The British Library has confirmed that user data was exfiltrated and leaked by the ransomware cartel behind the October cyber attack on its systems, which remain offline weeks later, leaving the library able to operate only a minimal barebones service.
The institution confirmed last week that it had fallen victim to a ransomware attack by the emerging Rhysida operation – most likely an affiliate – after the cyber criminals posted evidence they had stolen internal documents, mostly human resources (HR) files, and begun a seven-day auction which ended on Monday 27 November.
After the expiry of this deadline, the British Library stated via Twitter/X that it now appears the extent of the data breach arising from the attack was worse than thought.
“Following last week’s confirmation that this was a ransomware attack, we now have evidence that indicates the attackers might have copied some user data, and additional data appears to have been published on the dark web,” a spokesperson said.
“We will continue to work with cyber security specialists to examine what this material is and we will be contacting our users to advise them of the practical steps they may need to take.”
British Library chief executive Roly Keating said: “We appreciate this is an unsettling time for our users and partners and are immensely grateful for their patience and support as we work around the clock to understand the impact of this criminal attack.
“It is too soon to offer an exact timetable but we will provide regular updates and precautionary guidance to our users as we work to identify what we need to do to restore the Library’s online systems in a safe and sustainable manner.”
The British Library has been riding a wave of goodwill from its users despite the problems they have faced in accessing services over the past month, but will now face additional challenges and the possibility of legal or regulatory consequences.
It has already informed the Information Commissioner’s Office (ICO) per its legal obligations, and is working extensively with London’s Metropolitan Police and teams from the National Cyber Security Centre.
Jake Moore, global cyber security advisor at ESET, commented: “The scale of the attack on the British Library highlights the importance of continuous improvement in cyber security practices to effectively combat such sophisticated attacks. The length of time this has been affecting the organisation and its users also underlines how companies struggle in the aftermath of an attack.
“The use of unique passwords is also impacted and noticeable when the British Library is left reminding people to change their passwords for other sites which could also be affected.”
Moore added: “Now the stolen data is on the dark web it will be impossible to remove it so the clean-up process involves working with the authorities as well as informing those affected on the best practices going forward. The small positive that can come from this attack is that there is now the hope that other organisations will fear this could just as easily happen to them and will therefore improve their protection where possible.”
Rhysida: an indiscriminate threat
Rhysida, which emerged earlier in 2023 and takes its branding from a genus of centipedes native to India, Southeast Asia and Australasia, is a ransomware-as-a-service (RaaS) operation that takes a somewhat indiscriminate approach to its work.
According to the US Cybersecurity and Infrastructure Security Agency (CISA), the group impacts “targets of opportunity” and has struck in sectors including education, government, healthcare, IT, and manufacturing.
It predominantly exploits external-facing remote services to access and establish a foothold in its targets’ networks, and has been frequently seen authenticating to internal VPN access points using compromised valid credentials, in instances where victims have not paid sufficient regard to credential hygiene.
It has also been seen exploiting CVE-2020-1472, or Zerologon, a privilege escalation flaw in the Microsoft NetLogon remote protocol that was described on disclosure as a “near perfect” vulnerability in its impact.
Like many others, the group is an enthusiastic abuser of living-off-the-land binaries or LoLBins – legitimate executables that enable it to blend into its victims’ environments and avoid detection.
It is possible, according to CISA, that the gang bears some relationship to the Vice Society ransomware operation that gained notoriety for its persistent targeting of schools and colleges.