Following on from our first report on the ransomware attack 12 days ago, a Kent County Council (KCC) spokesperson has revealed to the Shepwayvox Team that it was:
“A foreign criminal organisation that is well known to the law enforcement authorities”, who perpetrated the £800,000 (102 Bitcoin) ransomware attack on Kent Commercial Services (KCS), wholly owned by KCC, on April 2nd at 1:30am.
The foreign criminal organisation's ransomware attack managed to evade 3 levels of professional IT security and affected all KCS systems.
The spokesperson went on to say:
“The attack bears the hallmarks of starting with a phishing email that was used to introduce a virus that then compromised the network for further attack. The sophisticated attack allowed the criminals to access KCS systems and encrypt a large amount of data.”
They further confirmed:
“As the systems and records were encrypted as part of the attack it is not possible to confirm what data was stolen. This data breach in our systems may have exposed personal and business data to unauthorised use by unknown external parties.”
KCC and KCS are likely to be aware of the potential identities of the perpetrators, as they are working with Kent Police Cyber Crime Unit and the Eastern Region Special Operations Unit (ERSOU) cyber crime unit, based in Bedfordshire.
Detective Inspector Ian Kirby from the Eastern Region Special Operations Unit cyber crime unit said:
“We are investigating a ransomware attack on Kent Commercial Services. We are working with the company and following a number of lines of inquiry to bring those responsible to justice. As this is an ongoing investigation, it would be inappropriate to comment further at this time.”
All parties continue to share key information relating to the attack with other cyber crime units, both nationally and internationally.
Hours before the foreign criminal organisation struck on April 2nd, at 1:30am, KCC had sanctioned just over half a million pounds of extra spending on PPE, as its stock was exhausted:
KCC's Cabinet approved £523,000 on the 1st April, as a secure source had been identified for PPE stock on 30th March, valued at £523k. It had to confirm the order that day – 1st April, April Fools' Day – else the PPE would be lost to another buyer.
This is a classic phishing email scam, well described by the National Cyber Crime Unit and our American colleagues of the same ilk, who said in their Advisory report of April 8th:
“Scarcity – Is the message offering something in short supply (like concert tickets, money or a cure for medical conditions)? Fear of missing out on a good deal or opportunity can make you respond quickly.”
Within hours of responding to what seemed like a too-good-to-be-true offer, KCS's three levels of professional IT security systems were bypassed and ransomware was installed. Had KCS/KCC paid the £523,000 up front as demanded? If so, has it all been returned? Did they get the PPE? No, No and No is the answer to each question.
On the 7th April, five days after the ransomware was activated, KCS sent out their data breach letter to notify their suppliers and customers (almost).
Moving on: Monday 27th April, KCS were notified that a sample of the stolen data was published on the Dark Web. A review of the sample data was conducted by their cyber experts and their data protection team and was found to contain business and corporate information relating to CSG business activities and information relating to CSG employees. No personal data relating to customers was found during the review. KCS continue to monitor the Dark Web for any new information being posted there.
The wholly owned KCC company – Kent Commercial Services – holds a lot of business and corporate information data, as it has a dozen trading tentacles: 1- KCS Kent County Supplies; 2- KCS Professional Services; 3- KCS Fleet; 4- KCS Printworks; 5- LASER Energy; 6- Lumina Energy; 7- Connect2Staff; 8- Connect2Kent; 9- CTS Vehicle Services; 10- Landscape Services; 11- Inspection Services; 12- Waste Management.
KCS makes circa £350m pa via many of its tentacles and circa £250m pa acting as an agent in the supply of gas and electricity to Councils, Hospitals, Universities and Schools.
This mess has to be fixed as the website has been down for eight weeks and is expected to be down for a further three weeks. So an expected down time of eleven weeks from a phishing email/s. A simple click of a mouse may well cost circa £1.5m to implement new and improved system security.
The people brought in to fix the issue are another KCC-owned company – Cantium – and KCC’s retained cyber-security specialists – Iforce – who will undertake the investigation into the attack and report on possible future system enhancements.
Another KCC spokesperson has added that KCS systems will have:
Full IT re-build, supported by 3rd party IT security experts.
Enhanced security with additional firewalls and segregation being implemented through moving to a ‘Cloud’ environment via Azure (e.g. Microsoft 365).
Completing the implementation of 2 factor authentication to provide additional security to individuals' data and the data that is accessible on our systems.
Providing guidance and training to employees on how to spot and deal with phishing emails to reduce the chances of a future attack.
Commencing a review of how we manage personal data to reinforce the security of that data.
The data breach was reported immediately to the Information Commissioner’s Office and KCS have since been informed, in writing, there is no regulatory action required and that the case has been closed.
On the 5th May, the Foreign Secretary, the Right Honourable Dominic Raab MP, mentioned cyber attacks in his daily briefing, saying:
“There are various objectives and motivations that lie behind these attacks, from fraud on the one hand to espionage. But they tend to be designed to steal bulk personal data, intellectual property and wider information that supports those aims, and they are often linked with other state actors.”
Russia, China and Iran were suspected of being behind the attacks – and targeting Britain during the pandemic. Raab went on to say they were “particularly dangerous and venal”.
The joint advisory group from the United Kingdom’s National Cyber Security Centre (NCSC) and the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) warned in their Advisory report of April 8th about covid-19 scams and phishing emails. They advised:
“NCSC and CISA also recommend organisations plan for a percentage of phishing attacks to be successful. Planning for these incidents will help minimise the damage caused.”
But by April 8th, the damage at the £600m KCC-owned company, Kent Commercial Services, had been done.
KCS had fallen foul of a phishing email from a foreign criminal organisation that is well known to the law enforcement authorities. The foreign criminals more likely than not walked away with £523,000, which was to purchase PPE for frontline staff working with covid-19. This, we believe, was a heinous crime to commit while a pandemic was raging across our county and country.
Good luck with bringing them to justice.
The Shepwayvox Team
Dissent is NOT a Crime
An advisory has been issued for UK and US healthcare organisations involved in the coronavirus response.