A shadowy hacker group brought the British Library to its knees. Is there any way to stop them? | Lamorna Ash – Source: www.theguardian.com

It is not quite accurate to say that the cyber-attack against the British Library took place on 28 October 2023. Most probably, Rhysida, the hacker gang that orchestrated the attack and is thought to be Russian, had already been creeping undetected through the digital territories of the British Library for months, Enrico Mariconti, a lecturer in security and crime science at UCL, told me.

Once it broke through to the library’s virtual private network (VPN) – the remote connection that allows employees to access its network from any location – it could in theory start making its way through locked door after locked door of the library’s many online systems, trawling until it discovered emails and documents containing details such as employees’ passport scans and work contracts. It hoped these documents might tempt a single bidder to pay 20 bitcoins (about £600,000) for privileged access to all that personal information.

Eventually, after the British Library refused to pay a £600,000 ransom, the hackers published close to 500,000 files of what they called “exclusive, unique and impressive” stolen data for anyone to download for free through the dark web. An image of the aftermath of Rhysida’s October attack might look like this: a national library from the pre-digital era, no wifi, no computer access, with even the phone lines dead. Except there was one crucial difference. No one could even make use of the British Library’s enormous collection of 170m items. Three months later, the library is still in the initial stages of its recovery, with many of its services and systems still down. Rhysida’s attack, according to Ciaran Martin, the previous CEO of the National Cyber Security Centre, is “one of the worst cyber incidents in British history”.

Long gone are the days of the solo-hackers who broke through computer security systems for kicks and bragging rights, like the bleached-haired teens in the 1995 film Hackers. In February 2022, years of internal messages from a Russian ransomware group were leaked, offering a window into the logistical dynamics of hacker groups. The group in question often had more than 100 employees on its payroll, each working remotely on the various moving parts of its fastidiously planned cyber-attacks. Its workforce was ordered into numerous departments, each with its own budget, and it had a committed HR department. In the past few years, cybercrime has expanded from a cottage industry to a slick, specialised crime racket.

Rhysida is a ransomware-as-a-service group. This means anyone can contract it to target a victim of their choosing. Its clients need not have any native understanding of cybercrime, because Rhysida will do the heavy lifting. It discovers how to hack into its victim’s private network, lift information, then encrypt the victim’s data and send out the ransom note, having decided in advance on a number that will be significant but not enough to bankrupt the victim. Then, it liaises with the victim through a message portal, all the while providing the client with detailed analysis of its progress.

Its motivations are varied. Mariconti told me he believes the British Library cyber-attack was probably a “showcase” operation. High-profile attacks work like an advertisement for potential clients. “It says, ‘Hey, we are able to attack a big institution,’” Mariconti said. “‘Come to us, give us money, and we are going to take whatever you want.’” Then there is the opportunistic element. The British Library is a critically important site of knowledge, but unlike the NHS or GCHQ, a breach of its cybersecurity wouldn’t cause an immediate threat to public safety, so there are fewer incentives for the government to improve its IT systems.

The future of cybercrime is beginning to look like any other arms race. There are many Russian-affiliated hacker groups, which tend not to carry out attacks on their own country (indeed, many strains of malware don’t even work on Russian computers). Nicole Perlroth, formerly the lead cybersecurity reporter for the New York Times, summarises Russia’s guidelines for hackers as follows: “First, no hacking inside the motherland. And second, when the Kremlin calls in a favour, you do whatever it asks.” Meanwhile, in Britain, the government’s lack of investment in cybersecurity has turned the country into an open goal for potential aggressors (last year, the Treasury posted a job advert for a head of cybersecurity with a starting salary of £50,000; the median salary for a head of cybersecurity role in the private sector is almost double that number).

And then there is the other hidden cost undergirding this arms race: its environmental impact. To run the servers that are either building the malware or defending against such attacks requires enormous carbon emissions. In 2020, an American cybersecurity firm managed to decrypt the malware that had locked a technology manufacturer out from their data in a few hours using nearly 100 cloud computer servers. The cloud reportedly now has a greater carbon footprint than the airline industry.

I asked Prof Mariconti if a solution to the increasing global threat from cyber-attacks would be to create stronger internal borders within the internet, so that each country’s firewalls came more to resemble those in China, whose servers block much international traffic and international websites. “That goes against the logic of the internet,” he replied. “The internet was born out of the idea of being able to communicate without restrictions all over the world.” This double-sided quality has existed since the internet’s very inception: freedom to roam without borders, and the potential misuse of such a liberty.

All that time the Rhysida hackers spent moving freely through the networks of the British Library, while we were down below in its physical reading rooms, naive to their existence, I wonder if they ever considered the irony of their attacks. The very conditions that have allowed them to conduct their trade across the open plains of cyberspace are those they now aim to abuse, by shutting down the possibility for communication and knowledge-sharing, stealing and encrypting information, forcing users to buy back or lose their data, and bringing vital institutions such as libraries – which protect and share all of this knowledge for anyone to access – to their knees.

• Lamorna Ash is the author of Dark, Salt, Clear: Life in a Cornish Fishing Town