In August 2023, St Helens Borough Council experienced a cyber security incident that impacted its ICT systems and operational activities. The attack was a Malware as a Service (MaaS) incident, where an unknown actor gained access to the council’s system and exfiltrated 29 gigabytes of data.
Challenges
- Initial systems shutdown until compromised areas could be identified and contained.
- Service disruption: Staff couldn’t access line of business apps, and the public couldn’t make payments or bookings online.
- Data exfiltration: A large amount of data was uploaded to a cloud storage provider in New Zealand.
- Finance function impact: The finance department was significantly affected due to its reliance on on-premise servers.
Approach
- The council immediately invoked its Emergency Response Plan and brought in a cyber incident response team (CIRT).
- Compromised accounts were disabled, IP addresses blocked, and domain access passwords reset.
- Staff were notified via email, and a statement was published on the council website.
- The CIRT cleansed all servers accessed by the actor.
- The council reset all staff passwords, introduced multi-factor authentication (MFA), and replaced its antivirus with an Endpoint Detection and Response (EDR) solution.
Outcomes and benefits
- Quick recovery: The council moved back to a business-as-usual position by November 1, 2023, just 10 weeks after the incident.
- Minimal impact: The overall impact on the council, staff, partners, and residents was minimized due to quick action and workarounds.
- Enhanced security: The incident led to improved security measures, including MFA and EDR implementation.
Lessons learnt
- SIEM importance: Having a Security Information and Event Management (SIEM) solution in place could have prevented the attack by providing real-time warnings.
- MFA necessity: Multi-factor authentication on all devices could have prevented the actor from gaining access.
- Business continuity planning: Plans need to cover the possibility of prolonged ICT system disruption.
- Cloud migration benefits: The council’s prior migration of 60% of its systems to the cloud helped minimize the attack’s impact.
- Regular audits and certifications: The council’s ISO/IEC 20000 and ISO/IEC 27001 certifications contributed to its preparedness.
- Experience matters: Previous experiences with emergencies increased the council’s readiness to deal with the cyber incident.
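To illustrate the kind of real-time warning the SIEM lesson above refers to, the following Python sketch is an added example, not code from the council or the case study: it aggregates outbound bytes per source/destination pair over a sliding window from constructed egress log lines and raises an alert when bulk transfer to a single external destination crosses a volume threshold. The hostnames, destinations, timestamps and sizes are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample egress log lines: timestamp, source host, destination, bytes out.
# These are illustrative and not taken from the St Helens incident.
SAMPLE_LOGS = """\
2023-08-20T01:05:12 FILESRV01 storage.example-cloud.nz 3221225472
2023-08-20T01:20:44 FILESRV01 storage.example-cloud.nz 4294967296
2023-08-20T01:48:09 FILESRV01 storage.example-cloud.nz 5368709120
2023-08-20T02:10:30 WKS-112 updates.example-vendor.com 52428800
2023-08-20T02:31:57 FILESRV01 storage.example-cloud.nz 6442450944
"""

def parse_egress_log(text):
    """Parse whitespace-separated egress records into (ts, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events

def detect_bulk_egress(events, threshold_bytes, window):
    """Sliding-window sum per (source, destination) pair.

    Returns (src, dst, bytes_in_window, alert_time) for the first moment each
    pair crosses the threshold. A production rule would also exempt known
    backup or sync destinations to keep the false-positive rate down.
    """
    recent = defaultdict(list)   # (src, dst) -> [(ts, bytes)] inside the window
    alerted = set()
    alerts = []
    for ts, src, dst, nbytes in sorted(events):
        key = (src, dst)
        cutoff = ts - window
        # Keep only events still inside the window, then add the current one
        recent[key] = [(t, b) for t, b in recent[key] if t >= cutoff] + [(ts, nbytes)]
        total = sum(b for _, b in recent[key])
        if total >= threshold_bytes and key not in alerted:
            alerted.add(key)
            alerts.append((src, dst, total, ts))
    return alerts

def run_sample():
    """Run the rule over the constructed logs: alert at 10 GiB within 2 hours."""
    return detect_bulk_egress(parse_egress_log(SAMPLE_LOGS), 10 * 1024**3, timedelta(hours=2))

if __name__ == "__main__":
    for src, dst, total, when in run_sample():
        print(f"ALERT {when.isoformat()} {src} -> {dst}: {total / 1024**3:.1f} GiB in window")
```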
View original case study article at local.gov.uk [PDF]