back to article UK council yanks IT systems and phone lines offline following cyber ambush

Leicester City Council says IT systems and a number of its critical service phone lines will remain down until later this week at the earliest following a "cyber incident". The governing body of the midlands city in England first reported issues across its services on March 7 and announced via its X channel that it had yanked …

  1. Mike 137 Silver badge

    "Cyberattacks happen a lot, they happen to councils a lot,"

    ' "Cyberattacks happen a lot, they happen to councils a lot," said Eerke Boiten, professor of cybersecurity at De Montfort University Leicester '

    One has to ask whether councils are specifically targeted in advance, or whether they're simply in general so vulnerable that they fall victim by chance. Neither the victims nor the perps will ever disclose this or they'd lose face, but a combination of the recognised poverty of most UK councils (making them a poor target of choice) and my experience of local authority IT suggests that these are mostly opportunistic successes (just as the UK NHS wasn't specifically targeted by NotPetya -- it was just wide open and so fell victim).

    1. cyberdemon Silver badge
      Devil

      Simple scumbag target priority formula

      (number_of_customers x vulnerability_of_customers) / competence_of_it_staff

      Attacks are becoming about increasing the search space for further victims of scams, and councils will be a prime target because so many people depend on them.

      I am unfortunately a southern water hostag^Wcustomer and since their cyber-leak i have started getting many scam calls e.g. "calling about your housing problem"

      These appear to be automated with an AI voice calling itself Sarah. I haven't been far enough down the scam but I assume it wants to collect info about any issues you do have which it will use to sell you a discount home improvement survey which doesn't exist

      I dread to think how much misery they could cause if they obtained a list of phone numbers of vulnerable people who are in debt to their council / housing association / etc. It's pretty worrying

    2. Captain Hogwash

      Re: One has to ask whether councils are specifically targeted in advance

      Possibly. It depends who's behind the attack. If I was a criminal opportunist then I'd sneak in wherever I saw an opening. If I was the kind of aggressive nation state who liked to try and interfere in another country's elections then I'd definitely be targeting councils in order to disrupt services, cost money and sow much dissatisfaction among the populace. I understand it's known as hybrid warfare.

      1. Anonymous Coward
        Anonymous Coward

        Re: One has to ask whether councils are specifically targeted in advance

        A friend at a local company said that she thought they had been attacked but she had configured all their data deep in the network except for a directory at the front called "Account_Information" in which she had placed a lot of malware files with names like "Account_456738808.PDF.exe" and they were all "stolen" a year ago .. it's been completely unpublicized and her company has not seen any problems.

        1. steviebuk Silver badge

          Re: One has to ask whether councils are specifically targeted in advance

          That will be because if there was no actual data stolen, they don't have to report themselves to the ISO.

    3. Adam JC

      Re: "Cyberattacks happen a lot, they happen to councils a lot,"

      We do IT for a few local authorities and I think one of the stipulations is to publicly advertise all staff/councillors details openly on their website. This makes spear phishing rather easy as they already have the e-mail address, first/second name of most of their targets before they even begin. It's far from ideal so they have to run an extremely tight ship. Most of the ones we look after are <25 seats, so fairly easy to secure the lot but the bigger ones could be a logistical nightmare I'd imagine.

      1. John Brown (no body) Silver badge

        Re: "Cyberattacks happen a lot, they happen to councils a lot,"

        To be fair, it's a bit difficult NOT to publish the information on elected officials and the relevant staff on something like a Council website. It's all information that has to be public. I would assume the canteen staff and cleaners names are not on that website, or even the general non-customer facing staff, but department heads etc would be easily findable anyway from many other sources.

        1. steviebuk Silver badge

          Re: "Cyberattacks happen a lot, they happen to councils a lot,"

          Yep. All you have to do is search for councillor meetings and you'll get the names and email addresses of execs and directors. Because those councillor meetings are public record by law.

      2. steviebuk Silver badge

        Re: "Cyberattacks happen a lot, they happen to councils a lot,"

        They don't stipulate for councillors. Its the law that they have to publish the councillors details.

    4. John Brown (no body) Silver badge

      Re: "Cyberattacks happen a lot, they happen to councils a lot,"

      "the recognised poverty of most UK councils"

      "Poverty" is relative. Some may have effectively gone bankrupt and others may be close to it, but the annual budget is still a Very Large Number in most cases.

      Birmingham, as a current example, may be effectively bust and in special measure, but the annual budget is still over £3B. To a ransomeware crim, that's still a juicy target.

      Likewise, Leicester City Council has an annual budget in the region of £500m, so to ransomware scum, also a juicy target for a $million or so, even though local councils, especially now, are at best breaking even and have no spare cash.

    5. FlamingDeath Silver badge

      Re: "Cyberattacks happen a lot, they happen to councils a lot,"

      It’s terrifying that the moron masses are allowed anywhere near a computer.

      How many idiots are there right now, dangerously close to a keyboard?

      Most people, and I do mean the majority, have no bloody clue how most of the things they take for granted work.

      Lets face it, IF councils even have an IT department, chances are high, its just some MSP doing a piss poor job

      1. This post has been deleted by its author

      2. Martin M

        Re: "Cyberattacks happen a lot, they happen to councils a lot,"

        I suspect the livelihoods of most people reading this depend - directly or indirectly = on non-techies using computers, so personally I’m all for them being allowed to use their keyboards.

        I’m no doubt a moron and idiot when it comes to servicing my car or understanding the fine details of server CPU microarchitecture. Thankfully, some clever people in those domains have put lots of effort into making their technologies easy and safe to use, rather than bitching about me.

        1. FlamingDeath Silver badge

          Re: "Cyberattacks happen a lot, they happen to councils a lot,"

          What passphrase should I use for this IPSEC connection I have been tasked with setting up

          QWERTY

          Yes, an actual idiot did that

          This was someone who SHOULD know better

          But then we get onto the subject of your average breeder who doesn’t do IT, but are shoved in front of a computer as part of their job

      3. amajadedcynicaloldfart
        Facepalm

        Re: "Cyberattacks happen a lot, they happen to councils a lot,"

        @FlamingDeath

        Interesting comment. Moronic masses? Hmmm, just a tad insulting don't you think?

        By the way, I looked up "lying cunt" (without the operators) and the answer is not 3 as you said,

        It was "About 3,220,000 results (0.25 seconds)". Yes I used Google. Perhaps you misread? Oh the irony...

    6. Anonymous Coward
      Anonymous Coward

      Re: "Cyberattacks happen a lot, they happen to councils a lot,"

      Speaking with my sister in law recently who is an NHS psychologist. We got onto talking about IT security when she was telling me about a recent NHS breach. She was amazed when I told her I had been using MFA for at least 10 years as people I have worked for have had a security focus. They have only rolled it out where she works in the last few weeks.

      1. Anonymous Coward
        Anonymous Coward

        Re: "Cyberattacks happen a lot, they happen to councils a lot,"

        The question is, how is it implemented?

        The organisation I work for is rolling out MFA. The system requires you either to install an authenticator app on your phone or to give it your number for an SMS. Leaving aside the security of the latter, I'm not going to do that on my personal phone for work purposes and of course I have no work phone, neither do the majority of my colleagues. There is no Fortikey-type option either. My best option would seem to be to receive a code to my desk phone, but every time I try, the robot on the line says "sorry, we can't do that today" or somesuch.

        Bear in mind that nearly all my work is done on-site, on the LAN, logged in to the system. Isn't there some way the flippin' printer can ask the server to vouch for me?

        1. Anonymous Coward
          Anonymous Coward

          Re: "Cyberattacks happen a lot, they happen to councils a lot,"

          "The system requires to install an authenticator app on your phone or to give it your number for an SMS. Leaving aside the security of the latter, I'm not going to do that on my personal phone"

          You can get OTP display "card", the size of a business card, they work pretty much like an hardware implementation of any authenticator app you can have. So nothing specific to configure anywhere. Yes, they are mostly use-and-discard when the battery is done, but if you don't want to use your phone and your org doesn't want to buy phones for everybody, that could be a solution.

          1. Anonymous Coward
            Anonymous Coward

            Re: "Cyberattacks happen a lot, they happen to councils a lot,"

            Only if the org buys the cards. If I buy my own, highly likely they will refuse to register it and anyway, why should I have to buy my own tools?

        2. The Real SteveP

          Re: "Cyberattacks happen a lot, they happen to councils a lot,"

          I come across a lot of idiots in the commercial world who expect a free mobile phone just to be used for authentication. If they had any wits about them, they'd already have a suitable authenticator app installed on their personal mobiles for use with all their online accounts, such as Amazon, eBay, and their anti-social media - if they aren't already using MFA then they are not just idiots but morons, low hanging fruit for the bad guys.

          One more account in your MFA app doesn't make a difference in either time or energy used, but hey, let's whine anyway.

          1. Anonymous Coward
            Anonymous Coward

            Re: "Cyberattacks happen a lot, they happen to councils a lot,"

            I ran across a situation recently where staff were unable to access a system.

            The system required the use of an athenticator app

            The staff had the app on their phones

            The problem was that there had been a new rule put in place that staff were not allowed to have their phones on them while at work

          2. Martin an gof Silver badge

            Re: "Cyberattacks happen a lot, they happen to councils a lot,"

            idiots [...] who expect a free mobile phone just to be used for authentication

            Personally, I wouldn't be looking for a free mobile phone; I'd be looking for an alternative method. Even if I already had an authenticator app on my phone (which I don't), I have this thing about keeping work and personal stuff as separate as reasonably possible. Until recently, my "smart" phone was ancient (8 years old when I swapped it) and would not have run such an app anyway, and I have / had colleagues who still run "dumb" phones. I make further complications by refusing to have a Google account so meaning I can't use the Play store to download apps. I realise I'm somewhat unusual among the great unwashed in this regard.

            There is also the issue of what to do for (for example) partially-sighted users who can't necessarily read the numbers.

            Back in the day, miners were forced to buy their own candles, picks and shovels.

            M.

        3. steviebuk Silver badge

          Re: "Cyberattacks happen a lot, they happen to councils a lot,"

          Always annoys me when staff say they don't want to put the authenticator on their own phone. We give out work phones but I still put mine on my own phone as I use the authenticator anyway.

    7. Binraider Silver badge

      Re: "Cyberattacks happen a lot, they happen to councils a lot,"

      The deliberate approach will typically have a motive beyond cash. The ability to carry one out is only constrained by the intelligence that you can gather. If you WANT to get into something, you probably can, if sufficiently determined.

      Whereas the blanket approach and take-what-you-can-get, typical of most ransomware outfits, they just plain don't care who the target is. The disruption caused might be a "bonus" for the group, and, as was the case with the NHS hit a significant backfire for the ransomers - not because of the negative PR for them - but rather the attention it drew to (attempting) to beef up security.

      30 years hard fought experience says that practically everything going connected is the biggest mistake of all. There's a place for it, but any form of Automation, PLC's. etc - I'd rather not have the personnel and physical security barriers be the line of defence not some software that can and will be bypassed by the determined.

    8. Anonymous Coward
      Anonymous Coward

      Re: "Cyberattacks happen a lot, they happen to councils a lot,"

      Councils are reletively big organisations so many users to choose from. They have a wide range of contacts and the subject matters of contacts are huge. they must receive email from teh public which means it's difficult to screen.

      On top of that most councils workers these days are overworked covering 2-4 jobs that were previously done by other people.

      Training budgets are generally zero, and IT budgets have been cut beyond bare minimum.

      On top of that you have to deal with elected members who will ignore training requests and click on anything (I dealt with incidents caused by elected members falling for the exactly the same scam email 3x over and still they would refuse to do training).

      And you also have disgruntled staff who are unfit to work anywhere else but too difficult to sack that will click on phish just out of malicious delight.

      And if you're in Scotland you'll deal with teachers (who make the behaviour of elected members seem a minor irritation, since they will preach physical child safety till they are blue in the face then in the same rage filled breath demand to transfer all kids data to a Russian Paedophile because they simply must have access to the app du-jour or the children will all be academically destitute).

      I don't miss it much

      My sympathies to public sector cyber pros that haven't yet left through some deluded sense of loyalty. You work too hard, have rediculous levels of responsibility and are paid far too little.

    9. Anonymous Coward
      Anonymous Coward

      Re: "Cyberattacks happen a lot, they happen to councils a lot,"

      > the recognised poverty of most UK councils (making them a poor target of target)

      Their resources may be stretched thin to provide their services but councils routinely handle vast sums of cash, tens or hundreds of millions.

      1. Binraider Silver badge

        Re: "Cyberattacks happen a lot, they happen to councils a lot,"

        Indeed, and do you want those millions going on dealing with actual infrastructure, social services, etc., or on the red tape and IT consultants?

        I suppose the answer to that depends if you are one of the ones creaming off the top!

  2. tmTM

    We're stuffed

    but we're not sure how badly.

    Check back later for more bad news.

  3. t245t Silver badge
    Facepalm

    Managed Service Success Story stabalising the home Office's digital applications

    > .. officials still trying to 'identify the nature of the incident'

    Open Leicester - IT Services - Information

    Managed Service Success Story | stabalising the Home Office's digital applications

    1. hoola Silver badge

      Re: Managed Service Success Story stabalising the home Office's digital applications

      That first link is just part of the insanity of the Public Sector. The amount of information that is available directly or via vexatious FOIA requests is bonkers.

      I have been on the receiving end of some of these with requests down to serial numbers of equipment.

      No private sector company would ever make that available.

  4. Anonymous Coward
    Anonymous Coward

    Ah, the good old UK public sector!

    The natural home of incompetent IT staff who can't get a proper job in IT and senior council manglers on huge salaries who couldnt organise a day out for alcoholics in brewery where the bottles are already open.

    1. Anonymous Coward
      Anonymous Coward

      Re: Ah, the good old UK public sector!

      I was contacted about a job at a London council recently doing M365 migration. I have 25 years of AD and Exchange, 10 of 365 and many successful migrations under the belt, but at the salary on offer of £45-50k they're not going to get the best.

    2. Little Mouse

      Re: Ah, the good old UK public sector!

      re "incompetent IT staff", etc.

      Been there - done that. It's far more nuanced than just Idiots-work-for-the-council. It's basically a Kafka-nightmare in miniature, played out by the characters from Gormenghast.

      The staffers are not typically incompetent at all. Not necessarily the top 10%, but certainly more than capable of keeping the IT lights on.

      It's the layers and layers of middle management who bog everything down. That's where the "couldn't get a proper job in the real world" individuals are to be found. Too many decisions made at that level are self-serving and fly in the interests of the tax-payer.

      Add to that the senior management, who, like CEOs everywhere, spunk too much money on their pet vanity project, but then leave before it gets finished, only to get replaced by a looky-likey clone with another totally different vision that requires a complete U-turn.

      And then you have the tendering and procurement processes that effectively guarantee that all promising and well-intentioned initiatives get compromised to the point of being unrecognisable.

      1. rg287 Silver badge

        Re: Ah, the good old UK public sector!

        The other issue here is that certain respected security bods on Xitter/Mastodon have mentioned that when councils get ransomwared, they're getting a phonecall from Westminster asking them not to say so, and be vague in communications. Quite why, nobody knows, but your know-nothing middle-management will do exactly what the Home Office/Communities Dept tells them - even as the actual IT staff are begging to be allowed to release a post mortem for other councils to learn from.

        Most recently:Leicester City Council remains offline, from my automated monitoring, from their ransomware incident. A person in the council tells me they’ve been told not to admit it is ransomware by central government.

        The BBC reports they expect to return mid week. My take - very unlikely they will get back online mid week.

        Kevin Beaumont in particular has become increasingly vocal of late about the need for openness, transparency and in particular, for government to do the hard thing and ban the paying of ransoms.

        On the latter, so has former NCSC Chief Exec Ciaran Martin, and even EMSIsoft who - as a security vendor - make money when you come crying to them about your ransomware. When vendors are saying "this is getting a bit ridiculous now", then we should probably take notice.

    3. Who-me

      Re: Ah, the good old UK public sector!

      I worked for a council, for a few months between "real" jobs. If they paid worth a damn they might keep the better people.

      1. hoola Silver badge

        Re: Ah, the good old UK public sector!

        Yet according to all the Social Media experts people working for councils are and overpaid many time what they should be and sit around doing nothing.

        Having working for a local authority we had highly skilled & experienced staff. Just like any organisation there were passengers as well. The biggest issues are:

        Tendering - the constraints around public sector tendering essentially means you end up with a solution you don't want, does not work whilst being ripped of by a large private sector outfit.

        Money - there is a constant battle with budgets and having to make do. Managed solutions are seen as a way around this because the costs are fixed. The value for money is appalling (as is the quality) but Finance like it because it is predictable.

    4. David 155

      Re: Ah, the good old UK public sector!

      I think you'll find they employ plenty of private sector consultants too.

    5. Anonymous Coward
      Anonymous Coward

      Re: Ah, the good old UK public sector!

      A few years ago my council got infected. Nothing clever, someone in a small remote office like parks and recreation plugged in an infected USB stick and EVERYTHING was infected, all the servers right down to the Cisco CallMangler, so along with no systems they had no phones for three weeks. Because they didn't have even the simplest network segmentation.

      But who to blame? Likely not a senior network engineer, who probably told his boss then needed £25k to upgrade the firewalls but the boss had spent the last £25k of his budget buying top-of-the-range laptops and iPhones for the councillors who would be doing his pay review. Or perhaps the culture was that the engineer was too scared to press the subject for fear for his own job (and nice final salary pension)? Who knows? The remediation of course was to hire HPE or the like for £000ks to audit, recommend and upgrade.

      Some years later that same council won the Private Eye 'Rotten Boroughs' award, also coming runner up the following year.

  5. Anonymous Coward
    Anonymous Coward

    When I worked at a council one of the staffers trying to set up a website for their service wanted to skip the security reviews - "after all, we're just a little council, who'd want to attack us". I reminded them that very recently a council had had their web server hacked and someone had started their own site with unsavoury illegal images being served from a council domain. I was in the middle of repainting our hallway and the colour reminded me of one of the lighter shades on the Dulux colour chart.

  6. Pascal Monett Silver badge

    Oh, all is well, then

    "Leicester City Council has a good reputation for information governance, so I have some faith that the damage done in terms of sensitive data will be quite limited "

    Yeah, well we're going to find out just how "limited" the damage was. Not that I wish them to languish for weeks, it's just that I doubt that their reputation is enough to get them back on their feet next week.

  7. Tron Silver badge

    Keep your key services inaccessible to the internet.

    Intranet and internet. If necessary, two screens and two keyboards. Staff as the bridge. Have a paper-based back-up plan that works.

    If you can't do this, you might need to consider whether tech is an appropriate solution. Poorly done, it just reduces resilience and ends up costing more. A non-interactive website offering information, with services handled by people via phone may be the way to go.

    Tech is also very expensive, as you can't just buy it and use it for a decade. It costs a fortune to implement and maintain, plus subs, plus a fortune a few years down the line to upgrade/replace, and rinse and repeat. This in not what councils should be spending their money on. Paper may be a cheaper and more resilient alternative for many services.

    1. hoola Silver badge

      Re: Keep your key services inaccessible to the internet.

      That does not work when everyone demands everything be available online.

  8. Anonymous Coward
    Anonymous Coward

    Until people who click the links are fired, this will continue to happen.

    1. Mike 137 Silver badge

      "Until people who click the links are fired, this will continue to happen"

      Or, preferably, technological means are employed to prevent malicious links being active before they get presented to users, who can not reasonably be expected to discriminate between legitimate and malicious links on sight.

      Quite apart from which, punitive regimes such as dismissal for mistakes don't prevent accidents of this kind happening, as the next person appointed is just as likely to make a similar mistake if left unaided by proper controls. The culture of fear such regimes generate also results in people who make mistakes concealing them, which helps nobody.

      1. The Real SteveP

        Re: "Until people who click the links are fired, this will continue to happen"

        "Or, preferably, technological means are employed to prevent malicious links being active before they get presented to users, who can not reasonably be expected to discriminate between legitimate and malicious links on sight."

        Really? Just how hard is it to train people to hover the mouse over an email address or link to read the actual address/link behind the screen image one? Clue - It's not hard! This really is a training issue (or lack of) and should be dealt with in induction and further traing for all staff that use computers.

        1. Mike 137 Silver badge

          Re: "Until people who click the links are fired, this will continue to happen"

          "Just how hard is it to train people to hover the mouse over an email address or link to read the actual address/link behind the screen image one"

          The hard part is instilling the understanding that allows folks to decide reliably whether the actual target is malicious or not, particularly in this age of contaminated legitimate sites, internationalised domain names, URL shorteners and incomprehensible hash parameters. Even we infosec bods would have a hard time doing this reliably at sight.

          In any case, as it's perfectly possible to apply tech controls to this problem (e.g. cloud based security proxies have existed for ages) why should the inevitably non-expert user (who has a quite different full time job to do anyway) be expected to be the front line defender? Solely, I think, because many IT folks despise users as "stupid" and therefore fair game, whereas in reality they're just inadequately informed (and it's in reality impracticable to inform them sufficiently). The really stupid element here is the refusal to address the problem with appropriate controls.

  9. bernmeister
    Holmes

    Grudge?

    Sounds like somebody has got a grudge against UK councils. That narrows down the field of suspects. Count me out though, I dont have the IT skills needed.

  10. johnck

    Jumping to conclusions

    Before we go all in on it being ransomware, we need to remember all we know is this is an "cyber incident" its at Leicester City Council and IT systems and a number of its critical service phone lines. It could be a ransomware, or some other form of attack yes, but being as it is a UK council it could also be some 40 year old critical bit of equipment, that they have never had the budget to upgrade\replace. has let out the magical smoke and they cant get a replacement until next week. They are only predicting a down time of 2 weeks, a quick recovery from an attack

    1. Vestas

      Re: Jumping to conclusions

      Except of course LCC have already stated on Monday that they are working with “cyber security and law enforcement partners” so nobody is jumping to conclusions.....

  11. Anonymous Coward
    Anonymous Coward

    Accepted the risks "you can't fix stupid"

    This is about somebody at the top (Senior Manager) has accepted the risks.

    Take it out of his / her Golden Wheelbarrow Pension pot.

    This will soon stop idiots from not listening to IT / Security.

    I was always told, "you can't fix stupid".

    Apps, Cloud or SaaS, need to be reviewed on a regular basis, as you don't know what over the "Horizon"

    Hint: If you open a door to access an external Site, it's a swing / two-way door.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like