November 14, 2024

The Prolonged Recovery Process of the British Library After a Cyber-Attack


The British Library, a national treasure and an essential institution for researchers and scholars, was hit by a cyber-attack in October 2023. The attack, carried out by the Russian hacker group Rhysida, paralyzed the IT systems and resulted in the leak of nearly 600 GB of private information on the dark web. The attack caused significant disruption to the library’s services, leaving many users frustrated and unable to access the resources they needed.

The British Library was once a favorite place for writer Christine Ro, who used to argue that it was the best aspect of living in London. However, the library now feels like a throwback to pre-internet times. Many of its digital resources are inaccessible, and users are required to order books in person using paper slips. The problems trace back to the cyber-attack, which caused extensive damage to the library’s IT infrastructure.

The attackers demanded a ransom of 20 bitcoin, equivalent to £600,000 at the time. After the British Library refused to pay up, the hackers leaked the stolen data on the dark web. It wasn’t until January 2024 that the online catalog became usable again, but even this was an incomplete version. The library has prepared users for a lengthy recovery process, noting that it could take several months just to analyze the leaked data. The organization has not specified a timeframe for further recovery, but outside observers believe that it could take a year.

The good news, at least for other organizations, is that the British Library’s recovery is unusually long by comparison; most cyber-attack victims get back on their feet far faster. According to data site Statista, the average amount of downtime following a ransomware attack in the US from 2020 to mid-2022 was 24 days. A UK government survey conducted in 2022-23 found that 88% of businesses and 84% of charities were able to restore their operations within 24 hours of their most devastating cyber breach or attack.

However, protracted recovery is not unheard of. The process of identifying affected IT systems, decrypting servers, uninstalling non-functional applications, blocking connections, and disabling accounts can create bottlenecks. The longer-term recovery depends on the amount of rebuilding or new system construction an organization does following a cyber-attack.

For instance, the Scottish Environment Protection Agency (SEPA), which was hit by a ransomware attack back in December 2020, is still in the process of rebuilding. “SEPA made the decision to build back better from new rather than re-establish legacy systems,” according to a spokesperson for the agency.

There are many variables determining the length of cyber-attack recovery. These include the type and number of systems affected, the quality and quantity of backups, the experience of IT staff, and the sophistication of both the attack and the initial response.

One trend that is becoming increasingly common is the targeting of hypervisors, the software layer that runs many virtual machines on a single physical host. By encrypting the hypervisor itself, ransomware attackers can lock up every system and application hosted on it in one go. This trend is being observed by Mandiant, a cybersecurity firm that is now a subsidiary of Google Cloud.

“The impact is more significant and in some cases can actually impact the underlying infrastructure that the organization would use to be able to get back up and running more quickly,” says Kimberly Goody, the head of cybercrime analysis at Mandiant.

A larger organization could also take longer to recover simply because it has far more systems to restore relative to the staff available to do the work. In the anomalous cases where recovery drags on into months or even years, one potential reason is that the organization’s backups were themselves encrypted and it has not been able to restore them. Obtaining a decryption key, for instance, can be a painfully slow process.

Ensuring that backups are created and tested frequently is one way that organizations can make themselves more resilient to cyber-attacks. Another is to avoid reliance on a single type of prevention. Just one reason that antivirus fails is that there is now a whole underground marketplace where criminals can cheaply test malware samples against different antivirus programmes. If they see that their malware isn’t detected by a particular product, they can target organizations that depend on it.
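The advice above to create and test backups frequently is easy to state and often skipped in practice. As an added illustration (this is not code from the article, the British Library or any of the firms quoted), the following Python script shows what a minimal, automated backup test looks like: it records a SHA-256 manifest when an archive is created, restores the archive into a scratch directory, compares every restored file against the manifest, and checks that the newest backup is recent enough. The directory names, file contents and timestamps are constructed sample data; the function names are this example's own.

```python
"""Backup creation, restore test and freshness check (added example, not from the article)."""
import hashlib
import os
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, archive_path):
    """Tar the source directory and return a manifest {relative path: sha256} recorded at backup time."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(source_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return manifest


def restore_test(archive_path, manifest):
    """Restore into a throwaway directory and verify every file against the manifest.

    Returns a list of human-readable problems; an empty list means the backup restores cleanly.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            for member in tar.getmembers():
                # Refuse entries that would write outside the scratch directory.
                if member.name.startswith("/") or ".." in member.name.split("/"):
                    problems.append(f"unsafe path in archive: {member.name}")
                    continue
                tar.extract(member, scratch)
        for rel, expected in manifest.items():
            restored = os.path.join(scratch, rel)
            if not os.path.exists(restored):
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"hash mismatch after restore: {rel}")
    return problems


def backup_is_fresh(last_backup_time, now, max_age):
    """True when the most recent successful backup is no older than the allowed window."""
    return now - last_backup_time <= max_age


def run_demo():
    """Build constructed sample data, back it up and run the checks.

    Returns (problems for a clean archive, problems for a drifted archive, fresh?, stale?).
    """
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "catalogue")  # constructed sample directory
        os.makedirs(src)
        with open(os.path.join(src, "records.csv"), "w") as f:
            f.write("id,title\n1,Constructed sample record\n")
        with open(os.path.join(src, "index.txt"), "w") as f:
            f.write("constructed index\n")

        archive = os.path.join(work, "catalogue.tar.gz")
        manifest = create_backup(src, archive)
        clean = restore_test(archive, manifest)

        # Simulate a backup whose contents no longer match what was recorded:
        # the source changes, a new archive is taken, but it is checked against the old manifest.
        with open(os.path.join(src, "records.csv"), "a") as f:
            f.write("2,Unexpected change\n")
        drifted_archive = os.path.join(work, "catalogue-drifted.tar.gz")
        create_backup(src, drifted_archive)
        drifted = restore_test(drifted_archive, manifest)

        now = datetime(2024, 11, 14, tzinfo=timezone.utc)  # constructed reference time
        fresh = backup_is_fresh(now - timedelta(hours=20), now, timedelta(hours=24))
        stale = backup_is_fresh(now - timedelta(days=3), now, timedelta(hours=24))
        return clean, drifted, fresh, stale


if __name__ == "__main__":
    for label, result in zip(("clean", "drifted", "fresh", "stale"), run_demo()):
        print(f"{label}: {result}")
```

The point of the restore step is that a backup which merely exists has not been tested; only an archive that has been unpacked and compared against a manifest recorded at creation time counts as verified. In a real deployment the manifest would be stored separately from the archive, and the freshness check would run from a monitoring job rather than a hard-coded timestamp.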

Shoring up defenses would include investing in cybersecurity staff and tools. Ms. Goody also offers some advice to organizations overwhelmed by the array of cybersecurity products on the market. “The only way to know how effective they are for you, and how relevant they’re going to be for you and your team, is to test that in your own environment,” she emphasizes.

Even well-prepared organizations may fall victim to cyber-attacks. In these cases, cyber-risk insurance can help to absorb financial losses. Ms. Goody calls this “a really valuable component of an organization’s broader risk plan given the evolving nature of cyber-attacks.”

Financial losses from disrupted operations can dwarf the initial ransom demand. “The majority of the costs can be on the business interruption side of things, not actually the extortion,” says Simon West, the cyber-advisory lead at Resilience. This is the case for the British Library, whose digital rebuilding will cost millions of pounds, requiring the organization to use its reserves.

Preparation is essential given the inevitability of future cyber-attacks. Ciaran Martin, the former head of the UK’s National Cyber Security Centre, has predicted that a cyber-attack as severe as the one that has debilitated the British Library is likely for every one of the next five years. Mr. West says, “Even though our research shows that the ransom amounts are decreasing, it’s still very lucrative for criminals. It’s now easier than it ever was before” – with cyber-attackers able to outsource phishing attacks and other services to third parties, and with AI presenting them with new opportunities.

“While the going’s good for them, I don’t see it stopping.”

In conclusion, the British Library’s prolonged recovery process following a cyber-attack is a reminder of the significant disruption that these attacks can cause. The lengthy recovery process is due to the extensive damage caused to the library’s IT infrastructure, as well as the need to rebuild and strengthen defenses to prevent future attacks. The British Library’s experience highlights the importance of preparation, testing, and investment in cybersecurity to mitigate the risks of cyber-attacks and minimize the impact on organizations.
