British Library cyberattack explained

In October 2023 Rhysida, a hacker group, attacked the online information systems of the British Library. They demanded a ransom of 20 bitcoin, at the time around, to restore services and return the stolen data. When the British Library did not acquiesce to the attempt, Rhysida publicly released approximately 600GB of leaked material online. It has been described as "one of the worst cyber incidents in British history".[1]

The main catalogue returned online on 15 January 2024 in a read-only format, though some of the library's services are expected to remain unavailable for months. The British Library will use about 40 percent of its financial reserves, around £6–7 million, to recover from the attack.

Background

The British Library is a non-departmental public body which in 2023 held around 14 million books, as well as millions of other items.[2][3] It is the largest library in the United Kingdom.[4] The Library was protected by firewalls that included both hardware and software components; the software firewall was a Sophos XG Firewall, which provided comprehensive network protection and threat management. It was also protected by antivirus software from Sophos, but was not using multi-factor authentication (MFA). In February 2020 it had installed a new Terminal Services server to give third-party providers and internal IT administrators remote access during the COVID-19 pandemic; this was the server on which unauthorised access was first detected during the attack. In 2020, the lack of MFA on the server was raised as a risk; a Library report later stated that "the possible consequences were perhaps under-appraised".[5]

Rhysida is a hacker group and "ransomware as a service" provider already known for its attacks on vital infrastructure such as schools, hospitals and government agencies, having become known to intelligence services in May 2023.[6] It had previously attacked the Chilean Army, a medical research lab in Australia, and health-care company Prospect Medical Holdings.

The British Library attack was part of a larger pattern of cyberattacks against cultural institutions at this time. These attacks had previously affected the Metropolitan Opera in New York City and the Natural History Museum in Berlin.[7]

Timeline of events

2023

2024

Attack methods

The Library stated that the attackers probably used a phishing, spear-phishing or brute-force attack, facilitated by a compromise of third-party credentials and by the Library's lack of multi-factor authentication. After gaining access, Rhysida used three methods to identify and copy the 600GB of documents during the attack, including personal details of Library users and staff. These were:

  1. A targeted attack that copied full sections of network drives of the Library's Finance, Technology and People teams, which made up 60% of all content copied.
  2. A keyword attack which scanned for files and folders that used sensitive keywords in their names, including 'passport' or 'confidential', which constituted 40% of the copied data and included files from corporate networks and personal drives used by staff.
  3. A hijacking of native utilities, which were then used to forcibly create backup copies of 22 databases of data including contact details of external users and customers.

Furthermore, Rhysida and its affiliates destroyed servers to inhibit system recovery and forensic analysis.
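
The brute-force route into a remote-access server without MFA, described above, is something defenders can watch for in logon records. The following is an added example, not taken from the Library's incident review: it flags a successful remote desktop logon that follows a burst of failures from the same source address. Windows Security event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive) are real; the tuple layout, account names, addresses and thresholds are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS, REMOTE_INTERACTIVE = 4625, 4624, 10

# Constructed sample records: (time, event ID, logon type, account, source address).
SAMPLE_EVENTS = (
    # Six failures in six minutes, then a success: the pattern to flag.
    [(f"2024-05-01T02:1{m}:00", FAILED, 10, "vendor_svc", "203.0.113.7") for m in range(6)]
    + [("2024-05-01T02:16:00", SUCCESS, 10, "vendor_svc", "203.0.113.7"),
       # One mistyped password followed by a normal logon: benign.
       ("2024-05-01T09:00:00", FAILED, 10, "j.smith", "198.51.100.20"),
       ("2024-05-01T09:01:00", SUCCESS, 10, "j.smith", "198.51.100.20")]
    # Failures that aged out of the window long before the success: benign.
    + [(f"2024-05-01T01:0{m}:00", FAILED, 10, "admin", "192.0.2.5") for m in range(5)]
    + [("2024-05-01T03:00:00", SUCCESS, 10, "admin", "192.0.2.5")]
)

def flag_guessed_logons(events, max_failures=5, window=timedelta(minutes=10)):
    """Return successful remote desktop logons that were preceded by at least
    max_failures failed logons from the same source inside the time window."""
    failures = defaultdict(deque)  # source address -> times of recent failures
    alerts = []
    for ts, event_id, logon_type, account, source in sorted(events):
        if logon_type != REMOTE_INTERACTIVE:
            continue  # only remote desktop sessions are of interest here
        when = datetime.fromisoformat(ts)
        recent = failures[source]
        while recent and when - recent[0] > window:
            recent.popleft()  # forget failures older than the window
        if event_id == FAILED:
            recent.append(when)
        elif event_id == SUCCESS:
            if len(recent) >= max_failures:
                alerts.append({"time": ts, "account": account,
                               "source": source, "failures": len(recent)})
            recent.clear()  # a success resets the count for this source
    return alerts

if __name__ == "__main__":
    for alert in flag_guessed_logons(SAMPLE_EVENTS):
        print(alert)
```

A logon with compromised third-party credentials that succeeds on the first attempt produces no failures and passes this check, which is why MFA on the remote-access server is the control the incident points to.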

Impact

While the process of calculating the full financial impact of the attack is ongoing, there were a number of impacts to the functioning of the library following the attack. These include:

Notes and References

  1. Ash, Lamorna (2024-02-06). "Thanks to a shadowy hacker group, the British Library is still on its knees. Is there any way to stop them?". Retrieved 2024-02-22. en-GB. ISSN 0261-3077.
  2. Sherwood, Harriet (22 November 2023). "Personal data stolen in British Library cyber-attack appears for sale online". Retrieved 15 January 2024. en-GB. ISSN 0261-3077. Archived 9 December 2023: https://web.archive.org/web/20231209004316/https://www.theguardian.com/technology/2023/nov/22/personal-data-stolen-in-british-library-cyber-attack-appears-for-sale-online
  3. Uddin, Rafe; Stacey, Stephanie (21 November 2023). "Cyber attack on British Library raises concerns over lack of UK resilience". Retrieved 15 January 2024. Archived 30 December 2023: https://web.archive.org/web/20231230183853/https://www.ft.com/content/642ee014-4768-4c65-b1ee-0d4f39a8a63d
  4. Rufo, Yasmin (21 November 2023). "British Library: Employee data leaked in cyber attack". Retrieved 16 January 2024. en-GB. Archived 16 January 2024: https://web.archive.org/web/20240116115449/https://www.bbc.com/news/entertainment-arts-67484639
  5. Coker, James (2024-03-11). "Third-Party Breach and Missing MFA Led to British Library Attack". Retrieved 2024-03-12. en-gb.
  6. Knight, Sam (19 December 2023). "The Disturbing Impact of the Cyberattack at the British Library". Retrieved 16 January 2024. en-US. ISSN 0028-792X. Archived 20 December 2023: https://web.archive.org/web/20231220114107/https://www.newyorker.com/news/letter-from-the-uk/the-disturbing-impact-of-the-cyberattack-at-the-british-library
  7. Harris, Gareth (22 December 2023). "As British Library faces fallout of cyber attack—what can arts bodies do to combat ransomware threats?". Retrieved 15 January 2024. Archived 14 January 2024: https://web.archive.org/web/20240114170007/https://www.theartnewspaper.com/2023/12/22/as-british-library-faces-fallout-of-cyber-attackwhat-can-arts-bodies-do-to-fight-off-wave-of-ransomware-threats
  8. Sherwood, Harriet (15 January 2024). "'A 22-carat disaster': what next for British Library staff and users after data theft?". Retrieved 15 January 2024. Archived 15 January 2024: https://web.archive.org/web/20240115210514/https://www.theguardian.com/books/2024/jan/15/british-library-cyber-attack-staff-users-analysis
  9. Scroxton, Alex (15 January 2024). "British Library cyber attack explained: What you need to know". Retrieved 16 January 2024. en. Archived 16 January 2024: https://web.archive.org/web/20240116013818/https://www.computerweekly.com/feature/British-Library-cyber-attack-explained-What-you-need-to-know
  10. Banfield-Nwachi, Mabel (31 October 2023). "British Library suffering major technology outage after cyber-attack". Retrieved 15 January 2024. en-GB. ISSN 0261-3077. Archived 8 November 2023: https://web.archive.org/web/20231108142221/https://www.theguardian.com/books/2023/oct/31/british-library-suffering-major-technology-outage-after-cyber-attack
  11. Adams, Geraldine Kendall (20 December 2023). "Museums on alert following British Library cyber attack". Retrieved 23 December 2023. en-US. Archived 23 December 2023: https://web.archive.org/web/20231223000618/https://www.museumsassociation.org/museums-journal/news/2023/12/museums-on-alert-following-british-library-cyber-attack/
  12. Uddin, Rafe; Thomas, Daniel (5 January 2024). "British Library to burn through reserves to recover from cyber attack". Retrieved 16 January 2024. Archived 16 January 2024: https://web.archive.org/web/20240116115449/https://www.ft.com/content/4be5d468-0cc3-4881-a5fb-b5d0163de93e
  13. Gross, Jenny (15 January 2024). "Months After Cyberattack, British Library Crawls Back Online". Retrieved 16 January 2024. en-US. ISSN 0362-4331. Archived 16 January 2024: https://web.archive.org/web/20240116115449/https://www.nytimes.com/2024/01/15/arts/british-library-cyberattack.html
  14. Sherwood, Harriet (15 January 2024). "British Library begins restoring digital services after cyber-attack". Retrieved 16 January 2024. en-GB. ISSN 0261-3077. Archived 16 January 2024: https://web.archive.org/web/20240116115450/https://www.theguardian.com/books/2024/jan/15/british-library-begins-restoring-digital-services-after-cyber-attack
  15. Nanji, Noor (15 January 2024). "British Library starts restoring services online after hack". Retrieved 15 January 2024. en-GB. Archived 15 January 2024: https://web.archive.org/web/20240115194015/https://www.bbc.com/news/entertainment-arts-67976183
  16. Simpson, Craig (15 January 2024). "British Library restoring online services after cyber attack". Retrieved 16 January 2024. en-GB. ISSN 0307-1235. Archived 16 January 2024: https://web.archive.org/web/20240116115449/https://www.telegraph.co.uk/news/2024/01/15/british-library-rhysida-hack-restores-online-services/
  17. Keating, Roly. "Learning lessons from the cyber-attack". Knowledge Matters blog. British Library. 8 March 2024. Retrieved 8 March 2024.
  18. "Learning from the cyber-attack: British Library cyber incident review". British Library. 8 March 2024. 18. PDF. Retrieved 8 March 2024.
  19. "Restoring our services – 30 July 2024 update". blogs.bl.uk.
  20. Barnett, David (6 January 2024). "Richard Osman among authors missing royalties amid ongoing cyber-attack on British Library". Retrieved 16 January 2024. en-GB. ISSN 0029-7712. Archived 16 January 2024: https://web.archive.org/web/20240116115449/https://www.theguardian.com/books/2024/jan/06/authors-missing-borrowing-royalties-british-library-cyber-attack
  21. "Sorry we can't find that page". 2024-02-29. British Library (bl.uk).