The Scottish Environment Protection Agency says a ransomware attack last month on Christmas Eve continues to cause extreme outages and warns that some data was also stolen by ransom-demanding attackers.
SEPA is the principal environmental regulator of the Scottish government, tasked with protecting the environment of the country. The non-departmental public agency – which means that it works entirely independently – has a workforce of approximately 1,200.
The agency says it continues to respond to the ransomware attack, which continues to interrupt services, as the attackers demand a ransom from the agency in exchange for a key to regain access to its systems and a pledge to stop leaking the stolen information online.
The department, however, reassured the public that, in the aftermath of the attack, priority regulatory, surveillance, flood forecasting, and alert services remained operational.
“It’s a significant cyberattack and a serious crime has been committed against SEPA,” A’Hearn told BBC Scotland News on Friday. “We’ve lost, for the time being, access to most of our data systems, including things as basic as our email system.”
Email systems have also been impacted by the Christmas Eve ransomware attack and are still down, with some internal systems and external data products expected to remain offline in the short term.
“[E]mail, staff schedules, several specialist reporting tools, systems and databases remain unavailable with the potential for access to a series of systems and tools to be unavailable for a protracted period,” SEPA said.
In Thursday's update, SEPA confirmed that data stolen by the attackers has begun to be leaked online by the Conti ransomware operation, which has claimed credit for the attack.
“Whilst … this is the equivalent to a small fraction of the contents of an average laptop hard drive, indications suggest that at least 4,000 files may have been accessed and stolen by criminals,” SEPA says.
What the operators say is a partial dump of stolen SEPA data, comprising 7 per cent of what they claim to have taken, has now been posted on Conti's leak site. It is as yet uncertain whether any of the stolen information is sensitive.
“They released it to show that they have the data and to prompt the victim to negotiate and pay the ransom,” Victoria Kivilevich, a threat intelligence analyst at Israeli cyberthreat intelligence monitoring firm Kela, tells Information Security Media Group. Based on those claims, “We, therefore, assess with medium confidence that this is indeed an attack by Conti.”
Conti ransomware first appeared in May 2020. Since then, the ransomware operation claims that it has accrued more than 150 victims and produced illicit profits of several million dollars. Conti also operates its own leak platform, like more than a dozen other ransomware operations, where it listed industrial IoT chipmaker Advantech as one of its victims last month.
“Whilst we don’t know and may never know the full detail of the 1.2 GB of information stolen, what we know is that early indications suggest that the theft of information related to a number of business areas,” says SEPA’s A’Hearn. “Some of the information stolen will have been publicly available, whilst some will not have been.”
SEPA is actively working on eradication, remediation and rehabilitation tasks with cybersecurity professionals and experts from multi-agency partners, including Police Scotland and the National Cyber Security Centre.