Royal Mail cyber incident now identified as ransomware attack.
N2K, Jan 13, 2023

The Royal Mail cyber disruptions this week have now been identified as a ransomware attack by Russian-adjacent gang LockBit.


Cyber disruptions to the UK’s Royal Mail service, first reported on Wednesday as a “cyber incident,” have now been identified as a ransomware attack linked to the Russian-affiliated LockBit gang, Computing wrote today.

LockBit encryptor found in use.

The Telegraph broke the news of the confirmed ransomware attack yesterday, with attribution to LockBit, or an actor using the gang’s encryptor. The attack was behind the encryption of devices used for shipping internationally, and ransom notes were reportedly printed on printers intended for customs dockets. The ransom note claims to be "LockBit Black Ransomware," with links to Tor sites used by LockBit operators and a ‘Decryption ID’ said by multiple security researchers to be unusable, Bleeping Computer confirmed yesterday. When Bleeping Computer reached out for comment, LockBit Support claimed that the gang “did not attack Royal Mail and they blamed it on other threat actors using their leaked builder.” There is “no end in sight” to service disruption, stressed a Royal Mail spokesperson, the BBC reported last night.

Expert commentary on the real-world implications, and aftermath, of the Royal Mail incident.

Alexander Heid, Chief Research and Development Officer at SecurityScorecard, noted that this incident shows the impact that a breakdown of the digital supply chain can have on physical operations:

"While technical details about the particulars of the incident are not yet disclosed to the public, the fact that the UK postal service has halted international shipping as a result of a cyber event is indicative of a physical supply chain's reliance on a digital component for continuous operations. A breakdown in the digital supply chain can have real-world effects, as demonstrated by the halting of international parcel shipments in and out of the UK."

Adam Flatley, Vice President of Intelligence at Redacted and a former technical director at the NSA, discusses how cyber incidents such as these have real-world impacts on people, and believes that they should be treated as national security threats:

“This is yet another example of how 'cyber incidents' like ransomware attacks have real-world impacts on innocent people and should be considered national security threats in addition to being cybercrimes. Mail services are vital for so many government and private industries that provide critical services (e.g., mailing medicine). A wide disruption could have catastrophic economic and human consequences. It's essential that governments of the world treat malicious actors who cause harm as national security threats and hunt them with all the tools available to disrupt their operations and dismantle their organizations.”

Added, 5:45 PM, 1.13.23.

Alexander Heid, Chief Researcher at SecurityScorecard, compared and contrasted the Royal Mail and the Guardian ransomware attacks.

"Ransomware will continue to be a scourge throughout 2023, and the attacks against The Guardian and the Royal Mail within the first month of the year are likely an omen of more to come. What is interesting to watch will be the ongoing battles between APT groups and ransomware gangs, who will sometimes "battle over turf" in regard to compromised networks.

"In the case of the Guardian incident, the ransomware payload is reported to have been delivered through an e-mail spear phishing attack. This method of delivery is common; attackers will use phishing because it is oftentimes easier to trick a human than to technically exploit any digital controls that may be in place.

"While The Guardian was able to maintain business operations, the ransomware attack against the Royal Mail had a brief global supply chain impact by causing the halting of shipments going in and out of the UK.

"The profitability of the ransomware racket is seemingly not going away any time soon, and every company that engages in commerce on the internet is a potential target. Companies that implement a comprehensive and continuous cybersecurity strategy will be at a much lower risk of business disruption in the event of an attack. Such a strategy would include continuous monitoring of the network perimeter for vulnerabilities and understanding the full attack surface of the enterprise, implementing continuous cybersecurity awareness training for all employees, and regularly scheduled vulnerability assessments and penetration tests. Business Continuity Plans should also be developed in the event of a successful ransomware attack, with segregated backups of mission-critical data.

"Even when an enterprise is doing everything possible to mitigate the impact of an attack, there still exists the risk of a successful attack against a critical third-party vendor, in which case leveraging security rating solutions as part of the continuous monitoring process could assist companies with determining which partners pose the most risk at any given time."