Proact’s Glasgow office is based just east of the city, on the road that takes you to Edinburgh. The office park at Eurocentral is bright, modern, and full of vibrant companies, great food and occasionally some excellent entertainment.

However, last Christmas Eve it was very much the opposite for our neighbours over at the Scottish Environmental Protection Agency (SEPA).

Instead, they were subjected to a very nasty ransomware attack that has put the organisation into turmoil as it continues to deal with the consequences. Last week, SEPA’s Chief Executive Terry A’Hearn admitted that it will be “well into 2022 before its systems are restored fully”.

How did the attack on SEPA unfold?

While many details are still not publicly known, it is likely that the attackers entered SEPA via a phishing attack. We can assume the ransomware was then spread across the organisation via lateral movement, devastating the estate and leaving employees unable to do their jobs because of the lack of access to key files, emails and tools.

This was, and still is, devastating for SEPA. It was reported that only a small amount of data was stolen, approximately 1.2 GB, equating to around 4,000 files. Unfortunately, this data contained information about staff who worked in several business areas.

Further concern arose from the prospect that the attack could spread through SEPA’s integration with other UK, European Union and Scottish government agencies. However, SEPA did confirm that only IT functions were affected, such as the delivery of email systems and the tooling required for day-to-day business, and not OT (Operational Technology) systems, such as flood forecasting and warning services. Some good news, at least, as a widespread ransomware attack across Government would have been devastating.

SEPA reacted quickly and informed the Scottish Government, Police Scotland, the National Cyber Security Centre, the National Crime Agency and the Information Commissioner’s Office as soon as it had happened. They used well-rehearsed business continuity planning, so they could continue operating in a sound manner.

What can we learn from this attack on SEPA?

SEPA’s quick reaction clearly prevented this attack from worsening. The involvement of law enforcement at the most critical stage was also a massive part of that. They helped to identify the issue quickly and remediate any problems as soon as they could.

Unfortunately, the attackers did get away with some data. However, it was limited and was contained as much as possible. Yet the downtime and the long-lasting effect the attack has had on the systems the organisation uses day-to-day have been significant, and that cannot be ignored.

It appears that SEPA did have a cyber capability, such as a SOC (Security Operations Centre), which may have played a part through services like SIEM (Security Information and Event Management), vulnerability assessment and, most importantly, anti-phishing software.

So, where can you go from here?

The attack on SEPA is a perfect example of how organisations can’t let their guard down at any point. Having a prevention strategy and a business continuity plan in place is also key. But when was the last time you reviewed your security strategy?

Proact can take that pain away, whatever security solutions you currently have in place. Our expert consultants can review your current plans and recommend a robust strategy to keep your business-critical information protected. We can go further and offer a range of security solutions to suit you, while our 24/7 SOC can provide that extra protection, giving you peace of mind.

Want to know more? Book a meeting with our team.

Euan Birch

Security Operations Lead, UK

Find Euan on LinkedIn