Second net attack on Sepa’s computer systems
Cyber criminals who hacked a Scottish Government agency tried to sabotage recovery operations with a second attack, according to a report.
Around 1.2GB of data, amounting to at least 4,000 files, was stolen in the ransomware attack on the Scottish Environment Protection Agency (Sepa) on Christmas Eve last year.
An investigation by Police Scotland concluded it likely an international serious organised crime group was responsible for the extortion attempt. The environmental regulator did not respond to the ransom request.
A report by the Scottish Business Resilience Centre (SBRC) found the attack ‘displayed significant stealth and malicious sophistication’.
SBRC noted back-ups were taken in line with best practice in that there were three copies of the data, kept in two separate locations, with one copy stored offline.
The report said: ‘This attack displayed significant stealth and malicious sophistication with a secondary and deliberate attempt to compromise Sepa systems as the team endeavoured to recover and restore back-ups.’
Sepa commissioned independent audits from Police Scotland, SBRC and business advisory group Azets following the attack.
The Azets review found Sepa’s response following the triggering of the ransomware on December 24, 2020 was ‘effective’.
But it also noted emergency management and incident management procedures were not stored offline and offsite. This meant procedures were inaccessible when system access was lost.
Sepa chief executive Terry A’Hearn said: ‘The audits make it clear we were well protected but that no cyber security regime can be 100 per cent secure. A number of learnings have been identified. All have been accepted.’
The SBRC report said Sepa’s cyber maturity assessment was ‘high’ and said sophisticated defence mechanisms were implemented.
Detective Inspector Michael McCullagh, Cybercrime Investigations, Police Scotland, said: ‘Police Scotland has been consistently clear that Sepa was not and is not a poorly protected organisation.’