
Key Insights from the British Library Cyberattack


The British Library encountered a severe cyberattack in October 2023, resulting in the shutdown of its website and a range of online services, including card transactions, reader registrations, and ticket sales, in addition to access to its digital library catalog. The attack had grave financial repercussions, costing the library £7 million (US$8.9 million) in recovery expenses, amounting to about 40% of its reserve budget. Although the online catalog was reinstated in January, complete recovery is not anticipated until the end of the year.

An evaluation of the British Library's initial response shows that the institution executed a well-planned response strategy. Even so, the library, with its collection of 170 million items, acknowledged a critical gap: it had no dedicated security team readily available, which left it heavily dependent on an external team unfamiliar with the environment and scrambling to contain the incident at the last moment.

Embracing transparency, the library released a comprehensive report detailing the attack and sharing valuable insights that can aid other organizations in their cyber preparedness and mitigation efforts.

Investigations post-attack revealed that the attackers gained unauthorized access through the Terminal Services server, which was set up in 2020 during the COVID era for remote access by external partners and internal IT administrators. The compromise of privileged account credentials, potentially through phishing or brute-forcing, is suspected to be the main cause of the breach. Despite the Terminal Services server being safeguarded by a firewall and antivirus software, it lacked standard multifactor authentication (MFA) protection, which was a significant oversight.
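The suspected brute-forcing of a privileged account on an exposed Terminal Services (RDP) host is a pattern that stands out in Windows logon events. As an added example, not code from the library's report or this article, the following Python detector runs over constructed sample log lines and flags a successful RemoteInteractive logon (event 4624, logon type 10) that follows a burst of failures (4625) from the same source; the log line format, account names and IP addresses are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape of exported Windows Security events:
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2023-10-27T02:14:01 EventID=4625 Account=svc_admin Source=203.0.113.7 LogonType=10
2023-10-27T02:14:03 EventID=4625 Account=svc_admin Source=203.0.113.7 LogonType=10
2023-10-27T02:14:05 EventID=4625 Account=svc_admin Source=203.0.113.7 LogonType=10
2023-10-27T02:14:08 EventID=4625 Account=svc_admin Source=203.0.113.7 LogonType=10
2023-10-27T02:14:10 EventID=4625 Account=svc_admin Source=203.0.113.7 LogonType=10
2023-10-27T02:14:12 EventID=4624 Account=svc_admin Source=203.0.113.7 LogonType=10
2023-10-27T08:30:00 EventID=4625 Account=jsmith Source=198.51.100.4 LogonType=10
2023-10-27T08:30:20 EventID=4624 Account=jsmith Source=198.51.100.4 LogonType=10
2023-10-27T09:00:00 EventID=4624 Account=backup_op Source=10.0.0.5 LogonType=2
"""

LINE_RE = re.compile(r"(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) "
                     r"Source=(?P<src>\S+) LogonType=(?P<lt>\d+)")

def parse_events(text):
    """Turn the constructed log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "eid": int(m["eid"]),
                           "acct": m["acct"], "src": m["src"], "lt": int(m["lt"])})
    return events

def find_brute_force_successes(events, threshold=5, window=timedelta(minutes=10)):
    """Return (account, source, failure_count) for every RDP logon success that was
    preceded by at least `threshold` failures from the same source within `window`."""
    failures = defaultdict(list)  # (account, source) -> timestamps of recent failures
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["lt"] != 10:        # only RemoteInteractive (Terminal Services / RDP) logons
            continue
        key = (ev["acct"], ev["src"])
        if ev["eid"] == 4625:
            failures[key].append(ev["ts"])
        elif ev["eid"] == 4624:
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                hits.append((ev["acct"], ev["src"], len(recent)))
            failures[key].clear()  # a success closes the burst either way
    return hits
```

A single failed attempt followed by a success (the jsmith lines) and a non-RDP console logon (backup_op) are deliberately left unflagged, which is where MFA on the host would have made the difference for the burst that is flagged.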

The attackers in the ransomware incident targeted sensitive data, copying 600GB of files, including material from network drives belonging to the finance, technology, and HR departments. They ran keyword searches for terms such as “passport” and “confidential,” and also copied files from staff members' personal drives. In addition, native utilities used for network administration were abused to create backup copies of 22 databases, including contact details of external users and customers.

The notorious ransomware-as-a-service provider Rhysida claimed responsibility for the attack on the British Library. This criminal group is known for its cyber assaults on various entities, including the Chilean army, schools, power plants, universities, and government institutions across Europe. Rhysida and its affiliates adopt a methodical approach involving defense evasion, data exfiltration for ransom purposes, and server destruction to impede recovery efforts. The group demanded 20 bitcoins from the British Library, but due to UK government policy forbidding ransom payments, the library declined to cooperate, prompting the release of employee passport images and dissemination of most of the material on the Dark Web.

The British Library cyber incident serves as a wake-up call for all knowledge institutions, libraries, and government-funded bodies that face similar risks due to legacy infrastructure, resource constraints, and a significant portion of their assets existing in digital form. These entities are advised to adhere to best practices such as assessing technical debt, maintaining a comprehensive view of cyber risks, practicing good information governance, and adopting a defense-in-depth security strategy to shield themselves from sophisticated cyberattacks.
