New low… Ransomware gang publishes sensitive documents online, after crippling Hackney Council systems in October last year
The criminals behind the cyberattack on Hackney Council in London last year have sunk to a new low and published sensitive documents online.
The East London council had announced in early October it had suffered a ‘serious cyberattack’, and it is still feeling the impact of the intrusion.
The council did not confirm the attack was a ransomware attack, but in late November it did admit that the attack was still causing ‘significant disruption’ to services.
The attack was carried out by the ransomware gang known as Pysa/Mespinoza, and according to Sky News this criminal gang has now published what it claims to be a range of sensitive information held by the authority.
The file names of the documents suggest the stolen files contain very sensitive information, including those with titles such as “passportsdump”, “staffdata” and “PhotoID”, although Sky News has not downloaded the information to verify it.
It is reported the documents were posted on a darknet website, where the gang lists its victims and publishes stolen data for extortion purposes.
The fact that four months have passed since Hackney was attacked, and that this information has reportedly been published online, suggests the council has not paid any ransom, in line with official and professional advice.
“We are angry and disappointed that the organised criminals responsible for October’s cyberattack have chosen to publish data stolen in October,” a spokesperson for Hackney Council was quoted by Sky News as saying.
“We are working with the NCSC, National Crime Agency, Information Commissioner’s Office, the Metropolitan Police and other experts to investigate what has been published and take immediate action where necessary,” the spokesperson added.
“It is utterly deplorable that organised criminals chose last year to deliberately attack Hackney, damaging services and stealing from our borough, our staff, and our residents in this way, and all while we were in the middle of responding to a global pandemic,” said Philip Glanville, Mayor of Hackney, in an update on the situation.
“At this stage, it appears that the vast majority of the sensitive or personal information held by the Council is unaffected, but the Council and its partners are reviewing the data carefully and will support any directly affected people,” he added.
The council said that now, four months on, at the start of a new year and as it is responding to the second wave, the criminals have decided to compound that attack and release stolen data.
“I fully understand and share the concern of residents and staff about any risk to their personal data, and we are working as quickly as possible with our partners to assess the data and take action, including informing people who are affected,” said the mayor.
“While we believe this publication will not directly affect the vast majority of Hackney’s residents and businesses, that can feel like cold comfort, and we are sorry for the worry and upset this will cause them,” he added.
“We are already working closely with the police and other partners to assess any immediate actions we need to take, and will share further information about the additional action we will be taking as soon as we can,” said Glanville.
Security experts have warned that public sector organisations are a prime target for criminal gangs such as these.
“The continued and increasing number of cyber-attacks on public sector organisations such as Hackney Council is a growing cause for concern,” noted Carl Wearn, head of E-Crime at Mimecast. “Especially considering the public sector impacts so many lives and often holds sensitive personal data for millions of people.”
“This makes the public sector a prime target for cybercriminals as attacks such as this can present significant consequences for society,” said Wearn. “The public sector relies on their reputation to gain the trust of the public to operate efficiently to successfully achieve running a town, region, or country with often limited budgets – which have been further squeezed due to the pandemic.”
“Therefore, it’s imperative for public sector organisations to have a watertight security solution to limit the risk of cyber-attacks and simultaneously reassure the public that their data is secure, which in the long run saves organisations money instead of being forced to pay ransom,” said Wearn.
Another expert warned that once an organisation has been breached, there is never a guarantee that data can be safely recovered.
“Whenever an organisation is in the position of dealing with a demand of ransom from a cyber-attack, the time for securing data has passed,” explained Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Center).
“At best there is a hope the attackers will do as they state and not release the data, but there is nothing to say that copies didn’t otherwise exist, and the attackers view the ransom as but one of a number of revenue streams associated with the data,” said Mackey. “While there is value in performing post-incident forensic analysis, the best analysis is performed prior to the incident.”
“Ultimately, the goal of these efforts should be a comprehensive threat model that includes an understanding of what monitoring actions and alarms should be in place to detect attempts to circumvent cybersecurity measures,” said Mackey. “While this effort might not prevent a ransomware attack, it could limit the scope of damage within the organisation and increase the difficulty an attacker might have when attempting to access any data.”
Another security expert has warned that ransomware attackers have spent time perfecting their attacks and are reaping huge financial rewards.
“Ransomware attacks will continue to be a serious threat to the public and private sector in 2021,” said Sam Curry, chief security officer at Cybereason. “Companies shouldn’t lapse into a sense of normalcy by any stretch of the imagination because even though the worldwide number of new ransomware strains continues to shrink, many cyber criminals have perfected their tactics and are reaping the benefits with massive ransoms being paid out.”
“For the Hackney Council and other organisations in the UK, a proactive security approach needs to be the priority in 2021,” said Curry. “What I mean is that security teams and IT professionals responsible for security need to be actively hunting in their own networks for malicious activity.”
“Taking the first punch in the battle with threat hunting that can root out suspicious behaviour is paramount in turning the tables on cybercrime,” said Curry. “In addition, Hackney Council employees and anyone associated with the organisation should never click on attachments in emails unless the source can be verified.”
“Also, never download content from dubious websites,” Curry concluded. “And implement security awareness training to yield meaningful results, when included with other cyber awareness training that becomes part of a company’s security culture.”
This sentiment was echoed by Chris Hauk, consumer privacy champion at Pixel Privacy.
“Unfortunate victims that are affected by the Hackney Council breach will want to stay aware of phishing attempts by the bad guys that downloaded the breached data,” said Hauk. “The bad actors will surely send targeted phishing emails and texts in an effort to leverage the data included in the breach to gain more personal information from the victims.”
Unfortunately, local councils remain a favoured target for cybercriminals.
In February last year, IT systems at Redcar and Cleveland Borough Council were crippled for over three weeks, forcing staff to use pen and paper and costing the council at least £10m.
Prior to that in 2016, Lincolnshire County Council also had to use pen and paper after a malware attack.
Cities and local council systems in the United States have also suffered cyberattacks over the years.