A report into the British Library cyber attack has highlighted the likely cause as a compromise of third-party credentials coupled with a lack of multifactor authentication (MFA) to thwart the threat actors.
The October 2023 incident caused a shutdown of digital services and led to a breach of personal data. The attack was attributed to the Rhysida ransomware group, which put data allegedly extracted from the library’s servers up for sale.
Unauthorised access to the library's network was initially detected at its Terminal Services server, installed in February 2020 to enable remote access for third-party providers and internal IT administrators during the COVID-19 pandemic.
Third-party employees from software development, IT maintenance, and consultancy firms were granted varying levels of network access, including privileged administrator access to specific servers or software.
The British Library, in its report published on March 8, stated that the probable source of the attack was the compromise of privileged third-party account credentials, likely through phishing, spear-phishing, or brute force attacks – a risk to organisations globally.
Concerns regarding the increased use of third-party providers were raised by the library’s Corporate Information Governance Group (CIGG) in late 2022, with a review of security measures for managing their access scheduled for 2024.
Unfortunately, the attack occurred before these security measures could be fully implemented. The absence of Multi-Factor Authentication (MFA) on the domain was identified as a risk when MFA was introduced to other parts of the library in 2020.
However, the potential consequences were underestimated. Implementing MFA for connectivity to the British Library domain was deemed impractical due to cost and impact on ongoing programs, potentially contributing to the success of the threat actors.
After gaining access, the threat actors copied 600GB of data, including personal information of library users and staff. The attack involved targeted copying of specific network drive sections, keyword scanning for sensitive files, and hijacking native utilities to create backup copies of databases. Servers were destroyed to impede recovery and forensic analysis, causing significant damage to the library's infrastructure.
Despite the extensive impact, the library decided not to negotiate with the attackers or make any payments, following UK government guidance. It was announced in January 2024 that the library would commence a “Rebuild & Renew” programme with the aim of enhancing cyber resilience and embedding security into all aspects of its operations.
This includes updates to the IT infrastructure featuring role-based access control, enhanced MFA capabilities, improved management of third-party access, proper segmentation, and development of a comprehensive security suite.
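The controls listed above map directly onto checks an access review can run on a schedule. What follows is an added example, not code from the British Library report or its Rebuild & Renew programme: a Python audit of a constructed account inventory that flags privileged or remote-access accounts without MFA, privileges outside a role’s permitted scope, and third-party accounts whose access review is overdue. The role scope table, the 90-day review interval, the supplier names and the review date are all assumptions made for the example.

```python
"""Access review for third-party and privileged accounts.

Added example: audits a constructed account inventory against the
controls named in the report (MFA on privileged and remote access,
managed third-party access, role-based scope) and returns the findings
a reviewer would act on. Policy values below are assumed, not taken
from the report.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed policy: a third-party account must be re-certified at least this often.
REVIEW_INTERVAL_DAYS = 90

# Assumed role-based scope: the privileges each role may legitimately hold.
ROLE_SCOPE = {
    "user": set(),
    "developer": {"app-deploy"},
    "it-maintenance": {"server-admin"},
    "consultant": set(),
    "admin": {"server-admin", "domain-admin"},
}


@dataclass
class Account:
    name: str
    owner_org: str                  # "internal" or the supplier's name
    remote_access: bool             # may log in through the remote-access gateway
    mfa_enrolled: bool
    privileges: set = field(default_factory=set)
    role: str = "user"
    last_review: Optional[date] = None


def review(accounts, today):
    """Return (account, finding) pairs for every policy violation found."""
    findings = []
    for a in accounts:
        privileged = bool(a.privileges)
        third_party = a.owner_org != "internal"

        # Privileged or remote-access accounts must have MFA, so a phished or
        # brute-forced password alone is not enough to reach the network.
        if (privileged or a.remote_access) and not a.mfa_enrolled:
            findings.append((a.name, "no-mfa"))

        # Any privilege outside the role's scope breaks least privilege.
        excess = a.privileges - ROLE_SCOPE.get(a.role, set())
        if excess:
            findings.append((a.name, "excess-privilege:" + ",".join(sorted(excess))))

        # Third-party access must be reviewed on schedule; never-reviewed counts as overdue.
        if third_party and (a.last_review is None or
                            (today - a.last_review).days > REVIEW_INTERVAL_DAYS):
            findings.append((a.name, "review-overdue"))
    return findings


# Constructed inventory: supplier names and dates are invented for the example.
SAMPLE_ACCOUNTS = [
    Account("svc-dev-supplierA", "SupplierA Ltd", True, True, {"app-deploy"}, "developer", date(2023, 9, 1)),
    Account("adm-maint-supplierB", "SupplierB Ltd", True, False, {"server-admin"}, "it-maintenance", date(2023, 3, 1)),
    Account("consult-supplierC", "SupplierC", True, False, {"domain-admin"}, "consultant", None),
    Account("jsmith", "internal", False, False, set(), "user", None),
    Account("it-admin-1", "internal", True, True, {"server-admin", "domain-admin"}, "admin", None),
]

# Assumed review date for the constructed run.
REVIEW_DATE = date(2023, 10, 28)

if __name__ == "__main__":
    for name, finding in review(SAMPLE_ACCOUNTS, REVIEW_DATE):
        print(f"{name}: {finding}")
```

Run against the constructed inventory, the audit flags the supplier maintenance account for missing MFA and an overdue review, and the consultant account for missing MFA, out-of-scope domain-admin rights and a review that never happened; the internal administrator with MFA and the ordinary user produce no findings. In practice the inventory would be pulled from the directory and the privileged-access management system rather than typed in, and the findings fed into a ticketing workflow.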
It is clear from the actions being taken as part of the recovery process that the cyber attack could have been prevented, or at least considerably frustrated, had better security controls been in place earlier.
The controls highlighted should be considered by any organisation as part of its cyber resilience plans and could prevent a costly and hugely disruptive cyber attack; where such improvements are identified, they should be implemented without undue delay.
Reporting
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).