Key Takeaways From the British Library Cyberattack
In October 2023, the British Library experienced a major cyberattack that took down its website, most of its online services, including card transactions, reader registrations, and ticket sales, as well as access to its digital library catalogue. The attack cost the library £7 million (US$8.9 million) in recovery expenses, approximately 40% of its reserve budget. While the online catalogue was restored in January, full recovery is not expected before the end of the year.
How Did Attackers Breach the British Library?
Although the exact method of entry remains unknown, because much of the infrastructure that would have held the forensic evidence was destroyed during the attack, investigators identified the first unauthorized access at the Terminal Services server. That server had been installed in 2020 to give external partners and internal IT administrators remote access, and many external parties held privileged access to specific servers and software. The most likely initial access vector is the compromise of a privileged account's credentials, whether through phishing, spear-phishing, or brute-forcing.
The Terminal Services server sat behind a firewall and ran antivirus software, but neither control stops a logon made with valid stolen or guessed credentials. It lacked multifactor authentication (MFA), the one control that would have made a password alone insufficient, and that was a critical oversight.
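The credential-guessing path the investigators consider plausible leaves a recognisable trace even where MFA is missing: a burst of failed remote logons from one source followed by a success from the same source. The script below is an added example, not code from the British Library or its report. It runs that detection over constructed Windows Security events (EventID 4625 for a failed logon, 4624 for a success, LogonType 10 for RDP/Terminal Services sessions) and rates a burst that ends in a successful logon higher than one that does not. The pipe-delimited layout, the thresholds, the account names and the IP addresses are assumptions for illustration.

```python
"""Spot password guessing against an RDP / Terminal Services server and tell
whether a guess eventually worked.

Added example, not code from the British Library or its report. The events
below are constructed and carry the Windows Security fields that matter:
EventID 4625 (failed logon) and 4624 (successful logon), LogonType 10
(RemoteInteractive, the RDP logon type), TargetUserName and IpAddress.
A real export (Get-WinEvent, a SIEM) has the same fields under its own names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive; type 3 is an ordinary network logon

# Constructed sample. Format: timestamp|EventID|LogonType|TargetUserName|IpAddress
SAMPLE_EVENTS = """\
2023-10-26T01:12:03|4625|10|svc_backup|203.0.113.45
2023-10-26T01:12:05|4625|10|svc_backup|203.0.113.45
2023-10-26T01:12:08|4625|10|svc_backup|203.0.113.45
2023-10-26T01:12:11|4625|10|administrator|203.0.113.45
2023-10-26T01:12:14|4625|10|administrator|203.0.113.45
2023-10-26T01:12:17|4625|10|svc_backup|203.0.113.45
2023-10-26T01:12:41|4624|10|svc_backup|203.0.113.45
2023-10-26T02:05:00|4625|10|administrator|198.51.100.7
2023-10-26T02:05:02|4625|10|administrator|198.51.100.7
2023-10-26T02:05:04|4625|10|administrator|198.51.100.7
2023-10-26T02:05:06|4625|10|administrator|198.51.100.7
2023-10-26T02:05:08|4625|10|administrator|198.51.100.7
2023-10-26T08:30:00|4624|10|jsmith|10.20.0.15
2023-10-26T08:31:10|4625|10|jsmith|10.20.0.15
2023-10-26T08:31:30|4624|10|jsmith|10.20.0.15
2023-10-26T09:00:00|4625|3|scanner|10.20.0.99
2023-10-26T09:00:01|4625|3|scanner|10.20.0.99
2023-10-26T09:00:02|4625|3|scanner|10.20.0.99
2023-10-26T09:00:03|4625|3|scanner|10.20.0.99
2023-10-26T09:00:04|4625|3|scanner|10.20.0.99
"""


def parse_events(text):
    """Parse pipe-delimited event lines into dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, user, ip = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "ip": ip,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=10),
                          logon_types=frozenset({RDP_LOGON_TYPE})):
    """One finding per source IP with >= threshold failed logons inside window.

    Severity is 'high' when a successful logon from the same IP follows the
    burst (the guessing worked and the account is now the attacker's),
    otherwise 'medium'. Only the given logon types count, so the default
    ignores SMB/network noise and looks at remote desktop sessions only."""
    recent_failures = defaultdict(list)   # ip -> failures still inside the window
    findings = {}
    for ev in parse_events(text):
        if ev["logon_type"] not in logon_types:
            continue
        ip = ev["ip"]
        recent = [f for f in recent_failures[ip] if ev["time"] - f["time"] <= window]
        if ev["event_id"] == FAILED_LOGON:
            recent.append(ev)
            if len(recent) >= threshold:
                finding = findings.setdefault(ip, {
                    "ip": ip, "first_seen": recent[0]["time"], "failures": 0,
                    "accounts": set(), "succeeded_as": None,
                    "success_time": None, "severity": "medium",
                })
                finding["failures"] = max(finding["failures"], len(recent))
                finding["accounts"].update(e["user"] for e in recent)
        elif ev["event_id"] == SUCCESSFUL_LOGON:
            if len(recent) >= threshold:
                # The finding exists: the failure that reached the threshold created it.
                finding = findings[ip]
                finding["succeeded_as"] = ev["user"]
                finding["success_time"] = ev["time"]
                finding["severity"] = "high"
            recent = []  # a success, guessed or legitimate, closes the burst
        recent_failures[ip] = recent
    for finding in findings.values():
        finding["accounts"] = sorted(finding["accounts"])
    rank = {"high": 0, "medium": 1}
    return sorted(findings.values(),
                  key=lambda f: (rank[f["severity"]], f["first_seen"]))


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f'{f["severity"]:6} {f["ip"]:15} failures={f["failures"]} '
              f'accounts={f["accounts"]} succeeded_as={f["succeeded_as"]}')
```

On the sample, 203.0.113.45 is flagged high (six failures across two accounts, then a successful logon as svc_backup), 198.51.100.7 medium (five failures, no success), and the single typo by jsmith is ignored. The type-3 network failures are left out by default; passing `logon_types={3, 10}` widens the rule to them. Without the failures before it, the attacker's 4624 looks like any other administrator logon, which is why MFA at the front door matters more than this detection behind it.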
What Did Hackers Steal?
As in most ransomware attacks, the adversaries first stole sensitive data that could be sold on underground marketplaces or held over the victim to extract a ransom. They copied roughly 600 GB of files, using three main methods to find the sensitive material:
- Copied network drives from finance, technology, and HR departments.
- Ran keyword searches across the network for sensitive terms such as "passport" and "confidential."
- Obtained files from the personal drives of staff members.
The attackers also used native database utilities, rather than tooling of their own, to create backup copies of 22 databases, including the contact details of external users and customers. Relying on tools already present on the victim's systems is a common way to blend in with legitimate administrative activity and avoid antivirus detection.
What Else Is Known About the Attackers?
The ransomware group Rhysida claimed responsibility for the attack. Known for attacks on the Chilean army, schools, power plants, universities, and government institutions across Europe, Rhysida and its affiliates combine defense evasion, data exfiltration, and the destruction of servers to hinder recovery and increase the pressure to pay. They demanded 20 bitcoins from the British Library. UK public bodies do not pay ransoms, and when the library declined to engage, the gang published images of employees' passports as proof of the theft and then leaked much of the stolen material on its dark web site.
Lessons Learned From the Library Attack
- Assess your technical debt: Outdated hardware and software carry significant security risk, and legacy systems are also far slower and costlier to rebuild after a destructive attack. Organizations must evaluate this debt before an incident, not after, to avoid much greater recovery costs. Example: A system too old to patch, or unable to support modern controls such as MFA, is both easier to compromise and harder to restore.
- Maintain a holistic view of cyber-risk: Essential business stakeholders must understand the cyber risks in order to allocate resources effectively and prioritize the necessary actions. Example: Treat a budget cut that defers a security upgrade as a risk decision, recorded and accepted by the business, not merely as an IT line item.
- Practice good information governance: Contemporary threat actors go after specific high-value assets rather than whatever they happen to find; here they searched for sensitive keywords and harvested the HR, finance, and personal drives. Knowing what sensitive data you hold, where it lives, and who can reach it, and deleting copies that no longer need to exist, shrinks what an intruder can take. Regular simulation exercises show whether those controls hold in practice. Example: Periodically search your own shares and personal drives for the same sensitive terms an attacker would use, and move or remove what should not be there.
- Adopt a defense-in-depth approach: Layered security limits the damage even after an attacker gets inside. Example: MFA on the Terminal Services server would have denied an attacker holding only a stolen or guessed password, and monitoring of privileged remote logons would have offered a second chance to catch the intrusion if that first layer failed.
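The keyword sweep the attackers ran across network drives for terms such as "passport" and "confidential" (see What Did Hackers Steal?) is the same search a data owner can run first, which is the practical core of the information-governance lesson above. The script below is an added example, not code from the British Library; it builds a small constructed share layout in a temporary directory, searches file names and readable contents for a keyword list, and summarises the hits per share so you can see where sensitive data concentrates. The folder names, file contents, keyword list and size cap are assumptions for illustration.

```python
"""Find the files on your shares that an attacker's keyword sweep would find first.

Added example, not code from the British Library or its report. It runs the
defender's side of the attackers' technique: search file names and text
contents for sensitive terms, then summarise where the hits live. The share
layout below is constructed in a temporary directory for illustration.
"""
from collections import Counter
from pathlib import Path
import tempfile

# Terms the attackers searched for, plus two more a UK HR/finance share would hold
DEFAULT_KEYWORDS = ("passport", "confidential", "national insurance", "payroll")

# Constructed sample: relative path -> file content. Top-level folder = share.
SAMPLE_TREE = {
    "finance/budget_2023.txt": b"Quarterly figures and forecast, see attached workbook.\n",
    "finance/payroll_march.csv": (b"employee_id,name,national insurance number,net_pay\n"
                                  b"1042,J Doe,QQ123456C,2310.40\n"),
    "finance/supplier_contracts_CONFIDENTIAL.docx": b"PK\x03\x04\x00\x00binary zip container\x00",
    "hr/policies/holiday_policy.txt": b"All staff accrue 25 days of annual leave.\n",
    "hr/new_starters/scan_passport_jdoe.pdf": b"%PDF-1.4\x00\x01\x02 scanned image stream \x00",
    "home/asmith/notes.txt": b"Copy of my passport and visa attached to the email to HR.\n",
    "home/asmith/todo.txt": b"Renew reader pass. Book room for Thursday.\n",
    # Over the size cap: content is not read, so only the name could match
    "it/backups/crm.bak": b"passport " * 150_000,
}


def build_sample_tree(root):
    """Write the constructed files under root."""
    for rel, data in SAMPLE_TREE.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def looks_textual(data):
    """Crude text/binary split: a NUL byte in the first 8 KiB means binary."""
    return b"\x00" not in data[:8192]


def find_sensitive_files(root, keywords=DEFAULT_KEYWORDS, max_bytes=1_000_000):
    """Return one record per file whose name or readable content holds a keyword.

    Content is inspected only for files up to max_bytes that look textual.
    Large or binary files (database dumps, scans, office documents) match on
    name alone, which is the blind spot a real inventory needs a
    content-aware tool to close."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        name_hits = {k for k in keywords if k in path.name.lower()}
        content_hits = set()
        if path.stat().st_size <= max_bytes:
            data = path.read_bytes()
            if looks_textual(data):
                text = data.decode("utf-8", errors="ignore").lower()
                content_hits = {k for k in keywords if k in text}
        if name_hits or content_hits:
            rel = path.relative_to(root)
            findings.append({
                "path": rel.as_posix(),
                "share": rel.parts[0],
                "name_hits": sorted(name_hits),
                "content_hits": sorted(content_hits),
            })
    return sorted(findings, key=lambda f: f["path"])


def summarize_by_share(findings):
    """Count flagged files per share to see where sensitive data concentrates."""
    return Counter(f["share"] for f in findings)


def scan_sample_tree():
    """Build the constructed share layout in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_sensitive_files(tmp)


if __name__ == "__main__":
    hits = scan_sample_tree()
    for h in hits:
        print(f'{h["path"]}: name={h["name_hits"]} content={h["content_hits"]}')
    print(dict(summarize_by_share(hits)))
```

On the sample, four files are flagged: the payroll export (name and content), the contracts document and the passport scan (name only, since both are binary), and a note in a personal drive that mentions a passport (content only). The finance share accounts for two of the four, and the large database backup is not flagged at all, which is exactly the kind of file the attackers took with native backup utilities rather than by keyword search; an inventory that stops at file names and small text files would miss it.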
The British Library attack is a wake-up call for all knowledge institutions, libraries, and government-funded organizations. With similar risks in terms of legacy infrastructure and limited resources, it is crucial to adopt best practices to repel sophisticated and destructive cyberattacks.