In October 2023, the British Library’s servers were compromised and around 600GB of files were exfiltrated from the servers and held for ransom. This included personal data of Library users and staff. In this BLOG Chris McGee analyses the attack and considers what actions could have been taken to mitigate it.
Source of the attack
The source of the attack was believed to have been a phishing, spear-phishing, brute force or a combination of the three. The entry point is difficult to determine as the attackers removed log files from the server in an attempt to prevent any digital forensics from taking place. Unfortunately, there was a lack of multi-factor authentication (MFA) in place which would have prompted the attackers for a second method of authentication, typically a six-digit code sent to another device, before they could gain access.
What preventative measures could have been used?
It is possible that MFA could have stalled or prevented the attack. At this point, any compromised user may have hesitated and reported the phishing attempt as suspicious potentially preventing the attack.
Would Cyber Essentials have protected against this attack?
As one of the key parts of Cyber Essentials is implementation of MFA. alongside enforcing robust password length policies, having the certification may have prevented a successful attack. MFA is a key control of Cyber Essentials.
Another measure which may have helped prevent this attack is allowing server access only from trusted IPs. Restricting access to IPs in an allow list, would have prevented access to this server directly.
What is phishing/spear-phishing?
Phishing is a type of attack of that is common, especially within emails. Where an attack will attempt to obtain sensitive information via fraudulent emails. Spear phishing is a more tailored attack, where the attacks will become more customised for their target individuals or organisation.
What is brute forcing?
Brute forcing is the process of attempting to guess credentials which can be as simple as automating login attempts. Which may use a dictionary of common passwords or may have a more bespoke dictionary of words using targeted information.
/-3.5042587517567103,%2054.70635734010168,15.5/300X450@2X?access_token=pk.eyJ1Ijoid29tYmF0Y2hyaXMiLCJhIjoiY2pqaGEyd2lzMDQ3ZDN2bWQ4OTBsa2pmayJ9.ksVq6arM13qYhr76pco33w)