Byte-size Bulletins

Sepa unable to access cyber incident response plan during cyber attack

Written by Rachael Brown | Oct 28, 2021
 
The Scottish Environmental Protection Agency (Sepa) faced a cyber attack by the Conti ransomware group on Christmas Eve 2020, in which more than 4,000 digital files were stolen.

Worst of all, the agency found that during the incident it could not access its cyber incident response plan, because the plan was stored on servers affected by the attack.

The attack orchestrated on Sepa was a denial of service attack, described by the organisation as having "significant stealth and malicious sophistication". DDoS attacks work by flooding a website or online service with internet traffic in an attempt to knock it offline or otherwise make it inaccessible.

The attack disrupted the organisation's online services and resulted in the theft of numerous highly confidential and important files.

For a more detailed explanation of what a denial of service attack is and how it works, we recommend you read our blog on the Microsoft Azure Cloud DDoS attack.

The hackers demanded that Sepa pay a ransom to avoid its files being released online, which the Scottish agency refused to do. The hackers then not only released the files online but also attempted to sabotage Sepa's efforts to recover and restore its backups.

These backups included the agency's cyber incident response plan, which the organisation could not access.

The plan was stored on the servers impacted by the attack, and the organisation had no hard copy.

This created massive problems, as the very plan designed to help Sepa survive an attack of this kind could not be reached at the moment it was truly needed. What this should highlight for other organisations is the importance of always keeping hard copies of critical data, such as your cyber incident response plan, available on site.

Sepa commented in response to the incident that it had been a "victim of a hideous, internationally orchestrated crime" and that the reviews it had commissioned prove that "we were well protected but that no cyber security regime can be 100% secure".

Cybersecurity expert Michael McCullagh, who led one of these reviews, agrees that Sepa "was not and is not a poorly protected organisation."

He went on to say that the organisation has always had "a strong culture of resilience, governance, incident and emergency management and worked effectively with Police Scotland and others."

As a testament to this, Sepa has restored the majority of its key services, building new IT systems to run features such as flood forecasting. This process has been costly, with the organisation spending a shocking £800,000.

Despite this quick response by Sepa, experts are predicting that a complete recovery could take years, indicating the long-term damage an attack like this can cause for a business.

Photo by Bastian Pudill on Unsplash