On Christmas Eve 2020, the Scottish Environmental Protection Agency (SEPA) was hit with a ransomware attack that encrypted data and stole approximately 1.2 GB of information.
Roughly a month after the initial attack, the threat actors published the stolen information: more than 4,000 files, including contracts and strategy documents.
This comes after SEPA said it would refuse to cooperate with the cybercriminals by paying the ransom demand.
What types of data did hackers take from Scotland's EPA?
SEPA is the public body responsible for protecting Scotland's environment; its work includes national flood forecasting and flood warnings, along with monitoring for other potential natural hazards.
It also regulates the environmental side of business activity, so many of the stolen files relate to that work. Some of the information was already public, such as regulated site permits, authorisations and enforcement notices, and data on SEPA's corporate plans, priorities and change programmes. However, some of the stolen files contained information that had not previously been publicly available.
After a month of remediation work, SEPA acknowledged that the published data could ripple through its supply chain, including other parts of the Scottish government:
"The agency reiterated that whilst stolen data had now been illegally published and work was underway to analyse the data set, it does not yet know, and may never know the full detail of the 1.2 GB of information stolen. Some of the information stolen will have been publicly available, whilst some will not have been.
It confirmed that staff had been contacted based on the information available, were being supported and that a dedicated data loss support website, Police Scotland guidance, enquiry form and support line were available for regulated business and supply chain partners."
How bad was the network damage in the SEPA ransomware attack?
SEPA's Chief Executive, Terry A'Hearn, says the organisation has been forced to rebuild some of its systems and processes:
"Sadly we're not the first and won't be the last national organisation targeted by likely international crime groups. We've said that whilst for the time being we've lost access to most of our systems, including things as basic as our email system, what we haven't lost is our twelve-hundred expert staff. Through their knowledge, skills and experience we've adapted and since day one continued to provide priority regulatory, monitoring, flood forecasting and warning services."
The attack on SEPA also illustrates a shift in how some ransomware gangs operate. Until late 2019, most ransomware operations simply encrypted data and tried to bring operations to a halt; a victim with good offline backups could restore and refuse to pay.
Now many operators exfiltrate data before encrypting it and publish that stolen data if the organisation refuses to pay. This double-extortion model means restoring systems from backup no longer ends the incident: the exfiltrated data has to be treated as compromised, and affected staff, regulated businesses and supply chain partners need to be notified, as SEPA has done.