Royal Mail ransomware attack
- Date: Nov 2022-Feb 2023
- Type of attack: Malware | Ransomware
What began in November 2022 with the detection of Emotet malware on Royal Mail servers turned into a full-on ransomware attack by LockBit in early January 2023. Despite targeting only a single Belfast depot, it brought Royal Mail's international shipments to a halt, which in turn caused massive disruption across the whole organisation. As the systems went down one by one, the LockBit ransomware operator contacted the system admins demanding a ransom payment of $80 million.
To understand this attack we need to clarify a few terms. Emotet is a type of malware most often used as a loader: it downloads the actual payload (the target malware) onto the victim machine. It can also be used on its own to gather information about the system it runs on, enumerate accounts that have been used on the network, or scrape saved browser passwords, to name a few functions. As it is very modular, it can be tweaked to fit the needs of any specific operation. This same malware was observed on Royal Mail servers in Q3/Q4 of 2022, which leads some to believe it could have caused the subsequent ransomware deployment in 2023.
Ransomware as a Service (RaaS) is a business model in which a ransomware “operator” allows less sophisticated “affiliates” to use their ransomware (see our ransomware article). This is how LockBit, who attacked Royal Mail International, operates. After a network has been encrypted, either an “affiliate” or a LockBit “representative” contacts the victim to extort money for a decryption key or program.
Thanks to the leaked chat logs between Royal Mail and the hackers, we got a better glimpse into the whole process. It is unclear who contacted the postal service after the attack took place; however, given their vernacular and negotiation skills, it was most likely a LockBit representative rather than an “affiliate”. The negotiations stretched over a month’s worth of messages, during which the Royal Mail representative managed to buy enough time for the whole system to come back online before any data had been leaked to the public. This was most likely a professional ransomware negotiator in contact with the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA), as the level of strategic thinking that went into stretching out the chat was really impressive.
Although international shipping is restored as of writing this article (01/03/2023), Royal Mail are still battling the fallout of the hack: stolen data is being leaked online and the ransom demand still stands, now at just below $40 million. The data includes HR and payroll documents and mostly pertains to employees of Royal Mail International, but the full scope of the leaks is currently unclear. As the official investigation into this breach will take months and we will most likely never learn all the details of the attack, it is hard to gauge what exactly went wrong, or what could have been done differently.
One major takeaway is to contact the relevant authorities as soon as ransomware is detected on your network, to ensure support in negotiations or at least some strategic advice (the whole process is outlined in our ransomware blog). Additionally, whenever any malware is discovered on your systems, it is important to perform Incident Response (IR) and ensure it is fully purged. Whether you use a third party (like our IR service at Aspire SOC) or do it in-house, it is crucial to establish the how, what, and when of the infection to prevent major complications down the line.
Atlassian employee data breach
- Date: Feb 2023
- Type of attack: Supply chain attack
Atlassian are an Australian tech company providing code versioning and collaboration software to countless businesses. Services like Jira, Bitbucket, and Trello are household names and key components of the software development and project management stack across the IT industry and beyond. Daily operations rely on these services working, and working well. To put this in perspective, Atlassian earned $2.8 billion in revenue for the fiscal year 2022 and had close to a quarter of a million clients as of August 2022 (source).
This puts a big target on their back as a potential link in a supply chain attack: an attack that targets a specific organisation’s trusted vendor or service provider in order to bypass the organisation’s stronger defences and abuse the established trust between their networks. When news hit of their HQ floor plans and internal employee information being leaked online, a lot of their clients were understandably looking for answers and details, as fast as possible.
The group that claimed responsibility for this breach is called SiegedSec. They leaked all of the data for free on Telegram, which might raise some eyebrows until you realise they are a hacktivist group. Hacktivists are threat actors who pursue their goals in the name of a specific cause or affiliation with a larger group; ecoterrorism and religious extremism are some of the more common causes behind hacktivism. SiegedSec initially seemed to be defacing websites at random, with crude, juvenile language and imagery. In June 2022, amid the abortion rights changes in the US, they broke into the networks of two state governments with pro-life positions, Arkansas and Kentucky, and then leaked multiple gigabytes of data from the breached networks, which were claimed to include government officials’ personally identifiable information (PII) (source). Atlassian was their next target, seemingly with no reason behind the attack other than doing it “for fun”.
An initial statement from Atlassian claimed that their software provider, Envoy, had been breached. According to that statement, the software was used internally for coordinating in-office resources (source) and no client data was at risk. It initially looked like Atlassian themselves were the victim of a supply chain attack. This was the main narrative in the media until Envoy came out with a statement advising that, following a full investigation, none of their systems had been breached, and that access was achieved using the genuine credentials of an Atlassian employee. This was later confirmed by Atlassian, who added that they had found the stolen credentials mistakenly saved in a public code repository by the employee in question. They also confirmed that the stolen data contained floor plans of two of their sites, in the US and Australia, and up-to-date employee details, including full names, email addresses, and work departments.
We do not know whether this had any impact on their business, and it is hard to theorise about it until their revenue and customer numbers are published in Q4 2023. We can, however, discuss how this could have been prevented. The posting of credentials to a public repository might have been caught in time if proactive data loss prevention (DLP) searches had been performed. One example of a search engine that can be used for this is grep.app, which lets users run code searches across many public repositories. This is not a perfect solution, however, as there is always some delay between a repository being updated and the change being indexed by one of these search engines.
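As an added illustration (not Aspire SOC's, Atlassian's or grep.app's code) of the kind of check that would have flagged the credentials before they reached a public repository, the script below scans file contents for credential-shaped assignments and long high-entropy strings, and reports whether a corporate identity sits in the same file. The regex patterns, the entropy threshold and the sample file are all constructed for this example.

```python
import math
import re

# Constructed credential shapes; real secret scanners ship far larger rule sets.
PATTERNS = {
    "password_assignment": re.compile(
        r"(?i)(pass(word)?|pwd|secret|token|api[_-]?key)\s*[:=]\s*[\"']([^\"']{6,})[\"']"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
TOKEN_RX = re.compile(r"[A-Za-z0-9+/=_\-]{24,}")  # long opaque blobs worth a second look

# Constructed file content (the token is base64 of "this is a constructed token").
SAMPLE = """\
# deploy helper
USER = "alice@example.com"
PASSWORD = "Summer2023!"
API_TOKEN = "dGhpcyBpcyBhIGNvbnN0cnVjdGVkIHRva2Vu"
print("nothing to see")
"""

def shannon_entropy(s):
    """Bits per character; random-looking secrets score higher than prose."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_text(text, entropy_threshold=4.0):
    """Return (line number, finding kind) for every suspicious line, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            if rx.search(line):
                findings.append((lineno, kind))
        if any(shannon_entropy(tok) > entropy_threshold for tok in TOKEN_RX.findall(line)):
            findings.append((lineno, "high_entropy_string"))
    return findings

def org_identity_exposed(text, org_domain):
    """True when a secret shares a file with a corporate identifier, which is the
    combination a grep.app search for the company's domain would surface."""
    return org_domain in text and bool(scan_text(text))

if __name__ == "__main__":
    for lineno, kind in scan_text(SAMPLE):
        print(f"line {lineno}: {kind}")
    print("org identity exposed:", org_identity_exposed(SAMPLE, "example.com"))
```

Run it as a pre-commit hook over staged files and fail the commit on any finding; the external search engine then becomes a second line rather than the only one.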
Even though genuine credentials were being used, a correctly implemented User and Entity Behaviour Analytics (UEBA) system would have raised an alert. UEBA uses various algorithms and machine learning to establish a baseline of normal behaviour, and then alerts on detected anomalies. A single user rapidly downloading the whole address book, followed by accessing floor plans for offices in different countries, is far from normal. Finally, to avoid looking unprofessional, it is best practice to establish close communication with the vendor suspected of causing the breach and arrive at either a joint statement or one that both parties agree on. Atlassian did this correctly, but only the second time around, which caused some understandable confusion.
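As an added, deliberately simplified illustration of the two anomalies described above (not Atlassian's UEBA or any vendor's product), the script below builds a per-user baseline of daily directory lookups from constructed access events, then flags a day whose count sits far outside that baseline and any user who opens floor plans for more than one country on the same day. The event shape, the three-sigma rule and the minimum history length are assumptions made for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

def build_events():
    """Constructed access events as (user, day, action, detail). Not real data."""
    events = []
    for day in range(1, 8):                       # seven-day baseline
        for user in ("alice", "bob"):
            for _ in range(3 + day % 3):          # 3 to 5 lookups per day
                events.append((user, day, "directory_read", "contact"))
            events.append((user, day, "floor_plan_view", "US"))
    # Day 8: alice pulls the whole directory and opens plans for two countries
    events += [("alice", 8, "directory_read", "contact")] * 400
    events += [("alice", 8, "floor_plan_view", "US"), ("alice", 8, "floor_plan_view", "AU")]
    events += [("bob", 8, "directory_read", "contact")] * 4
    events.append(("bob", 8, "floor_plan_view", "US"))
    return events

def daily_counts(events, action):
    """user -> day -> number of events of the given action."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, day, act, _ in events:
        if act == action:
            counts[user][day] += 1
    return counts

def detect(events, test_day, z=3.0, min_history=3):
    """Return alerts for test_day, using only earlier days as the baseline."""
    alerts = []
    for user, per_day in daily_counts(events, "directory_read").items():
        history = [n for d, n in per_day.items() if d < test_day]
        if len(history) < min_history:
            continue                                  # not enough data to baseline
        mu, sigma = mean(history), pstdev(history)
        today = per_day.get(test_day, 0)
        # floor sigma at 1 so a near-constant baseline does not alert on one extra lookup
        if today > mu + z * max(sigma, 1.0):
            alerts.append((user, "bulk_directory_read", today))
    countries = defaultdict(set)
    for user, day, act, detail in events:
        if act == "floor_plan_view" and day == test_day:
            countries[user].add(detail)
    for user, seen in countries.items():
        if len(seen) > 1:
            alerts.append((user, "multi_country_floor_plans", sorted(seen)))
    return alerts

if __name__ == "__main__":
    for alert in detect(build_events(), test_day=8):
        print(alert)
```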