One of the biggest libraries in the world and the National Library of the United Kingdom, the British Library, has confirmed that internal data was stolen as a result of a ransomware attack.
The British Library initially announced in late October that it was going through an unidentified cybersecurity incident that resulted in a “major technology outage” throughout its locations in Yorkshire and London. This outage affected the library’s phone lines, website, and on-site services, including visitor Wi-Fi and electronic payments.
The British Library outage is still in effect after two weeks. The organization has since acknowledged that a ransomware attack carried out “by a group known for such criminal activity” is what caused the disruption. Some internal data that “appears to be from our internal HR files” has been leaked online, according to the British Library.
A cyber-attack is still causing a significant disruption to our technology, impacting not only our website but also our online systems and services, as well as certain onsite services. Many services should be restored in the coming weeks, though some disruption might take longer, he tweeted.
The British Library was mentioned on the Rhysida ransomware group’s dark web leak site just hours prior to this confirmation. TechCrunch was able to access the listing, which exposed the cyberattack’s purported author and threatened to release data taken from the British Library in exchange for a ransom demand. At the time this article was written, the gang was demanding Bitcoin valued at over $740,000.
Work documents and passport scans appear to be among the data shared by the Rhysida ransomware gang, though the group has not disclosed the quantity or kind of information it has taken from the British Library.
The group uses external-facing remote services, like VPNs, to compromise organizations in the government, education, and IT sectors, according to a joint CISA and FBI advisory released last week about Rhysida. The advisory also stated that there are similarities between the ransomware gang known as Vice Society and Rhysida, which was first discovered in May. The Vice Society hacking group is notorious for using ransomware to extort victims that are in the medical and educational fields.
Researchers Colin Cowie and Morgan Demboski of Sophos stated in a recent analysis of Rhysida, “Notably, according to the ransomware group’s data leak site, Vice Society has not posted a victim since July 2023, which is around the time Rhysida began reporting victims on its site.”
Ransomware groups frequently split up, change their names, or produce new malware variations in order to get around legal restrictions or prevent being apprehended by the authorities.
The British Library said it has “no evidence” that any of its customers’ data was compromised in a statement posted on X (formerly Twitter) on Monday. However, as a “precautionary measure,” the library advises users to change their passwords, especially if they use the same passwords for multiple services.
The British Library may not have the technical resources to ascertain whether or not customer data was stolen.
It is still unknown how the British Library was breached, how much employee data was taken, or if it has heard from the hackers or received a ransom demand. Despite the uncertainty surrounding its email service access, the British Library did not reply to TechCrunch’s inquiries. As of this writing, the library’s website is still unavailable.
It might take weeks, or possibly longer, for the British Library to recover from the ransomware attack, according to their most recent statement. Although some disruption may last longer, the statement stated that “we anticipate restoring many services in the next few weeks.”
“We’re continuing to investigate the attack with the assistance of the Metropolitan Police, the National Cyber Security Centre, and cybersecurity specialists. In the interim, they have taken targeted protective measures to ensure the integrity of our systems.”
Authorities are roused by Rhysida
In an effort to raise awareness of the ransomware strain that has been opportunistically targeting organizations since May 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) published an advisory on November 15.
Using outdated vulnerabilities like ZeroLogon to obtain access to victims, Rhysida primarily targets the education, healthcare, manufacturing, information technology, and government sectors. She then uses phishing and stolen credentials to authenticate to VPNs belonging to companies that do not use multi-factor authentication by default.
Due to similarities in the strategies and techniques used in Rhysida-linked attacks, some security researchers have connected the group’s activities to Vice Society.
According to research, Rhysida is considered a ransomware-as-a-service (RaaS) group in and of itself. Vice Society, which is thought to be responsible for significant attacks such as the one on the LA Unified School District, may be utilizing Rhysida’s equipment.
The British Library attack seems to support the double extortion model that it uses, and the group often uses living off-the-land tactics, in which they use pre-loaded admin tools to blend in with normal network traffic.