The British Library ransomware attack was likely caused by the compromise of third-party credentials coupled with no multifactor authentication (MFA) in place to stop the attackers, despite previous warnings about these risks.
This is according to a British Library report that sheds new light on the October 2023 attack, which shut down digital services and breached the personal data of Library users and staff.
The attack was claimed by the Rhysida ransomware group, who placed exfiltrated data for sale on the dark web after the British Library refused to pay the ransom demand.
The first detected unauthorized access to the Library’s network was at its Terminal Services server. This server was installed in February 2020 to facilitate remote access for third-party providers and internal IT administrators during the COVID-19 pandemic.
Employees of third-party software development, IT maintenance and consultancy firms are therefore given various levels of access to the network, including in many cases privileged administrator access to specific servers or software.
The British Library said in its report, published on March 8, 2024, that the most likely source of the attack was the compromise of privileged third-party account credentials, possibly via a phishing or spear-phishing attack or a brute force attack.
The increasing use of third-party providers within the network was flagged as a risk by the Library’s Corporate Information Governance Group (CIGG) in late 2022, with a review of security provisions relating to the management of their access planned for 2024.
“Unfortunately, the attack occurred before these necessary pre-requisites for this work were completed,” the Library stated.
Lack of MFA Helped Attackers’ Access
While the terminal server was protected by firewalls and antivirus software, access to it was not subject to MFA.
The lack of MFA on the domain was identified and raised as a risk when MFA was introduced to other parts of the Library in 2020, “but the possible consequences were perhaps under-appraised,” the report stated.
It was decided that connectivity to the British Library domain would be out of scope for MFA implementation for reasons of practicality, cost and impact on ongoing Library programs.
“It is considered likely that the absence of MFA contributed to the attackers’ ability to enter the system via this route,” the Library admitted.
The Library’s monitoring software did not automatically isolate the intrusion at its source, but it did prevent further intrusion into other parts of the Library’s technology estate.