The British Library ransomware attack was likely caused by the compromise of third-party credentials coupled with no multifactor authentication (MFA) in place to stop the attackers, despite previous warnings about these risks.
This is according to a British Library report that sheds new light on the October 2023 attack, which shut down digital services and breached the personal data of Library users and staff.
The attack was claimed by the Rhysida ransomware group, who placed exfiltrated data for sale on the dark web after the British Library refused to pay the ransom demand.
The first detected unauthorized access to the Library’s network was at its Terminal Services server. This server was installed in February 2020 to the facilitate remote access to third-party providers and internal IT administrators during the COVID-19 pandemic.
Employees of third-party software development, IT maintenance and consultancy firms are therefore given various levels of access to the network, including in many cases privileged administrator access to specific servers or software.
The British Library said in its report, published on March 8, 2024, that the most likely source of the attack was the compromise of privileged third-party account credentials, possibly via a phishing or spear-phishing attack or a brute force attack.
The increasing use of third-party providers within the network was flagged as a risk by the Library’s Corporate Information Governance Group (CIGG) in late 2022, with a review of security provisions relating to the management of their access planned for 2024.
“Unfortunately, the attack occurred before these necessary pre-requisites for this work were completed,” the Library stated.
Lack of MFA Helped Attackers’ Access
While the terminal server was protected by firewalls and virus software, access was not subject to MFA.
The lack of MFA on the domain was identified and raised as a risk when MFA was introduced to other parts of the Library in 2020, “but the possible consequences were perhaps under-appraised,” the report stated.
It was decided that connectivity to the British Library domain would be out of scope for MFA implementation for reasons of practicality, cost and impact on ongoing Library programs.
“It is considered likely that the absence of MFA contributed to the attackers’ ability to enter the system via this route,” the Library admitted.
The systems’ monitoring software did not automatically isolate the intrusion at source but did prevent further intrusion into parts of the Library’s technology estate.
“Deep and Extensive” Impact of the Attack
The report found that following access, the attackers successfully copied 600GB of data, equating to just under half a million individual documents.
This included personal details of Library users and staff. A detailed analysis of this data is ongoing and due to be completed by the end of March.
The attackers used three methods to identify and copy these documents:
- A targeted attack copying entire sections of network drives belonging to Finance, Technology and People teams. These files comprised 60% of the total content copied.
- A keyword attack scanning the network for any file or folder that used certain sensitive keywords in its naming convention, such as ‘passport’ or ‘confidential,’ making up around 40% of the data copied. This included files from corporate networks and from drives used by staff for personal purposes.
- Native utilities were hijacked and used to forcibly create backup copies of 22 databases, several of which were believed to contain contact details of external users and customers.
In addition to exfiltrating and encrypting data, Rhysida and its affiliates also destroyed servers to inhibit system recovery and subsequent forensic analysis.
The destruction of servers has had the most damaging impact on the Library, as it currently lacks viable infrastructure on which to restore its systems and data.
“This infrastructure is in the process of being rebuilt or renewed, with work due to complete by mid-April,” said the report.
While the Library acknowledged that the impact of the incident has been “deep and extensive” across all areas of activity, a decision was made not to make any payment to the attackers, or engage with them in any way, in line with UK government guidance.
The report also noted that the Library’s “unusually diverse and complex technology estate,” with a large number of legacy systems, allowed the attackers wider access than would have been possible in a more modern network design.
The Library added that the process of calculating the financial impact of the attack is ongoing.
Learning Security Lessons to Aid System Rebuild
In January 2024, Sir Roly Keating, Chief Executive of the British Library, announced that the institution had begun restoring its online services, but warned that the broader program of a full technical rebuild and recovery will take time.
This includes accelerating plans to invest in its core technology infrastructure that were originally announced in May 2023.
The new report said the Library is currently undertaking a ‘Rebuild & Renew’ program to restore its systems, which is designed to boost cyber resiliency and “to ensure its future ability to respond to incidents of a similar scale in a consistent and structured way.”
This program aims to embed security more deeply than ever into everything the Library does.
Among the planned cybersecurity updates to the Library’s IT infrastructure are:
- A role-based-access control setup for domain and storage services to enshrine the principle of least privilege across the organization
- Substantially enhanced MFA on-premises capabilities
- A substantially enhanced management of third-party network access via Privileged Access Management (PAM) policies
- Implementing proper segmentation with a defense-in-depth approach
- The development of a holistic, integrated security suite that covers the whole organization
- A backup service providing immutable and air-gapped copies, offsite copies, and hot copies of data with multiple restoration points
As part of these modernization efforts, there will be a “considerable shift” away from on-site technologies to the cloud over the next 18 months.
The report acknowledged this shift will come with a new set of cybersecurity risks, but these should be easier to manage.
“Previously approved investment updates and changes are already being implemented that will reduce the impact of a future attack, reduce operating overheads by replacing legacy systems, embed security across the IT lifecycle and reduce risk in key areas such as data loss, disaster recovery and business continuity. Implementation will require significant changes to our applications, our culture and ways of working, and our policies and processes,” the report stated.