The days of cyber attacks being focused only on private sector organisations or on specific sectors are long gone. Recent cyber attacks have shown that every private and public sector organisation is a potential target, whether directly or through its supply chain. As we look at these attacks, we consider UK government plans to help organisations respond to the evolving threat and how ICAEW can facilitate dialogue.
Microsoft SharePoint Servers hacked
Late last month, Microsoft published a blog informing customers of vulnerabilities in on-premises SharePoint Servers which were being actively exploited. It made clear that the vulnerabilities only applied to on-premises SharePoint Servers, and SharePoint Online in Microsoft 365 was not impacted. With many organisations across different sectors using such servers, the impact could be far reaching.
The two vulnerabilities related to spoofing, where attackers impersonate someone or something to gain trust and bypass security, and Remote Code Execution (RCE). Microsoft has described the steps of the attack as beginning with exploitation of internet-facing, on-premises SharePoint Servers followed by distribution of Warlock ransomware.
Microsoft believes the vulnerabilities are being actively exploited by two Chinese nation-state actors, Linen Typhoon and Violet Typhoon. These actors are known to target government and defence organisations, as well as media, financial sector, health, non-governmental organisations, think tanks, and higher education bodies. Microsoft also believes the vulnerabilities have been exploited by a China-based threat actor, tracked as Storm-2603, and it is investigating exploitation by other actors.
Security updates have been published along with steps to mitigate potential attacks, which include using supported versions of SharePoint and applying the latest security updates. The UK’s National Cyber Security Centre (NCSC) has also published an article encouraging UK organisations to take immediate action to mitigate the vulnerabilities.
Organisations have to make choices on where to host their applications and data. This often involves weighing up data privacy, regulatory compliance and control against cost, scalability and expertise.
Whichever decision is taken, the cyber security roles and responsibilities of in-house IT teams and, where relevant, cloud service providers must be considered. The ICAEW guidance on benefits and risks of cloud computing explores these considerations in more detail.
Public sector under attack
Thousands of Afghans provided with safety in the UK were notified this month that their personal data had been revealed following a cyber security incident at a subcontractor used by one of the MoD’s suppliers. The website of the subcontractor, Inflite The Jet Centre, describes it as a family-run business which provides “an extensive range of aircraft handling, engineering and support services” at London Stansted airport.
The MoD notification stated that the exposed data may include passport details such as names, date of birth and passport number, as well as Afghan Relocations and Assistance Policy (ARAP) reference numbers. Inflite The Jet Centre has stated that the breach was limited to email addresses only. Details of the cause of the attack have not yet been released.
This is not the first time we have heard about an MoD-related data breach. Just last month, media reports revealed a previous data breach that had led to thousands of Afghans being secretly relocated to the UK.
In that case, the breach was caused by an employee who accidentally emailed a spreadsheet – containing personal details of thousands of people seeking to come to the UK to flee the Taliban – outside the government team processing the applications, with the data ending up in the public domain. A further BBC News article states that the MoD has admitted 49 data breaches in the last four years at the unit handling Afghan relocation applications.
The latest MoD breach comes as the impact of the UK Ministry of Justice’s (MoJ) Legal Aid cyber attack in May continues to be felt, with barristers reporting that they are going unpaid and having to turn cases away, and fearing the collapse of the sector. The breach impacted the personal data of thousands of legal aid applicants and led to the legal aid system being taken offline, with most of it still unavailable as systems are rebuilt.
These public sector breaches are concerning for several reasons. The MoD holds highly confidential and sensitive data which, if compromised, could significantly impact human lives. While the causes of all its 49 breaches are unknown, the volume could indicate a weak cyber security environment.
Where the root causes are known, they are a reminder that cyber security is not limited to technical controls but includes educating and supporting people to avoid and handle incidents.
Further, cyber security goes wider than the organisation’s boundaries, encompassing the whole ecosystem. Organisations and their clients, suppliers and business partners must work together to raise the bar on cyber security. Tools such as Cyber Essentials can help improve cyber security across the supply chain.
Weak password destroys a 158-year-old company
A news report in late July covered a 158-year-old Northamptonshire-based transport company, KNP, which went down following a ransomware attack, leaving 700 people out of work.
The attack was believed to have been made possible by a weak employee password, which the attackers were able to guess. Once in the system, the perpetrators encrypted the data and demanded a ransom payment, estimated to be in the region of £5m. The company was unable to pay this ransom, leaving it without access to its data and forcing it to cease trading.
A UK government news release in July confirmed its intentions to take forward legislative measures “to tackle the threat of ransomware and protect businesses and critical services”, following public consultation. These measures would introduce a targeted ban on ransomware payments by public sector bodies and operators of critical national infrastructure (CNI).
While KNP would not have been banned from paying a ransom based on these criteria, its case does show the potential impact of not paying a ransom and not having suitable backups.
Our Annual Cyber Lecture on 6 October will explore the ransomware legislative proposals and the forthcoming Cyber Security and Resilience Bill with representatives from the UK’s National Cyber Security Centre, and the Department for Science, Innovation and Technology. Book your place here.
Want to learn more about cyber security?
Visit the ICAEW cyber security webpages.
Got an interesting cyber story for us? Email techfac@icaew.com