Real Life Hacking Stories: British Library cyber attack explained 

Greetings readers! 


These are mini stories from real-world incidents of cyber-attacks! 

Through these stories, we will dive deep into how the attack was orchestrated, its implications for the organization, how the organization dealt with the attack, and some learnings.

Our main objective behind these stories is to give businesses an insightful first-hand view of attacks. We hope that these stories help you COME UP WITH YOUR OWN LESSONS and enable you to take proactive steps toward security. 

So, without further ado, here is the real-life hack story! 

When did it all happen? 

  • It was on the 28th of October 2023 that the British Library became aware that it had been affected by a major ransomware attack, which had a significant impact on its online systems storing terabytes of valuable information 
  • Investigations by forensic experts found that the attackers had initial access at least three days before the incident, with the first evidence of an external presence on The Library’s network at 23:29 on 25 October 2023 
  • The IT Security Manager was alerted to the malicious activity at 01:15 on 26 October 2023 by The Library’s monitoring system, which had blocked malicious activity at 00:21 
  • The IT Security Manager performed a vulnerability scan, which returned zero results, and monitored the activity log, which showed no repeat activity. 
  • It was escalated to the IT Infrastructure Team, who found no malicious activity in a detailed analysis of the activity log 
  • Jisc (which provides The Library’s internet access and monitors data movement across networks) identified unusually high data traffic (440 GB) at 01:30 
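The 440 GB burst that Jisc noticed is the kind of signal a per-host outbound-volume baseline can raise automatically. The following Python is an added example, not code from the original post or from the British Library or Jisc: it runs over constructed hourly egress summaries (host names and volumes are invented; only the 440 GB figure echoes the timeline above) and flags any hour in which a host sends far more than its own history.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed hourly summaries of outbound volume per internal host, in GB sent
# to external destinations. Host names and volumes are invented; only the 440 GB
# figure echoes the timeline above. This is NOT real Library or Jisc telemetry.
SAMPLE_HOURLY_EGRESS = [
    ("ts-server-01", f"2023-10-25T{h:02d}:00", gb)
    for h, gb in enumerate([0.4, 0.3, 0.5, 0.4, 0.6, 0.5, 0.4, 0.3, 0.5, 0.4, 0.6, 0.5,
                            0.4, 0.5, 0.3, 0.6, 0.4, 0.5, 0.4, 0.3, 0.5, 0.4, 0.6, 0.5])
] + [
    ("ts-server-01", "2023-10-26T00:00", 0.4),
    ("ts-server-01", "2023-10-26T01:00", 440.0),  # the bulk transfer we want flagged
    # A backup host that legitimately ships tens of GB every hour: its own baseline is high
    *[("backup-01", f"2023-10-25T{h:02d}:00", gb)
      for h, gb in enumerate([28.0, 31.0, 30.0, 29.0, 32.0, 30.0, 27.0, 31.0, 33.0])],
]


def egress_anomalies(records, min_history=6, z_threshold=4.0, min_gb=5.0):
    """Flag hours in which a host sends far more than its own historical baseline.

    records: iterable of (host, iso_hour, gb_out). Baselines are per host, so a
    backup server with a routinely high volume does not trip the alert, while a
    normally quiet terminal server does. Flagged hours are kept out of the
    baseline so one burst does not mask a second one.
    """
    history = defaultdict(list)
    alerts = []
    for host, hour, gb in sorted(records, key=lambda r: (r[0], r[1])):
        past = history[host]
        if len(past) >= min_history:
            mu = mean(past)
            sigma = max(pstdev(past), 0.1)  # floor so a flat baseline still scores finitely
            z = (gb - mu) / sigma
            if z >= z_threshold and gb >= min_gb:
                alerts.append({"host": host, "hour": hour, "gb": gb,
                               "baseline_gb": round(mu, 2), "z": round(z, 1)})
                continue  # do not let the anomaly inflate the baseline
        past.append(gb)
    return alerts


if __name__ == "__main__":
    for a in egress_anomalies(SAMPLE_HOURLY_EGRESS):
        print(f"{a['hour']} {a['host']}: {a['gb']} GB out vs baseline {a['baseline_gb']} GB (z={a['z']})")
```

The thresholds are starting points; in production the same logic would be fed by flow records and tuned per network, with the alert going to whoever is on call rather than to a log nobody reads at 01:30.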

How did the attackers gain entry? 

  • The first detected unauthorized access was at the Terminal Services server, which was installed in 2020 to give access to external trusted partners and internal IT administrators 
  • The Library relies on multiple trusted external partners for software development, consultancy, IT maintenance, and other expertise 
  • Experts have analyzed the evidence and concluded that the most likely source of the attack was a compromise of privileged account credentials through phishing, spear phishing, or a brute-force attack 
  • The risk associated with the management of third-party access was noted in 2022 by the Library’s Corporate Information Governance Group. Tightening of access controls was planned for 2024; the attack took place a year before 
  • The Terminal Services server was protected by a firewall and antivirus software, but there was no Multi-Factor Authentication in place for access 
  • Experts have stated that the lack of MFA contributed to the attackers bypassing the defenses to gain entry. The exact point of entry is still under speculation. 
  • The attackers engaged in copying and compromising data, encrypting data, and destroying infrastructure using Rhysida ransomware. 
  • Rhysida ransomware’s method involves destroying trails using anti-forensic methods, exfiltrating and encrypting data, and destroying servers to prevent recovery. 

What was the impact? 

  • The attack had a significant negative impact on all areas of Library operations, highly affecting its stakeholders, including users, staff, and other key parties 
  • The Library remained open with ongoing exhibitions and events, but operations were severely restricted for the first two months 
  • A major part of the staff found it highly challenging to perform their primary roles, relying heavily on manual processes 
  • It experienced major downtime of key software systems, including the library management system, which cannot be brought back to its original state 
  • Core functions like email, finance, HR, and payroll are cloud-based and remained largely unaffected by the attack, allowing the Library to stay open to the public 
  • The financial impact of the entire attack is still under analysis. 
  • The qualitative impact of the attack on the Library’s purpose was high; some examples include: 
  • Access to all the collections was limited for the staff, with disruption in multiple library functions 
  • All partnership projects and commercial income were highly impacted 
  • Researchers were highly affected by the disruption due to their heavy reliance on The Library 
  • 50% of the total volume of the physical collection is still inaccessible 
  • Website downtime has made raising future funding and marketing a challenge 

How they responded and recovered from it 

  • All major crisis response plans were implemented, with Gold/Silver committees overseeing all incident response operations and providing operational and strategic management 
  • All users, staff, and stakeholders were updated on the incident via social media channels, as per NCSC guidelines 
  • The Rebuild & Renew Programme was formed and governed by the Programme Board with a mission to transform The Library into a more secure and resilient institution, implementing the lessons learned from the cyber attack 
  • The Gold and Silver Committees comprised senior technical staff, independent cybersecurity advisors, members of the senior management, and a Data Protection Officer 
  • These committees received strong support from the cybersecurity wing of DCMS from the start of the incident through to recovery 
  • Operational lessons developed by these committees were implemented in future procedures, policies, and measures 

Learnings / conclusion 

Lack of Multi-Factor Authentication can have a cascading effect on security 

The cyber-attack on The British Library is one of the clearest examples of how the absence of essential measures like Multi-Factor Authentication can have a domino effect on security. It emphasizes the importance of having a dedicated team that periodically assesses the posture for cybersecurity hygiene measures like enabling MFA. 

CIS Benchmarks are industry standards for a reason 

It highlights the critical need for proactive security hardening using CIS Benchmarks and for integrating the globally recognized security measures recommended by NIST, since they are tried and tested defenses against modern attacks. Organizations struggle to set up their own Security Operations Center, mainly due to challenges like high cost and the difficulty of building a team and retaining experts who can implement the measures recommended in globally recognized security frameworks. 

Privileged Access Management Systems (PAMS) are essential to prevent privilege-escalation-based attacks 

One of the vulnerable points exploited by the attackers was taking over the accounts of external service providers and escalating to high-level privileges. 

It proves the necessity of having an effective Privileged Access Management System in place, implemented by an in-house team of experts who periodically work on keeping the cybersecurity posture up to date with evolving threats. 

Periodic checks for vulnerabilities and testing of defenses are a must 

This incident reflects how vulnerabilities, if left undiscovered and unaddressed for long, can escalate into an attack of such proportions. It emphasizes the significance of periodic vulnerability assessment and penetration testing of the cybersecurity posture. 

Quick and effective incident response necessitates proactive Incident Response Planning  

Another big takeaway from the incident is that expert-led Incident Response Planning is a prerequisite for a quick and precise response in fire-fighting situations like this attack. 

A small flame can cause a big fire: awareness gaps can be disastrous 

The attackers exploited gaps in employees’ and external partners’ awareness of the security best practices needed to secure their accounts. This points towards proactively addressing awareness gaps through periodic training. 

Measures of Action 

  • Enhance all the network monitoring capabilities  
  • Fully implement Multi-Factor Authentication 
  • Bridge the gap in the cybersecurity team 
  • Enhance network intrusion response processes 
  • Segment networks to limit damage 
  • Regular practice of business continuity plans to prepare for total outages 
  • Maintain an overview of cyber risks 
  • Regularly invest in the lifecycle of critical systems and eliminate legacy technology 
  • Prioritize legacy technology-specific issues 
  • Bridge awareness gaps in staff regarding cybersecurity risks through training 
  • Prepare a plan to proactively manage the wellbeing of users and staff for post-attack situations 
  • Collaborate with experts to stay informed and implement best practices in security 
  • Adhere to government standards and review compliance regularly 

Why does an organization need 24×7 SOC? 

There are no closing hours for cybercriminals 

SharkStriker’s Security Operations Center offering ensures 24×7 monitoring, responding quickly and precisely to suspicious activities. 

Cybersecurity needs more than just a limited team 

SharkStriker provides a dedicated round-the-clock cyber army of experts, including threat experts, incident responders, DevSecOps engineers, and security analysts, to provide holistic cybersecurity services. 

Uninterrupted productivity needs proactivity 

Through periodic security assessments using real-world techniques, SharkStriker helps businesses boost their cyber resilience, helping them prepare for the worst. 

Adherence to global security frameworks is a starting point for building resilience

Global security frameworks contain effective industry best practices in security that help in building resilience. SharkStriker provides end-to-end expertise in compliance that helps businesses keep up with the latest best practices recommended by globally recognized entities like CIS and NIST. 

Thank you for reading!

We have discovered how attackers gained entry by leveraging the security weaknesses in The Library’s posture and how the Library responded to the attack, along with some important takeaways.  

In Chapter Two, we dive deep into how hackers attacked Ireland’s biggest healthcare system Health Service Executive. We look at the techniques used and the weaknesses leveraged by attackers, along with some essential lessons.  
