The Scottish Environmental Protection Agency (SEPA) has confirmed it is responding to an ongoing ransomware attack launched by a highly organised, international cybercrime group.
The cyber-attack was launched on Christmas Eve and has knocked a number of key systems offline since, causing great disruption for the government agency.
Last week, SEPA revealed that business continuity arrangements had been enacted and that it was working closely with the Scottish Government and law enforcement to resolve the issue.
In a statement yesterday (14th January), SEPA confirmed that around 1.2GB of data has been stolen as a result of the ransomware attack.
Currently, exact details on what data has been stolen are unavailable. However, early indications suggest this could be information related to “a number of business areas”, the agency said.
“Some of the information stolen will have been publicly available, whilst some will not have been,” said Terry A’Hearn, Chief Executive of SEPA.
The organisation was keen to insist that services will continue to operate despite the disruption.
“Priority regulatory, monitoring, flood forecasting and warning services are adapting and continuing to operate.
“Regulatory teams continue to prioritise the most significant environmental events, high hazard sites and sites of community concern,” the agency said.
A’Hearn also revealed SEPA has been working closely with specialists from the National Cyber Security Centre throughout the incident.
“Whilst having moved quickly to isolate our systems, cybersecurity specialists, working with SEPA, Scottish Government, Police Scotland and the National Cyber Security Centre have now confirmed the significance of the ongoing incident,” he said.
“Partners have confirmed that SEPA remains subject to an ongoing ransomware attack likely to be by international serious and organised cyber-crime groups intent on disrupting public services and extorting public funds.”
Some internal systems and external data products remain offline. According to SEPA, the decision was made to protect both the criminal investigation and it’s computer systems.
Although infected systems have been isolated, the agency warned that recovery “may take a significant period” and that a number of systems will remain “badly affected for some time”.
It is believed that new computer systems will be required as a result of the ransomware attack.
- Illegal product platform DarkMarket shut down by police
- Signal | How to use the popular secure messaging app
- Covid-19 has accelerated the use of digital technology by councils
SEPA said: “Email systems remain impacted and offline.
“Information submitted to SEPA by email since Christmas Eve is not currently accessible and whilst online pollution and enquiry reporting has now been restored, information submitted in the early stages of the attack is currently not accessible.”
Detective Inspector Michael McCullagh of Police Scotland’s Cybercrime Investigations Unit said: “This remains an ongoing investigation. Police Scotland are working closely with SEPA and our partners at the Scottish Government and the wider UK law enforcement community to investigate and provide support in response to this incident.
“Enquiries remain at an early stage and continue to progress including the deployment of specialist cybercrime resources to support this response.”
In recent years, ransomware has become one of the most popular attack methods for cybercriminals and state-sponsored hackers. The infamous WannaCry and NotPetya attacks, which occured in quick succession in 2017, sparked a surge in ransomware attacks globally.
Throughout 2020, global cybersecurity threats also evolved amid the disruption of the coronavirus pandemic, with highly sophisticated, state-sponsored groups targeting public services, vaccine research and local authorities across the UK.
Jude McCorry, CEO at the Scottish Business Resilience Centre, said the current threat landscape is a cause for serious concern looking ahead in 2021.
“Ransomware is one of the fastest growing threats in cybersecurity, with global damages predicted to reach billions by mid-2021,” she said.
“Conventional ransomware attacks work by denying an organisation access to its own data until it pays a ransom. In 2020, however, we saw attacks grow in sophistication, which will continue this year and prey on organisations because of the rise in homeworking in response to the pandemic.”
Recent high-profile incidents have also escalated in severity, McCorry warned. The cybercriminals behind the Maze ransomware attacks, for example, copied stolen data and threatened to release it publicly. Others, such as REvil, threatened to delete seized data.
“We are seeing the actors/criminals ramping up demands – in some cases, seeking payment of one sum in five days, but then demanding more every few days following that,” McCorry explained. “Some groups charge an organisation to unlock access to its data, but also go on to sell data they have harvested, giving them a continued revenue stream.”
McCorry advised any business that believes it has been a victim of cybercrime to contact the relevant authorities, as well as the SBRC’s cyber incident helpline.
The helpline helps organisations confirm they have been the victim of an attack and, if so, provides expert guidance to get them back to secure operation.