
British Library cyber incident review [pdf]

108 points by cnorthwood about 1 year ago

15 comments

aiiotnoodle about 1 year ago
A lot of this sounds like they were under-resourced and the business increasingly adopted new technology with no ongoing support for their IT infrastructure.

> These legacy systems will in many cases need to be migrated to new versions, substantially modified, or even rebuilt from the ground up, either because they are unsupported and therefore cannot be repurchased or restored, or because they simply will not operate on modern servers or with modern security controls.

> There is a clear lesson in ensuring the attack vector is reduced as much as possible by keeping infrastructure and applications current, with increased levels of lifecycle investment in technology infrastructure and security.

> Our reliance on legacy infrastructure is the primary contributor to the length of time that the Library will require to recover from the attack.

A lot of lines like the following also indicate to me IT was increasingly involved in fighting fires and maintaining operational systems ("keeping the lights on") rather than deploying new infrastructure and automation, updating software etc.

> Some of our older applications rely substantially on manual extract (...) which in a modern data management and reporting infrastructure would be encapsulated in secure, automated end-to-end workflows.

Modern business is IT, I know that I am preaching to the choir but this sounds a lot like their IT was seen as a cost.
nonrandomstring about 1 year ago
Good report. Well written incident summary useful for cyber-students to follow and learn.

> The Library utilises numerous trusted partners for software development, IT maintenance, and other forms of consultancy

> increasing complexity of managing their access was flagged as a risk.

> first detected unauthorised access to our network was identified at the Terminal Services server. This terminal server had been installed in February 2020 to facilitate efficient access for trusted external partners

Sadly their response seems to be using *more* cloud infrastructure and outsourcing more.

trusted != trustworthy

The essential lesson - that good IT and security people *within* your company cost money. It is worth paying for vigilance, loyalty and care - has not been heeded.
wara23arish about 1 year ago
I happened to be there while this attack was in progress (October 23). And all their systems were really offline, POS didn't work, wifi didn't work, literally anything connected to a computer didn't work.

What's unfortunate is that they flagged this vulnerability in 2022 and planned to review it in 2024 ???

Does it usually take this long to identify impact of users? They mentioned they paid for identity protection for their staff & ex-staff as well.
physicsguy about 1 year ago
> The increasing use of third-party providers within our network, some of which has been due to capacity and capability constraints within Technology and elsewhere in the Library, was noted by the Library's Corporate Information Governance Group (CIGG) in late 2022, and the increasing complexity of managing their access was flagged as a risk. A review of security provisions relating to the management of third parties was planned for 2024; and the tightening of access provisions that would be enabled by improvements to underlying computer and storage infrastructure and the migration of storage to the cloud, which is currently being implemented. Unfortunately, the attack occurred before these necessary pre-requisites for this work were completed.

Price of everything and value of nothing. Outsource everything, underfund everything from systems renewal to staff salaries.
pheatherlite about 1 year ago
So Tom, Dick and Harry all have Terminal rdp access into the core infrastructure and they slept well knowing that they had - what was it? Ah, yes, - prevented clipboard copying as a hardening measure. That'll stop them pirates in their tracks. Nicely written post mortem. Though I can't help but notice the amount of committees and acronyms. Is it a British thing?
herodotus about 1 year ago
I have to applaud the library for releasing this report. In Canada, the most likely response to cyberattacks is mealy mouthed platitudes like "Please be assured that we take your privacy very seriously and are doing everything possible to recover the data and ensure that something like this does not happen again." and on and on.

So refreshing.
b800h about 1 year ago
"Our major software systems cannot be brought back in their pre-attack form, either because they are no longer supported by the vendor or because they will not function on the new secure infrastructure that is currently being rolled out."

Ouch.
pbhjpbhj about 1 year ago
A few naive questions:

I see a few comments indicating that connecting Microsoft (? not mentioned anywhere in the report??) Terminal Services to the internet was a wholly bad idea.

Aside: is the report using "Terminal Services" generically, or do they mean that the server hasn't been updated since before 2009 (? when it seems Terminal Services became Remote Desktop Services (RDS))?

Is there something inherently insecure about remote desktops, or is MS software here known to be particularly insecure, or ...? RDP is default enabled on MS Windows installs (I always disable it), is that more of a problem than one might imagine?

Do they say anywhere where the access was from (maybe only GCHQ know that). Presumably the firewall would only allow known connections - did they report on analysis of all the remote clients?
jefc1111 about 1 year ago
"The Library utilises numerous trusted partners for software development, IT maintenance, and other forms of consultancy" ... "this terminal server was protected by firewalls and virus software, but access was not subject to Multi-Factor Authentication (MFA)"

¯\_(ツ)_/¯
penguin_booze about 1 year ago
> This paper provides an overview of the cyber-attack on the British Library that took place in October 2023 and examines its implications for the Library's operations, future infrastructure, risk assessment and lessons learned.

For a report from British--and a library, no less--the lack of Oxford comma concerns me.
suyash about 1 year ago
Nice job on publishing this detailed report, I wish after every attack all organizations disclosed in such detail so we can create future defence and countermeasures in an open source way.
gatvol about 1 year ago
Herein lies the kicker:

> In common with other on-premise servers, this terminal server was protected by firewalls and virus software, but access was not subject to Multi-Factor Authentication (MFA).
emmelaich about 1 year ago
I object to the word "utilises" instead of just plain "uses", especially from a library.
toyg about 1 year ago
> *When alerted by the Library following discovery of the attack, Jisc (who provide the Library's internet access and monitor movement of data across their networks) identified that an unusually high volume of data traffic (440GB) had left the Library's estate at 1.30am on 28 October.*

"Jisc is the UK digital, data and technology agency focused on tertiary education, research and innovation."

State-owned quango asleep at the wheel. Unsurprising.
everfrustrated about 1 year ago
This report is a joke.

No root cause. On other forums it is understood they were running very old and unpatched VMware os. Which is simply embarrassing and everybody within their IT team should be fired immediately for gross negligence.

They can't inform people whose data has been compromised because they refuse to pay the ransom and have no other way to tell what was stolen. Farcical.

Their ability to rebuild in a timely manner was hampered by not having any spare servers and presumably because all their server hardware was compromised and couldn't be used for restore.