Sepa: Hackers target Scottish government agency for second time after £21m Christmas ransomware attack

Cybercriminals who attacked the Scottish Environmental Protection Agency (Sepa) tried to sabotage recovery operations with a second attack, according to a new report.

Around 1.2GB of data, or at least 4,000 files, was stolen in the Christmas Eve ransomware attack last year.

An investigation by Police Scotland concluded it was likely that a major international organized crime group was responsible for the extortion attempt.

The environmental regulator did not respond to the ransom demand.

The attack “demonstrated significant stealth and malicious sophistication”, according to a report by the Scottish Business Resilience Center (SBRC).

The SBRC noted that the backups were performed in accordance with best practices in that there were three copies of the data, kept in two separate locations, with one copy stored offline; however, the network design meant that both sites were affected.

The report states, “This attack demonstrated significant stealth and malicious sophistication with a secondary and deliberate attempt to compromise Sepa systems as the team worked to recover and restore backups.”

Sepa commissioned independent audits from Police Scotland, SBRC and business advisory group Azets after the attack.

The Azets review concluded that Sepa’s response to the ransomware outbreak on December 24, 2020 was “effective”.


However, the review also noted that emergency and incident management procedures were not stored offline and offsite.

This meant that procedures became inaccessible when access to the system was lost, and staff had to rely on their knowledge and experience to complete emergency and incident management steps.

Sepa Chief Executive, Terry A’Hearn, said: “Ten months ago, on Christmas Eve, Sepa was the victim of a heinous, internationally orchestrated crime that affected our organization, our staff, our public and private partners and the communities that rely on our services.

“The audits clearly show that we were well protected but that no cybersecurity regime can be 100% secure. A number of learnings have been identified that will help Sepa further improve its cybersecurity. All were accepted.”

He added, “The majority of organizations affected by cyberattacks around the world don’t publicize the attack much, and that’s their right. We know we’ve taken an unusual approach, but we believe it’s the right thing to do.

“We publish reviews wherever possible so that as many organizations as possible can use our experience to better protect themselves from this growing scourge of cybercrime, and we are committed to supporting Police Scotland and the Scottish Business Resilience Center in their work highlighting the support offered to organizations to be cyber-ready, resilient and responsive.”

The SBRC report determined that Sepa’s cyber maturity rating was “high” and said sophisticated defense and detection mechanisms had been implemented and were working properly prior to the incident.


Detective Inspector Michael McCullagh, Cybercrime Investigations, Police Scotland, said: “Police Scotland have always been clear that Sepa was not and is not a poorly protected organisation. The organisation had a strong culture of resilience, governance, incident and emergency management and worked effectively with Police Scotland and others.

“The recent attacks on Sepa, the Irish Health Service and wider public, private and tertiary organizations are a reminder of the growing threat from international cybercrime and that no system can be 100% secure.

“They also serve as a reminder of the growing importance for organizations to be ready, resilient and responsive.”