Case Studies

British Library cyber incident review

by Mark Rowe

The British Library on Saturday, October 28, 2023, suffered what the institution has described as a ‘major ransomware attack’. The incident was featured in the March print edition of Professional Security Magazine. The Library, based at St Pancras, central London (pictured: its gates before morning opening), with stores at Boston Spa in Yorkshire (whose holdings in automated vaults are still not available), has released an 18-page ‘cyber incident review’ to offer ‘learning lessons’ to others.

The review describes the impact of the attack as ‘deep and extensive’. Among the lessons is that infrastructure and applications ought to be kept current, ‘with increased levels of lifecycle investment in technology infrastructure and security’. In recovering, the Library is finding that its older, ‘legacy’ IT is ‘unsupported and therefore cannot be repurchased or restored’, or ‘simply will not operate on modern servers or with modern security controls’.

Although the attackers encrypted or destroyed many of the Library’s servers, the Library has identified a server considered likely to have been the point of entry. The attackers took some 600GB of files, in plainer English ‘just under half a million individual documents’, ‘including personal data of Library users and staff’. The Library refused to pay a ransom; the data was put up for auction and dumped on the dark web. The review addresses other publicly-funded institutions with the point that UK national policy, as articulated by the official National Cyber Security Centre (NCSC), ‘is unambiguously clear that no such payments should be made’. However, as featured in Professional Security Magazine last summer, information security people are debating in public whether ‘to pay or not to pay’.

Where the taken material is sensitive, the Library says it is contacting those affected ‘with advice and support’, and has offered staff ‘a credit monitoring and identity protection product’ in case they need ‘protection of their personal finances’. The review states that the ‘destruction of some servers’, carried out to inhibit system recovery and to cover the attackers’ tracks, ‘had the most damaging impact’. In human terms, it has meant ‘frustration for researchers’ and an impact on staff morale. Among the physical impacts: the Library is famed as an institution that by law has to receive printed material (including the monthly edition of Professional Security magazine), and ‘legal deposit continues to be received but cannot be accessioned or sent to shelf’, the review states.

The Library began re-building its IT in December and is still at work. Cloud-based systems, including finance and payroll, have functioned normally. The Library says it expects to shift more to the cloud in the next 18 months, ‘which will come with its own risks that need to be actively managed’.

The Library mirrored other fields, such as academia and the National Health Service, besides corporate business, in having what it termed an ‘unusually diverse and complex technology estate, including many legacy systems’. Later the document lists some of them, ‘including online (and onsite) shop, box office, Reader Registration system and a multitude of back office support systems’. That IT mix echoed the physical world’s mixing, over decades, of ‘many collections, organisational cultures and functions’. The review suggests that this legacy infrastructure ‘contributed to the severity of the impact of the attack’ by allowing the attackers wider access. As a further sign of how even high-profile sites may run old IT, the review also says that the library management system and some other IT systems ‘cannot be brought back in the form that they existed in before the attack, either because they are no longer supported by the vendor and the software is no longer available, or because they will not function on the Library’s new secure infrastructure’, which is now being installed.

The recovery work since December will, the review says, ‘embed security across the IT lifecycle and reduce risk in key areas such as data loss, disaster recovery and business continuity’. That cyber response is not only a technical matter is acknowledged where the document adds that the Library will have to make ‘significant changes to our applications, our culture and ways of working, and our policies and processes’.

Given the Library’s standing in UK culture, the NCSC came in on the day the incident began. The cyber consultancy NCC Group was procured ‘immediately’. As a sign of how an attack on IT makes the response itself more difficult, a ‘Gold Crisis Response Team’ had to convene on the morning of the attack by WhatsApp video call, ‘in the absence of email’. That team, made up of ‘senior technical staff, independent cyber-security advisors, and the Library’s statutory Data Protection Officer, as well as members of senior management’, ran crisis management until the crisis ‘stabilised’ in mid-January. The Library also received what the review terms ‘strong and consistent support’ from the Department for Culture, Media and Sport (DCMS), the Library’s sponsor body, including from its specialist cyber team. The Library’s communications and marketing staff played a part in the response, keeping staff and other interested parties informed ‘without sharing detail that could aid the attackers’. At first they used the Library’s social media channels, as its website and intranet were out of action; an interim website has been in place since December. As the review notes, it matters that staff feel kept up to date: ‘staff always saw updated external communications (e.g. external statements, blog posts by the CEO) before the public’.

The review gives a timeline of the attack. An ‘initial intrusion’ on the Wednesday before is now considered to have been hostile reconnaissance of the Library network, ‘as a precursor to the major attack’. Jisc (which provides IT services to universities and the Library’s internet access, and monitors the movement of data) identified that an unusually high volume of data (440GB) had left the Library’s estate at 1.30am on the Saturday.
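
By way of an added illustration, not code from the review, Jisc or the Library, the following Python sketches the kind of check that catches a bulk transfer of this size: sum outbound bytes per hour from flow records and flag an hour that sits far above the running baseline. The CSV flow-record format, the internal address ranges, the addresses and the volumes are all assumed and constructed for the example.

```python
"""Flag hours in which outbound volume from the internal estate far exceeds
the running baseline, the kind of check run over NetFlow/sFlow exports to
catch bulk exfiltration.  Flow records here are constructed CSV lines of
the form ts,src,dst,bytes (an assumed format, not Jisc's)."""
import csv
import io
import ipaddress
import statistics
from datetime import datetime

# The estate's own ranges (assumed here to be the RFC 1918 blocks).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def hourly_egress(flow_lines):
    """Sum bytes of internal->external flows per UTC hour, oldest first."""
    buckets = {}
    for row in csv.DictReader(io.StringIO("\n".join(flow_lines))):
        if not is_internal(row["src"]) or is_internal(row["dst"]):
            continue  # inbound or purely internal traffic is not egress
        hour = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(minute=0, second=0)
        buckets[hour] = buckets.get(hour, 0) + int(row["bytes"])
    return dict(sorted(buckets.items()))

def egress_anomalies(flow_lines, factor=10.0, min_bytes=50 * 2**30, min_history=6):
    """Return (hour, bytes, baseline) for each hour whose egress is above an
    absolute floor AND more than `factor` times the median of earlier hours.
    The median baseline is deliberately insensitive to one earlier spike."""
    history, alerts = [], []
    for hour, total in hourly_egress(flow_lines).items():
        if len(history) >= min_history:
            baseline = statistics.median(history)
            if total >= min_bytes and total > factor * baseline:
                alerts.append((hour, total, baseline))
        history.append(total)
    return alerts

MiB, GiB = 2**20, 2**30

def sample_flows():
    """Constructed records: a quiet evening, then ~440 GB leaving at 01:30."""
    lines = ["ts,src,dst,bytes"]
    for h in range(18, 24):
        lines.append(f"2023-10-27T{h:02d}:10:00Z,10.20.30.40,203.0.113.10,{300 * MiB}")
        lines.append(f"2023-10-27T{h:02d}:40:00Z,10.20.30.41,198.51.100.5,{120 * MiB}")
        lines.append(f"2023-10-27T{h:02d}:50:00Z,203.0.113.10,10.20.30.40,{2 * GiB}")  # inbound
    lines.append(f"2023-10-28T00:15:00Z,10.20.30.40,203.0.113.10,{250 * MiB}")
    lines.append(f"2023-10-28T01:30:00Z,10.20.30.77,198.51.100.99,{440 * GiB}")
    lines.append(f"2023-10-28T02:05:00Z,10.20.30.40,203.0.113.10,{200 * MiB}")
    return lines

if __name__ == "__main__":
    for hour, total, baseline in egress_anomalies(sample_flows()):
        print(f"{hour:%Y-%m-%d %H:%M}Z egress {total / GiB:.0f} GiB vs baseline {baseline / MiB:.0f} MiB")
```

Two design points matter in practice: the absolute floor stops a quiet estate from alerting on ordinary nightly backups that happen to exceed ten times a tiny median, and the median baseline means one legitimate large transfer earlier in the day does not mask a later exfiltration.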

As for the most likely source of the attack, the document suggests ‘the compromise of privileged account credentials, possibly via a phishing or spear-phishing attack or a brute force attack where passwords are repeatedly tried against a user’s account’. The Library had noted increasing use of third-party providers on its network, and a review of IT security relating to the management of third parties was planned for this year.

The Library brought in multi-factor authentication (MFA) in 2020 ‘to increase protection of all remote activities relating to cloud applications such as email, Teams and Word’, but ‘for reasons of practicality, cost and impact’ decided that connectivity to the Library domain (including machine log-on access and access to on-premise servers) would be out of scope. The review reckons that the attackers’ first detected unauthorised access to the Library network was against a server that was part of that domain, that is, inside the part of the estate left outside MFA.
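
The two preceding paragraphs describe a credential-guessing route into accounts that were not protected by MFA. The following Python is an added example, not the Library’s tooling or anything from the review: a sliding-window check over authentication log lines that flags a brute-force burst against one account, a password spray from one source against many accounts, and the event that matters most to a responder, a success from a source that has already tripped a threshold. The log line format, account names and addresses are assumed and constructed for the example.

```python
"""Sliding-window detection of password guessing against accounts, over
authentication log lines of a constructed form:
    <ISO-8601 UTC time> auth src=<ip> user=<account> result=OK|FAIL
Two patterns are flagged: brute force (many failures against one account
from one source) and password spray (one source failing against many
accounts).  A later success from a source already flagged is reported as
'success_after_burst', which is the event a responder most wants to see."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    return ev

def detect(lines, window=timedelta(minutes=10), max_fail_per_user=10, max_users_per_src=5):
    """Return (kind, src, user, ts) alerts; `lines` must be in time order."""
    fails = defaultdict(deque)        # (src, user) -> failure timestamps within the window
    users_by_src = defaultdict(dict)  # src -> {user: time of last failure}
    flagged = set()                   # sources that have tripped a threshold
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, src, user = ev["ts"], ev["src"], ev["user"]
        if ev["result"] == "FAIL":
            q = fails[(src, user)]
            q.append(ts)
            while ts - q[0] > window:          # expire failures older than the window
                q.popleft()
            if len(q) == max_fail_per_user:    # fires as the threshold is crossed
                alerts.append(("brute_force", src, user, ts))
                flagged.add(src)
            seen = users_by_src[src]
            seen[user] = ts
            for u in [u for u, t in seen.items() if ts - t > window]:
                del seen[u]
            if len(seen) == max_users_per_src:
                alerts.append(("password_spray", src, None, ts))
                flagged.add(src)
        elif src in flagged:
            alerts.append(("success_after_burst", src, user, ts))
    return alerts

def sample_log():
    """Constructed lines: one account hammered then logged into, one source
    spraying six accounts once each, and a user who merely mistyped twice."""
    base = datetime(2023, 10, 25, 2, 0, 0)
    stamp = lambda **kw: (base + timedelta(**kw)).strftime(TS_FMT)
    lines = [f"{stamp(seconds=20 * i)} auth src=203.0.113.7 user=svc_backup result=FAIL"
             for i in range(12)]
    lines.append(f"{stamp(minutes=4)} auth src=203.0.113.7 user=svc_backup result=OK")
    for i, u in enumerate(["a.ali", "b.brown", "c.chen", "d.das", "e.evans", "f.foster"]):
        lines.append(f"{stamp(minutes=1, seconds=30 * i)} auth src=198.51.100.9 user={u} result=FAIL")
    lines.append(f"{stamp(minutes=5)} auth src=192.168.4.21 user=r.reader result=FAIL")
    lines.append(f"{stamp(minutes=5, seconds=20)} auth src=192.168.4.21 user=r.reader result=FAIL")
    lines.append(f"{stamp(minutes=6)} auth src=192.168.4.21 user=r.reader result=OK")
    return sorted(lines)  # ISO timestamps sort chronologically as strings

if __name__ == "__main__":
    for kind, src, user, ts in detect(sample_log()):
        print(f"{ts:%H:%M:%S} {kind:20} src={src} user={user}")
```

The thresholds are illustrative; what a real deployment tunes is the window and the per-source account count, since a patient spray of one attempt per account per hour slips under both limits and needs a longer window or a daily roll-up to catch.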

While much of the exfiltration was wholesale, such as from the finance department, some was the result of a ‘keyword attack’: scanning the Library’s network for any file or folder whose name contained sensitive keywords, such as ‘passport’ or ‘confidential’.

The document points out that thanks to the Library’s Payment Card Industry Data Security Standard (PCI DSS) controls, no credit card data was compromised: ‘the storage of customer card data is not permitted anywhere on our network and is regularly scanned for and eliminated where present’. The Library had gained the UK official Cyber Essentials Plus accreditation in 2019, ‘but changes to the standard in 2022 meant that we ceased to be compliant pending replacement of some of our older core systems’.

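
The regular scanning for stored card data that the review credits is, in practice, a search for digit runs that look like card numbers. The following Python is an added example of such a check, not the Library’s scanner: it finds 13 to 19 digit runs (with optional spaces or hyphens) that pass the Luhn check and returns them masked, so that the scan output does not itself become a store of card data. The sample text is constructed; the card numbers in it are published test numbers.

```python
"""Scan text for probable payment card numbers (PANs), the sort of check a
PCI DSS programme runs over file shares so that stored card data can be
found and removed.  A candidate is 13-19 digits, optionally separated by
single spaces or hyphens, that passes the Luhn check.  Matches are returned
masked (first six and last four digits) so the scanner's own output does
not become a new store of card data."""
import re

# 13-19 digits, each optionally followed by one space or hyphen, not
# embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

def luhn_ok(digits):
    """Luhn (mod 10) check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits):
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text):
    """Return (offset, masked_pan) for each probable PAN in `text`."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Luhn alone passes runs such as 0000000000000000, so also require
        # more than one distinct digit before reporting.
        if luhn_ok(digits) and len(set(digits)) > 1:
            hits.append((m.start(), mask(digits)))
    return hits

SAMPLE = (  # constructed text; the card numbers are published test numbers
    "Order 1234567812345678 paid with card 4111 1111 1111 1111; "
    "refund to 5500-0000-0000-0004; tel 020 7946 0000"
)

if __name__ == "__main__":
    for offset, masked in find_pans(SAMPLE):
        print(f"offset {offset}: {masked}")
```

Luhn plus length filters out most order numbers and phone numbers but is not proof of a card number; a production scanner also checks issuer prefixes and reads inside documents and archives rather than only plain text, and every hit still needs a human decision on deletion.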
The review also offers a risk assessment, including that ‘a successful cyber-attack can encourage opportunistic attackers’. While the document points to the need for a cyber-secure culture, it warns of a risk ‘that the desire to return to “business as usual” as fast as possible will compromise the changes’ in technology, policy and culture required. The review airs what others have, particularly in the public sector: how difficult it is to recruit and keep IT staff in general and cyber staff in particular; the Library admits its tech department was ‘overstretched before the incident and had some staff shortages’. Significantly, the review points to ‘reconsideration of how the Library remunerates high-demand IT skills’; in plainer English, it may have to pay more. Nor does a move to the cloud necessarily remove cyber-risks, the review admits; ‘it simply transforms them to a new set of risks that should be easier to manage given the necessary resources and capacity’.


© 2024 Professional Security Magazine. All rights reserved.
