximately 18 months to ‘create a new resilient infrastructure and deliver permanent solutions, either by upgrading or adapting existing systems or delivering new ones where necessary’.

Which elements were different?

1. In the timeline given in the report, the attack was discovered on the 28th of October 2023, but only on the 1st of November 2023, five days later, was the British Library advised by their third-party technical advisors NCC, to immediately stop using their laptops and desktops. In other reports I have read, users have been immediately told not to use organisation-supplied devices.

In conclusion, the British Library attack followed a standard pattern of attack and response, and I was surprised to find only one difference to many of the other attacks I have learned or read about. As these are standard facts about what occurs after a ransomware attack, I feel that all those responsible for managing one should be aware of them.