Ransomware Disrupts Scottish Environment Protection AgencyConti Gang Claims Credit for Christmas Eve Attack and Data Exfiltration
The Scottish Environment Protection Agency says a ransomware attack last month continues to cause serious outages and warns that ransom-demanding attackers also stole some data.
SEPA is the Scottish government's principal environmental regulator, charged with protecting the nation's environment. The nondepartmental public body - meaning it largely operates independently - has a staff of about 1,200.
The agency says it's still responding to the ransomware attack, which continues to disrupt services, as attackers demand the organization pay a ransom in return for a key to unlock their systems as well as a promise to stop leaking stolen information online.
Data stolen by attackers has begun to be leaked online by the Conti ransomware operation, which has claimed credit for the attack.
SEPA says the attack is the "subject of a live criminal investigation," and that "a number of SEPA systems - including email - continue to be inaccessible." But it says many essential functions, including "priority regulatory, monitoring, flood forecasting and warning services are adapting and continuing to operate."
SEPA has created a dedicated web page to describe its response.
"What is now clear is that with infected systems isolated, recovery may take a significant period," says Terry A’Hearn, SEPA's chief executive. "A number of SEPA systems will remain badly affected for some time, with new systems required."
SEPA disclosed the attack on Dec. 24, 2020. The agency says it occurred "at one minute past midnight on Christmas Eve. The agency warned that its internal systems and contact center had been disrupted by the attack. It said it had implemented business continuity plans and was working with the Scottish government, Police Scotland and the U.K. National Cyber Security Center "to respond to what appears to be complex and sophisticated criminality."
"Communication into and across the organization is significantly impacted," David Pirie, executive director of SEPA, said at the time.
Stolen: 1.2GB of Data
In a Thursday update, SEPA detailed the continuing system disruption and said attackers also exfiltrated about 1.2GB of data. "Whilst … this is the equivalent to a small fraction of the contents of an average laptop hard drive, indications suggest that at least 4,000 files may have been accessed and stolen by criminals," SEPA says.
"It's a significant cyberattack and a serious crime has been committed against SEPA," A'Hearn told BBC Scotland News on Friday. "We've lost, for the time being, access to most of our data systems, including things as basic as our email system."
SEPA Chief Executive @TerryAHearn spoke this morning to @BBCScotlandNews @mmgeissler about the ongoing ransomware attack— Scottish Environment Protection Agency (SEPA) (@ScottishEPA) January 15, 2021
Find out more at https://t.co/KBFs7KbyKM
Media statement at https://t.co/pLdeSfjIoP
Hear the full interview at https://t.co/u1UF8101pP pic.twitter.com/mSMFK0nVLN
But A'Hearn said SEPA has still been able to operate Scotland's flood-warning system and issue flood alerts, which it has done in recent weeks. He called issuing such warnings "one of our most important responsibilities."
Scotland's environment secretary, Roseanna Cunningham, says: “While a great deal of work is going on to support recovery of other services that SEPA staff and the public rely on, I want to stress that arrangements are in place to allow the public to continue to report pollution incidents online or via the dedicated pollution hotline. I would urge them to do so in the interests of continuing to safeguard our environment.”
SEPA couldn't immediately be reached for further comment on the attack, including the suspected identity of the attacker, beyond its assertion that a "serious and organized cybercrime group" was involved.
“This remains an ongoing investigation," says Detective Inspector Michael McCullagh of Police Scotland’s Cybercrime Investigations Unit. "Police Scotland are working closely with SEPA and our partners at Scottish government and the wider U.K. law enforcement community to investigate and provide support in response to this incident. Inquiries remain at an early stage and continue to progress, including deployment of specialist cybercrime resources to support this response."
Police have declined to release further details.
Conti Operators Claim Credit
But the attack appears to have been carried out by the ransomware-as-a-service operation called Conti.
That's because data allegedly stolen from SEPA has been posted to a leaks site dedicated to Conti ransomware victims.
Conti's leaks site now includes what the operators say is a partial dump of stolen SEPA data, comprising 7% of what they claim to have obtained. As yet, it's unclear if any of the stolen information might be sensitive.
"They released it to show that they have the data and to prompt the victim to negotiate and pay the ransom," Victoria Kivilevich, a threat intelligence analyst at Israeli cyberthreat intelligence monitoring firm Kela, tells Information Security Media Group. Based on those claims, "we therefore assess with medium confidence that this is indeed an attack by Conti."
Conti ransomware first appeared in May 2020. Since then, the ransomware operation claims to have amassed more than 150 victims and generated several million dollars in illicit profits. Like more than a dozen other ransomware operations, Conti also runs its own leaks site, where last month it listed industrial IoT chipmaker Advantech as one of its victims.
"Whilst we don’t know and may never know the full detail of the 1.2 GB of information stolen, what we know is that early indications suggest that the theft of information related to a number of business areas," says SEPA's A’Hearn. "Some of the information stolen will have been publicly available, whilst some will not have been."***
Editor's note (Jan. 21): Conti's data-leaks site has been updated to list more than 4,000 files for download, saying 100% of what attackers exfiltrated has now been leaked.