Earlier this week the London borough council of Hackney was revealed to have suffered an attack which knocked out some of its IT systems and prevented residents from making online payments.
The Mayor of Hackney described the incident as a “serious cyber attack.”
The assumption amongst many in the IT security community is that the council’s servers have suffered a ransomware attack – something which is sadly far from unusual.
For instance, earlier this year, Redcar and Cleveland Borough Council was hit by a ransomware attack which left approximately 135,000 people without access to online public services. That attack is said to have ended up costing £10.4 million.
Hackney Council, however, notably chose not to elaborate on the nature of the attack it is suffering from, let alone confirm whether it is related to ransomware.
All the council continues to do is describe it as a “serious cyber attack”, as their services remain disrupted by “technical problems.”
In a new “update” posted on the Hackney Council website, all that is confirmed is what was pretty much known already:
Council staff continue to work with the National Cyber Security Centre, National Crime Agency, external experts and the Ministry of Housing, Communities and Local Government to investigate and understand the impact of the cyberattack on our servers.
Our investigation remains at an early stage, and there is limited further information available at this point.
We have reported this incident to the Information Commissioner’s Office. We understand that residents will be anxious about the risk to their data, and we are working closely with the ICO, police agencies and other experts. We are committed to sharing further information about this as soon as we can, including what, if any, actions residents may need to take.
We know that residents may be concerned and will have questions. We are learning more about the attack but are choosing not to share any more information at this stage in order to make sure we do not inadvertently assist the attackers. We want to share as much information with residents as possible, and as soon as we are able to safely do so we will.
The attack is continuing to have a significant impact on council services and we ask residents to not contact us unless absolutely necessary.
There’s no confirmation in that statement that malware was involved in the attack, let alone ransomware. But it’s also not denied, despite the widespread speculation.
If I was heading up an organisation that had suffered a cyber attack and I had been hit by ransomware, I can see a scenario whereby I may not want the attack to become public knowledge. If, for instance, the extortionists had made threats that they would cause even bigger problems if I went to the authorities to investigate.
But the Hackney Council security incident is already very public knowledge, because of its payment systems being down and the initial acknowledgement of a “serious cyber attack.”
We just don’t know if it’s ransomware or not.
And if it is ransomware, is it one of the more unpleasant strains of ransomware attack where malicious hackers don’t just lock up your files and demand a ransom, but have also exfiltrated data from the network and are threatening to release it to the wider world if a sizeable ransom is not paid.
Another possibility might be that Hackney Council knows that, aside from its systems being disrupted by malware, some of the sensitive data it stores has been accessed – but they simply don’t know if the hackers quite understand the nature of what they have grabbed, or have worked out how to crack any encryption in place.
If that’s the case there might be a desire to hold off revealing much more about the breach, just in case it encourages a hacker to take a closer look at what they have grabbed.
Or maybe, just maybe, the authorities think that they have a solid lead as to who might be responsible – and have asked Hackney Council to share as little information as possible while they pursue those lines of investgigation.
The decision to not share any more information in this so-called “update” is both fascinating and frustrating. I do hope we find out more in due course.
And lets be sure to remember that the real villains of this story are not the IT folks in Hackney who presumably are working flat-out to bring services back online, but instead those criminal scumbags who launched the attack in the first place.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
If only Fatima had been in the council's cyber security team Graham!