Computer Security Technology Ltd

+44 (0)20 7621 7836 LinkedInTwitter

+44 (0)20 7621 7836 CSTL LinkedInCSTL Twitter

March 29, 2016

Lincolnshire council cyber-breach a lesson for all

We hear all the time of major firms being attacked by cyber-criminals. Sometimes it is a case of digital thieves taking valuable data to sell on, while others sabotage sites for financial or moral gain.

We hear all the time of major firms being attacked by cyber-criminals. Sometimes it is a case of digital thieves taking valuable data to sell on, while others sabotage sites for financial or moral gain. It’s a little rarer to find stories of smaller organisations falling victim, but these attempts do happen – just ask the people of Lincolnshire.

Earlier this year, Lincolnshire County Council’s online services went down when its systems were breached by malicious hackers hoping to get hold of a significant sum of money.

The saga began when a member of staff received an email with an attachment purporting to be an official invoice. The employee opened this file, trusting it was legitimate, but soon realised the download had infected the council network with ransomware – a type of malware through which hackers demand money to restore access to hijacked data. The requested sum in this instance was a lofty £1 million.

Ransom reduced from £1m to £350 but council still refused to pay

As a precaution, the council immediately shut down its IT systems while work continued on removing the threat. Although it’s thought that the majority of data stores were accessed by the hackers, no files were lost in the assault, officials said.

Eventually, upon realising a local county council is unlikely to have a million pounds lying around spare, the cyber-criminals dropped their fee to just £350. The updated demands were still refused, however. After working “24/7” to eradicate the virus, staff eventually regained control of the system, having worked with pen and paper for almost a week.

The biggest point to take away from the story is the fact that, as chief information officer Judith Hetherington Smith explained, the malware made it through the council’s anti-virus software. All it took was for an unsuspecting employee to open an email attachment – something most of us will do multiple times every day.

The key is undoubtedly to be extra vigilant, as these attacks happen with alarming regularity. Only open emails from recognised senders, and ask for invoices to be sent in a PDF format, which tends to be a safer format than both Word and Excel. Oh, and think twice before ever paying a ransom – it might pay to sweat it out.

In the same theme we have observed a spike in email threats that don’t have an overt payload, making it almost impossible for Antivirus scanner to detect. Here’s a walkthrough of one such recent threat:

An email is sent with a subject line “URGENT - Statement of Account - Invoice overdue”. It has an attachment that’s a spreadsheet, the spreadsheet looks to be list of invoices that have nothing to do with the recipient or their business. Thinking it’s a simple mistake the email is closed and forgotten. However, the spreadsheet contained a simple macro to make a web call to a legitimate web site and download a file. The download is undertaken using HTTPS (TLS) to encrypt the communication and bypass gateway content controls. Worth noting is that the legitimate web site has been compromised without the Web Master of the site realising they are now harbouring such content and hence web site categorisation lists used to ensure safe browsing are made worthless.

So why was the spreadsheet not blocked by the email anti-malware scanner? Because it did not actually contain malware, rather it had a macro that is legitimately supported in most MS applications. In Summary, a dangerous file has now bypassed email and web perimeter controls and has been delivered to the endpoint. The result is that the last line of protection depends on the endpoint defence being robust and adequate (reasons why it may not be: does the endpoint have AV, is it active, is it optimised to detect advanced threats, are the signature library is up-to-date). Disturbingly, even if these controls are all in place, if the payload file is a variant such as non-replicating utility that encrypts files, then the AV scanner can mistakenly deem the file as legitimate rather than a threat. The final chapter of this walk through, is that at some later time the original recipient receives a message stating that their files been encrypted, and they need to make a bit-coin payment ransom payment!

Do you want to know more about these and similar risks, and what you can do to protect against them? Please call or email us: or tel 020 7621 7836.

CSTL awarded ‘Cyber Essentials Plus’ certification body status - we can help you achieve Cyber Defence recognition.
Cyber Essentials aims to help organisations implement fundamental levels of protection against cyber-attack, demonstrating to their customers that they take cyber security seriously. We can assist with the advice, and can undertake assessment to award you Cyber Essentials plus certification.