How cyber criminals crippled the British Library – and are now selling users' personal details
When a shadowy cybercrime gang attacked the British Library last month, the institution was plunged back into the dark ages. Suddenly, it found itself locked out of its website and digital catalogue.
Readers could no longer order what they needed from its 150 million-strong collection of items, and those visiting the main building, beside London’s St Pancras Station, had no WiFi.
The cybercrime group, known for its ransomware attacks, had prevented the British Library from accessing its IT system by encrypting files and was demanding money in return for a unique decryption key.
Today, events took a darker turn, when those behind the ransomware variant, known as Rhysida, said they had begun an online auction for what they called “unique and impressive data” taken when they hacked into the system – and were starting bids at 20 Bitcoin, or almost £600,000.
“Open your wallets and be ready to buy exclusive data,” it said on its website.
The library issued a statement saying that, while there was no evidence users’ data had been compromised, if “you have a British Library login and your password is used elsewhere, we recommend changing it as a precautionary measure”.
Rhysida has been linked to cyberattacks against education, healthcare, manufacturing, information technology, and government sectors in the United States. That the hackers are now threatening to sell data suggests the library has not paid their ransom.
Meanwhile, at the library, readers can still request some items via its printed catalogues, by completing paper forms, but this excludes anything stored at the library’s West Yorkshire outpost in Boston Spa (where three-quarters of the collection is kept).
On a visit last week, I met Elizabeth Prochaska, 42, who is using the library to research her forthcoming book on the history of childbirth. Or at least she is trying to. “It’s still possible to get some books but everything has to be done by hand and only certain types of books can be ordered – ones that are here,” she says as she leaves the library’s Terrace Restaurant.
About half the books she needs for her research are located in Yorkshire, and are thus unobtainable.
“The reading rooms are like ghost rooms. The staff look really demoralised,” she says. “But people have been understanding because everyone knows these cyber attacks are a vicious act of vandalism. People have asked for timelines [for when services might be up and running again], but I think they understand it takes time to sort these things out.”
The problems have persisted for almost three weeks now, and the library can only offer vague assurances. It anticipates restoring many services “in the next few weeks”, while warning that some disruption may persist for longer. “It is too soon to offer an exact timetable, but we will provide regular updates as we progress this vital work,” says library chief executive Sir Roly Keating.
A modern malady in an age when almost everything is digitised, and thus potentially vulnerable, ransomware attacks tend to be indiscriminate. The perpetrators – generally cybercriminals based in Russia and its neighbouring countries – simply target whichever systems they can access. They are now estimated to be carrying out hundreds of attacks in Britain each year.
In fact, in some instances, the attackers do not realise the identity of their victim until the whole attack has happened. “The fact it’s the British Library is beside the point from the cyber criminals’ perspective,” says a source working in cyber security.
Their motivation is financial. As the name of the crime suggests, the aim is to hold organisations and businesses to ransom. Their method of attack is ransomware, a type of malware (software designed to disrupt, damage or gain unauthorised access to a computer system) that prevents the victim from accessing their device and the data stored on it, usually by encrypting their files.
The hackers then post a message on the system, outlining their financial demands and promising to provide a unique decryption key upon payment.
Back at the British Library, with no clear end in sight, students, academics, freelance workers and straightforward readers are growing frustrated. Zoe Tweed, 35, is due to submit her PhD thesis on the playwright Samuel Beckett and performance artists Marina Abramović and Ana Mendieta in mid-December.
“This is just an absolutely crucial time for me in terms of research,” says the Reading University theatre performance postgraduate. If she needs to check something in a book, it’s no longer a simple process.
“Before, I could see if that book was available and order it in the next hour. It’s been really frustrating that I haven’t been able to do that…It’s been really unsettling.”
Despite the limitations on what they can currently do here, almost every available seat in the library’s atrium is, as usual, occupied – mostly by young people staring at laptop computers. But with the Wi-Fi down, they can only get online by tethering their mobile phones.
Meanwhile the reading rooms have fallen “really quiet”, says Peter Moffat, 61, the Bafta-winning television writer behind the legal dramas Silk and Criminal Justice, whom I come across during my visit. “The drop in numbers is profound.”
Time, for those with deadlines to meet, is in short supply. But the damage caused by the attack on a library which contains everything from two of the four surviving copies of the original Magna Carta to original handwritten Beatles lyrics cannot be rapidly resolved. The remedy either requires a lot of time or a lot of money.
The ransom charged for a decryption key varies depending on what the criminals think the victim can afford. And it’s become big business, with the ransom typically in the order of millions of pounds.
Some victims will simply pay out, in the hope of resolving matters as quickly and quietly as possible. Others “rule it out on moral grounds and won’t consider it”, says the cyber security source. There is also a third group who, with their business on the line and despite feeling ill at the prospect, feel they have no choice but to comply with the criminals’ demands.
The Government opposes paying ransoms. Given the British Library’s status as a non-departmental public body sponsored by the Department for Culture, Media and Sport, it is unlikely to hand over the money to the attackers. Instead, it may face weeks of rebuilding its systems.
“The chances of decrypting the encryption [yourself] are zero,” says the source. “You can’t hack it back to normal again so you have to start from zero and rebuild everything. That means you have to have offline backups and go back to where you’ve stored everything. If you’ve taken the right precautions and made offline backups, you can get around it. But it’s a very lengthy and costly process and it often costs more than the cost of the ransom.”
Fighting the crime itself is not straightforward. The perpetrators, operating from overseas office blocks, run their activities like businesses. “They’re pretty professionalised,” says the source. The threat, moreover, continues to evolve, from encryption-only to data theft too, and the threat that this data will be leaked. In the long run, data extortion could become much more profitable than the actual encryption even.
At the end of last month, the 50 member states of the International Counter Ransomware Initiative (including the UK) met in Washington DC and reaffirmed its joint commitment to building collective resilience and cooperating to pursue cybercriminals. But in its annual review this week, the National Cyber Security Centre (NCSC) warned that Britain’s cyber resilience still isn’t where it needs to be.
In August last year, an attack on a firm called Advanced, which provides software for parts of the health service, caused widespread outages across the NHS. Patient referrals, ambulance dispatch, out-of-hours appointment bookings, mental health services and emergency prescriptions were all affected.
Along with the Metropolitan Police, the NCSC is supporting the investigation into the attack on the British Library.
Meanwhile, some regular library users have found a silver lining. An academic working on an article about 19th-century British theatre is eating a sandwich on the second floor, looking down at the stream of visitors in the main lobby.
“The flipside of being unable to access what you need is that you have to think for yourself,” he muses. No longer can he put off the actual execution of his work. “Now,” he shrugs, “I just sit and write.”