Scottish council still rebuilding systems two years after ransomware attack

Auditors remain concerned about the cyber resilience of a Scottish council as some systems are yet to be fully rebuilt following a ransomware attack in November 2023. The ransomware attack on Comhairle nan Eilean Siar, in Scotland's Western Isles, required "several" of its systems to be reconstructed, among other damage – …

  1. FirstTangoInParis Silver badge

    From the report ….

    Public-sector bodies are encouraged to reflect on the findings set out below and learn lessons from the Comhairle’s experience:

    • IT infrastructure: Locally hosted systems are more vulnerable to cyber threats. Organisations should review their infrastructure to ensure it is resilient and meets recognised disaster recovery standards.

    Really? Can someone explain why locally hosted is more vulnerable than (presumably) cloud hosting? Surely so long as there are NCSC-approved countermeasures in the local hosting, this is not necessarily the case?

    1. Like a badger Silver badge

      Re: From the report ….

      I suspect it's because from the council's own report: "only systems unaffected were those in the cloud, principally Microsoft 365, therefore email, Teams and SharePoint were still available", and because the local backups were also successfully attacked, meaning they couldn't restore them. And what they lost was almost everything - payroll, accounts payable, receivable, housing benefit etc etc.

      As the original breach was believed to be employee login credentials, it certainly doesn't follow to me that cloud systems would be notably more secure.

      1. MachDiamond Silver badge

        Re: From the report ….

        "and because the local backups were also successfully attacked, meaning they couldn't restore them."

        Tape vaults are usually not accessible via the internet. It sounds like they didn't have a proper backup system in place. Paper is still a thing that's available, as well as toner cartridges.

        I have a mirrored drive for near-real-time backups. Drives I connect to have offline backups that get archived, since spinning rust is cheap as. My final line of defense is a set of archive drives that live in the back of a closet at a family member's home with labels on so they can easily be sent to me if I need them (haven't in 20 years). Any common disaster that takes both of our homes would have to be so large that recovering the data won't be a priority or maybe not even necessary.

        For some I see a cloud storage subscription as useful. A photographer I know works on-site on big advertising projects and uses an online company to back up in case the gear is nicked or destroyed. He also is mirroring the data as he goes on an external drive that leaves with somebody else and often there's a copy going to the client at the location.

    2. herman Silver badge

      Re: From the report ….

      Especially in low-populated rural areas, some things should probably remain paper records.

  2. Taliesinawen

    Restore from backups ..

    > The ransomware attack .. required "several" of its systems to be reconstructed

    Why not just restore from the last good backup? The backups to be kept on a second system that cannot be overwritten.

    1. Ochib

      Re: Restore from backups ..

      A good ransomware attack will wait a number of months in order to be part of the backup. So when you do a restore, you are restoring the ransomware as well.

      1. Excused Boots Silver badge

        Re: Restore from backups ..

        Yes, but presumably that will only work if you are backing up, say, images of the entire system. What if you simply back up the data itself? It's either encrypted or not.

        Or, hypothetically, say you have a backup image of a system from a month ago - you restore this to an isolated device and set the date to be a month prior. Would the malware on it not activate, and hence the data be intact?

        1. Like a badger Silver badge

          Re: Restore from backups ..

          It was a ransomware attack; it did hit the backups. Even if the backups had been purely data, and been encrypted by the council, that wouldn't have stopped them being irretrievably scrambled by the attackers, and it was the complete loss of all financial and related data that was the problem. They couldn't just restart bare metal and declare it Year Zero; there's all the bills to pay, benefits to hand out, staff to pay, HR records to be recreated, financial accounts partially reconstructed from what they could find, etc.

          After the event they recognised that backups needed to be immutable, but that was the wisdom of hindsight. Best practice would have been different, but when you're running the Middle of Scottish Nowhere Council the most exciting things that normally happen are outbursts at the planning committee, so your IT department is comprised of limited experience and empty chairs....

          1. MachDiamond Silver badge

            Re: Restore from backups ..

            "They couldn't just restart bare metal, and declare it Year Zero, there's all the bills to pay, benefits to handout, staff to pay, HR records to be recreated, financial accounts partially reconstructed from what they could find etc"

            Those outgoings aren't going to happen with ransom-wared files. I would hope that checksums are being run on the backed up data so it's known to be a good copy and then physically disconnected from the system so it can't be attacked. I'm awfully fond of paper reports even if they are just summaries. It's expensive and a right PIA to type stuff back in, but when all else fails......

            1. Anonymous Coward

              Re: Restore from backups ..

              Yes, best practice would likely have prevented or mitigated the attack; I think they have learned the now. But you have to accept that at the time of the attack, this was a tiny organisation, serving 26,000 people across the Outer Hebrides, probably the most remote part of Britain. Scheduled air services to one of the islands still land on the beach, and elected councillors are almost entirely independents. It's almost tribal there - well, familial if tribal is too much. The local economy is fishing and subsistence farming, with a tiny amount of tourism.

              The budget is tiny, local interest trumps all other matters, and unless the head of IT is both forceful and has a lot of local influence, then change will be very, very difficult. Think backwoods Alabama as a comparison.

      2. Taliesinawen

        Re: Restore from backups ..

        Cumulative digitally signed backups to be kept on a second system that cannot be overwritten.

    2. Excused Boots Silver badge

      Re: Restore from backups ..

      "Why not just restore from the last good backup."

      What is this ‘backup’ of which you speak?

      Asking for a friend who happens to work in local government!

      1. herman Silver badge

        Re: Restore from backups ..

        You mean the photocopy of the floppy disk?

  3. Tron Silver badge

    Two years is a joke.

    It shouldn't take that long to set up an offline system, airgapped by staff from any systems they connect to the internet for interactivity.

    Data security rule one. Your intranet/infrastructure should never connect to the public internet.

    1. MachDiamond Silver badge

      Re: Two years is a joke.

      "Data security rule one. "

      And if you forget Rule One, a small Asian person is going to kick your ass.

      1. This post has been deleted by its author

      2. MachDiamond Silver badge

        Re: Two years is a joke.

        A down vote...hmmmm. Somebody hasn't heard of Lu Tze (Discworld reference (The Thief of Time)).

      3. MachDiamond Silver badge

        Re: Two years is a joke.

        Ok, found the reference:

        'Rule One', which states "Do not act incautiously when confronting little bald wrinkly smiling men", since such a person is almost always a highly trained martial artist due to the Disc's law of narrative causality.

  4. beast666 Silver badge

    This is my local council and there has been no disruption to services at all.

    In fact I was unaware of said ransomware attack.

    Go figure...

  5. Michael Hoffmann Silver badge

    A lot of talk about backups...

    Backups are rarely the problem, everybody has "backups".

    It's *restores* that's the problem. How often are they done, tested and verified?

    <crickets> Yeah, thought so...

  6. EnviableOne

    If you haven't tested, does it count as a backup?

    There are government emergency plans for specifically 2 things: Pandemic and Widespread Cyber Attack.

    Neither plan survived enemy action. gov.scot has a lot of cyber resources, and they've been there for years:

    https://www.gov.scot/publications/cyber-resilience-incident-management/
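    The thread above keeps circling the same three points: checksums on the backed-up data so it is known to be a good copy, digitally signed backups on a system the source host cannot overwrite, and restores that are actually verified rather than assumed. The following is an added illustration of those ideas, not code from the article, the council or any of the posters: each file's SHA-256 is recorded in a manifest, the manifest is HMAC-signed with a key that exists only on the verifying side, and a restore check reports both a scrambled file and a manifest an attacker has rewritten to match it. The file names and key are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

def build_manifest(backup_dir: Path, key: bytes) -> dict:
    """Hash every file under backup_dir and HMAC-sign the listing.
    The key is held only by the verifier, never on the backed-up hosts."""
    files = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            files[str(p.relative_to(backup_dir))] = hashlib.sha256(p.read_bytes()).hexdigest()
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "sig": hmac.new(key, body, "sha256").hexdigest()}

def verify_backup(backup_dir: Path, manifest: dict, key: bytes) -> list:
    """Return a list of problems; an empty list means the copy matches its signed manifest.
    The signature is checked first, so a manifest edited to match scrambled files is rejected."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        return ["manifest signature invalid"]
    problems = []
    for rel, digest in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            problems.append(f"modified: {rel}")
    return problems

def demo() -> tuple:
    """Constructed scenario: a clean copy, the same copy with one file scrambled,
    and a manifest rewritten by the attacker to match the scrambled file."""
    key = b"verifier-only-key"  # constructed for the example
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "payroll.csv").write_text("staff,amount\nA,100\n")   # constructed sample data
        (root / "benefits.csv").write_text("claim,amount\nB,50\n")
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)
        (root / "payroll.csv").write_bytes(os.urandom(32))           # simulate an encrypted file
        scrambled = verify_backup(root, manifest, key)
        forged = {"files": dict(manifest["files"]), "sig": manifest["sig"]}
        forged["files"]["payroll.csv"] = hashlib.sha256((root / "payroll.csv").read_bytes()).hexdigest()
        tampered = verify_backup(root, forged, key)
    return clean, scrambled, tampered
```

Running `demo()` yields an empty list for the clean copy, `["modified: payroll.csv"]` for the scrambled one, and `["manifest signature invalid"]` for the forged manifest; the same check run as a scheduled job against a restored copy is the "tested and verified" restore the posters above ask for.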

  7. Missing Semicolon Silver badge

    Windows shares?

    I expect the backups are done by backup programs on the systems-to-be-backed-up, copying to Windows shares. Those shares have to be writable for the backup program to work.

    I suspect making a system that "pulls" data from systems to back up is a little trickier.

  8. Anonymous Coward

    Relax guys

    Have you heard about AI-Backups?
