2 February 2023

The Untold Story of a Crippling Ransomware Attack

MATT BURGESS

IT WAS A Sunday morning in mid-October 2020 when Rob Miller first heard there was a problem. The databases and IT systems at Hackney Council, in East London, were suffering from outages. At the time, the UK was heading into its second deadly wave of the coronavirus pandemic, with millions living under lockdown restrictions and normal life severely disrupted. But for Miller, a strategic director at the public authority, things were about to get much worse. “By lunchtime, it was apparent that it was more than technical stuff,” Miller says.

Two days later, the leaders of Hackney Council—which is one of London’s 32 local authorities and responsible for the lives of more than 250,000 people—revealed it had been hit by a cyberattack. Criminal hackers had deployed ransomware that severely crippled its systems, limiting the council’s ability to look after the people who depend on it. The Pysa ransomware gang later claimed responsibility for the attack and, weeks later, claimed to be publishing data it stole from the council.

Today, more than two years later, Hackney Council is still dealing with the colossal aftermath of the ransomware attack. For around a year, many council services weren’t available. Crucial council systems—including housing benefit payments and social care services—weren’t functioning properly. While its services are now back up and running, parts of the council are still not operating as they were prior to the attack.

A WIRED analysis of dozens of council meetings, minutes, and documents reveals the scale of disruption the ransomware caused to the council and, crucially, the thousands of people it serves. People’s health, housing situations, and finances suffered as a result of the insidious criminal group’s attack. The attack against Hackney stands out not just because of its severity, but also the amount of time it has taken for the organization to recover and help people in need.

Ransom Demands

You can think of local governments as complex machines. They’re made up of thousands of people running hundreds of services that touch almost every part of a person’s life. Most of this work goes unnoticed until something goes wrong. For Hackney, the ransomware attack ground the machine to a halt.

Among the hundreds of services Hackney Council provides are social and children’s care, waste collection, benefits payments to people in need of financial support, and public housing. Many of these services are run using in-house technical systems and services. In many ways, these can be considered critical infrastructure, making the Hackney Council not dissimilar to hospitals or energy providers.

“The attacks against public sector organizations, like local councils, schools, or universities, are quite powerful,” says Jamie MacColl, a cybersecurity and threat researcher at the RUSI think tank who is researching the societal impact of ransomware. “It’s not like the energy grids going down or like a water supply being disrupted … but it’s things that are crucial to the day-to-day existence.”

All the systems hosted on Hackney’s servers were impacted, Miller told councilors at one public meeting assessing the ransomware attack in 2022. Social care, housing benefits, council tax, business rates, and housing services were some of the most impacted. Databases and records weren’t accessible—the council has not paid any ransom demand. “Most of our data and our IT systems that were creating that data were not available, which really had a devastating impact on the services we were able to provide, but the work that we do as well,” Lisa Stidle, the data and insight manager at Hackney Council, said in a talk about the council’s recovery last year.

One person living with disabilities in Hackney, who asked not to be named for privacy reasons, says they applied for social care at the end of June 2021—eight months after the cyberattack first hit—but didn’t end up with a care plan or visits from carers until February 2022. “I could not wash myself. I couldn’t wash my own hair,” they say. “And the reason for that delay, they repeatedly told me, was the hack.” The person recalls that when they first heard back from the council, months after initially getting in touch, the worker they spoke with was relieved they were still alive, as their situation hadn’t been clear and there had been a delay in the case.

Since the ransomware attack, Hackney residents have told independent complaints boards how they suffered. At one point during the aftermath of the cyberattack and the ongoing pandemic, Hackney had a backlog of around 7,000 home repairs. A Housing Ombudsman report from May 2022 said Hackney was responsible for “severe maladministration” leading to “substantial delays” in dealing with “damp, mold, and leaks” at one person’s home. While Hackney had lost its records in the cyberattack, the Ombudsman said the council didn’t make enough efforts to check emails (which were still available) or interview staff about the case. (The attack “impacted on our ability to retrieve our housing management and repairs data, as well as historic records, and sadly impeded our ability to investigate the resident’s complaint,” the council said.)

The council was also criticized because its system for reporting noise complaints wasn’t working. There was a backlog of council tax payments. It was also unable to investigate people’s complaints properly, as records weren’t available. The loss of housing records and people’s correspondence led to “large numbers” of complaints to the council in the first months after the attacks, according to council reports. In one instance, a resident hadn’t been able to use their kitchen for over a year, and work was partially delayed because the cyberattack made the building plans inaccessible. And in July 2022, ITV News reported a family of seven living in Hackney was forced to leave their home because the council wasn’t able to update their housing benefit payments.

Hackney Council and Philip Glanville, the mayor of Hackney, have apologized for the impact the attack has had on residents. In response to the Ombudsman decisions, the council says it accepts the findings and apologizes to “all of those who have been affected as a result of the criminal action that left us unable to help some of the most vulnerable in our borough.”

Miller says the devastating impact of the attack highlights how many “critical services” the council operates and the dangerous nature of ransomware attacks. “All of the things we do matter to someone,” he says. “But some of the things really are very acute.” He says the council prioritized high-risk cases during its recovery from the attack but that the impact has still been wide-ranging. “Over time, the number of residents affected has become fewer. But if you’re a resident who’s affected, that doesn’t matter.”

Ever since the ransomware hit Hackney Council, it has refused to comment on the technical aspects of the incident, citing ongoing investigations from the UK’s National Crime Agency and the data regulator, the Information Commissioner’s Office (ICO), which could potentially fine the organization. The ICO says its investigation is ongoing and hasn’t provided a timeline for completion.

Criminal hackers have frequently attacked local governments and public organizations in recent years. Hospitals and medical carers, city governments, and entire national governments have been attacked by ruthless ransomware gangs. Eleanor Fairford, the deputy director of incident management at the UK’s National Cybersecurity Center, which is part of the intelligence agency GCHQ and helped Hackney, says ransomware is the “most significant” threat to both public services and businesses.

“Incidents can affect every aspect of an organization—from impeding its ability to deliver key operations to hitting finances—and effects are felt in the short- as well as longer-term,” Fairford says, pointing to its guidance on protection from ransomware. The cyberattack has cost Hackney at least £12 million ($14.8 million), with several of its services reporting budget overspend to fix issues.

Lizzie Cookson, the director of incident response at ransomware recovery firm Coveware, says that in the final three months of last year, public sector ransomware victims it saw accounted for 13 percent of victims. “That’s pretty high,” Cookson says, adding that public services are often underfunded and underresourced. Attacks against the sector can cause untold long tail damage to society, with the damage felt by thousands over months and years. Miller says the impact on Hackney shows how “poisonous” ransomware attacks can be. “It’s easy to assume it’s faceless and doesn’t really have a big impact,” he says. “But it has that human impact.”

In addition to the impact on Hackney’s residents, the cyberattack has naturally affected the staff at the organization. Hundreds of staff at Hackney Council have had to work through the disruption, trying to help people despite little or no access to databases and case files. “When there’s an incident like this, it can cause a lot of stress and anxiety and upset for the people who are involved,” says Jessica Barker, the co-CEO of cybersecurity company Cygenta, who has followed the Hackney attack. Barker adds that for people involved in the technical recovery, there can be stress and burnout, and for those involved in helping citizens, it may have added extra time to their jobs.

Hackney’s Children and Families Service—which initially lost its social care management and document management systems—acknowledged the toll the attack had on staff in an annual report. It said “morale in some parts of the service may be lower” because of the pandemic and the ransomware attack. It also said the “legacy of the cyberattack in October 2020 cannot be understated.”

Miller says he is “proud” of the way staff at Hackney have responded but admits it has been hard on those working there. “People come into public service because we want to do things right, you give residents and citizens the services they need, we want to make life better for them,” he says. “To be in a position where people have had to put huge amounts of effort in, and they’ve known that they’re delivering less than they would normally expect to deliver—I think that’s been really tough for people. They care about what it means for our residents.”
The Road Ahead

In many ways, Hackney Council is an outlier. The vast majority of ransomware victims don’t talk about the attacks they’ve faced. They refer to opaque “cyber incidents” and “sophisticated attackers” but refuse to answer questions. Hackney has been more transparent than most.

While Hackney’s recovery has been hard and slow, Miller says steps to modernize its technology and move its services to cloud hosting meant it didn’t shut down entirely. The council’s email systems, messaging platforms, and website were still working. It wasn’t entirely reduced to pen and paper. Council leaders would hold daily “Cyber GOLD” emergency meetings for leaders to roll out business plans. During the recovery, Miller says, there would be emergency meetings for responding to the pandemic and the ransomware attack simultaneously. One year after the attack, the council said its services were all back but not running as normal.

Allan Liska, an analyst for security firm Recorded Future who specializes in ransomware, says the recovery process can take longer than many people would expect. “At least for the first couple of weeks, you generally have staff working around the clock,” Liska says, adding that it can often take local governments six months to get back up and running, though two years isn’t uncommon. After the initial scramble to work out what has happened technically, backups (if they exist) need to be restored and handled carefully. “Recovery has to be measured not to reintroduce ransomware into the network,” Liska says.

Hackney prioritized council services—such as children’s and social care—for recovery, Miller says. And while services were affected, “continuity plans” helped them continue to operate, and schedules meant trash wasn’t piling up in the streets. “It’s not trivial by any measure, but they can get the job done,” Miller explains. Within some services, such as building applications, people were told to resubmit documents.

Staff within the council also hacked their way around not having their regular systems in place. Google Forms and Google Sheets were used as temporary measures to collect information from people. Council staff working in housing repairs have described putting “piles and piles” of repair requests from paper into computer systems. Where temporary systems were used, Miller says it has been important to work out how the newly collected data will fit back into permanent systems when they’re restored.

In some cases, Miller says, the council made its recovery harder by trying not to disrupt the services it provided. The team decided to continue paying its 30,000 benefits claims that were in place at the time of the attack. “It would have been administratively much easier to just stop all benefits payments, get the benefits system back up and running, and then start again,” Miller says. “But that would have been six months when people didn’t receive any benefits.”

Miller says the cyberattack has allowed Hackney to speed up the process of moving more of its services to the cloud, rather than hosting them directly on its own servers. He says the council is trying to remove risk from its systems, saying it got rid of 95 percent of Windows computers, which are more likely to suffer from malware. “We really had to build our data infrastructure from the ground up again,” Stidle, the Hackney data and insight manager, said in a July 2022 talk about rebuilding the council’s services. “We wanted to migrate everything into the cloud and use that crisis as an opportunity.”

As of the start of 2023, the majority of council services are running normally again, Miller says, adding that Hackney’s teams are still sorting some data out and putting it back together. That doesn’t mean there aren’t still issues. The council’s register of risks, as of January 18, ranks the aftermath of the cyberattack as a “red risk” but says its impact is decreasing. Ultimately, Miller says local governments and public sector organizations need to identify where the threats to their organizations are coming from and make sure to prioritize cybersecurity and otherwise cut out possible risks. “It matters to us what the impact is on our residents—and that’s what really kept people going,” he says.

No comments: