
Ransomware Disrupts Scottish Environment Protection Agency

Conti Gang Claims Credit for Christmas Eve Attack and Data Exfiltration
Conti's data leaks site claims to have now published 7% of the files it stole from SEPA. (Source: Kela)

The Scottish Environment Protection Agency says a ransomware attack last month continues to cause serious outages and warns that ransom-demanding attackers also stole some data.


SEPA is the Scottish government's principal environmental regulator, charged with protecting the nation's environment. The nondepartmental public body - meaning it largely operates independently - has a staff of about 1,200.

The agency says it's still responding to the ransomware attack, which continues to disrupt services, as attackers demand the organization pay a ransom in return for a key to unlock their systems as well as a promise to stop leaking stolen information online.

The Conti ransomware operation, which has claimed credit for the attack, has begun leaking the stolen data online.

Conti's dedicated leaks site lists SEPA as a victim and has posted 20 files comprising what attackers say is 7% of what they stole. File names have been partially redacted. (Source: Kela)

SEPA says the attack is the "subject of a live criminal investigation," and that "a number of SEPA systems - including email - continue to be inaccessible." But it says many essential functions, including "priority regulatory, monitoring, flood forecasting and warning services are adapting and continuing to operate."

SEPA has created a dedicated web page to describe its response.

"What is now clear is that with infected systems isolated, recovery may take a significant period," says Terry A’Hearn, SEPA's chief executive. "A number of SEPA systems will remain badly affected for some time, with new systems required."

SEPA disclosed the attack on Dec. 24, 2020. The agency says it occurred "at one minute past midnight on Christmas Eve." The agency warned that its internal systems and contact center had been disrupted by the attack. It said it had implemented business continuity plans and was working with the Scottish government, Police Scotland and the U.K. National Cyber Security Center "to respond to what appears to be complex and sophisticated criminality."

"Communication into and across the organization is significantly impacted," David Pirie, executive director of SEPA, said at the time.

Stolen: 1.2GB of Data

In a Thursday update, SEPA detailed the continuing system disruption and said attackers also exfiltrated about 1.2GB of data. "Whilst … this is the equivalent to a small fraction of the contents of an average laptop hard drive, indications suggest that at least 4,000 files may have been accessed and stolen by criminals," SEPA says.

"It's a significant cyberattack and a serious crime has been committed against SEPA," A'Hearn told BBC Scotland News on Friday. "We've lost, for the time being, access to most of our data systems, including things as basic as our email system."

But A'Hearn said SEPA has still been able to operate Scotland's flood-warning system and issue flood alerts, which it has done in recent weeks. He called issuing such warnings "one of our most important responsibilities."

Scotland's environment secretary, Roseanna Cunningham, says: “While a great deal of work is going on to support recovery of other services that SEPA staff and the public rely on, I want to stress that arrangements are in place to allow the public to continue to report pollution incidents online or via the dedicated pollution hotline. I would urge them to do so in the interests of continuing to safeguard our environment.”

'Ongoing Investigation'

SEPA couldn't immediately be reached for further comment on the attack, including the suspected identity of the attacker, beyond its assertion that a "serious and organized cybercrime group" was involved.

“This remains an ongoing investigation," says Detective Inspector Michael McCullagh of Police Scotland’s Cybercrime Investigations Unit. "Police Scotland are working closely with SEPA and our partners at Scottish government and the wider U.K. law enforcement community to investigate and provide support in response to this incident. Inquiries remain at an early stage and continue to progress, including deployment of specialist cybercrime resources to support this response."

Police have declined to release further details.

Conti Operators Claim Credit

But the attack appears to have been carried out by the ransomware-as-a-service operation called Conti, because data allegedly stolen from SEPA has been posted to the leaks site that Conti dedicates to its victims.

Conti's leaks site now includes what the operators say is a partial dump of stolen SEPA data, comprising 7% of what they claim to have obtained. As yet, it's unclear if any of the stolen information might be sensitive.

"They released it to show that they have the data and to prompt the victim to negotiate and pay the ransom," Victoria Kivilevich, a threat intelligence analyst at Israeli cyberthreat intelligence monitoring firm Kela, tells Information Security Media Group. Based on those claims, "we therefore assess with medium confidence that this is indeed an attack by Conti."

Conti ransomware first appeared in May 2020. Since then, the ransomware operation claims to have amassed more than 150 victims and generated several million dollars in illicit profits. Like more than a dozen other ransomware operations, Conti also runs its own leaks site, where last month it listed industrial IoT chipmaker Advantech as one of its victims.

"Whilst we don’t know and may never know the full detail of the 1.2 GB of information stolen, what we know is that early indications suggest that the theft of information related to a number of business areas," says SEPA's A’Hearn. "Some of the information stolen will have been publicly available, whilst some will not have been."

Editor's note (Jan. 21): Conti's data-leaks site has been updated to list more than 4,000 files for download, saying 100% of what attackers exfiltrated has now been leaked.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.