SUBSCRIBE NOW!

Vol. 44 No. 2 — March 2024

THE SYSTEMS LIBRARIAN
Libraries Under Cyberattack
by Marshall Breeding

The Worst-Case Scenario

The recent attack experienced by the British Library (BL) approaches what might be considered a worst-case scenario. The incident was discovered on Oct. 28, 2023, as technical systems supporting the library services began collapsing. Practically all parts of the BL’s technology infrastructure were impacted, including the ILS, the catalog, the many systems supporting the library’s massive digital collections, request and retrieval services, and even the Wi-Fi network. Library users were unable to access its physical collections, including both those in its main building in St. Pancras in London and those housed in its remote Boston Spa facilities. The largest library in the world was essentially unable to function or fulfill any of its core services.

Many of these services remained down months later. It was not until Jan. 15, 2024, that the BL’s online catalog was relaunched, although without the former ability to request materials. The full restoration of all systems will likely take additional months of intense behind-the-scenes work. Compounding the operational impact, internal data has been released, including personal and financial details of library workers and users. The library has contacted those affected to offer advice on how to mitigate problems related to the exposure of their personal information.

This full-scale ransomware attack caused incredible disruption for the BL. Such attacks exploit vulnerabilities in technology components to unleash processes that encrypt data, rendering it inaccessible to its owners. Once the attack has been executed and the files encrypted, only the intruders have access to the digital keys created to unencrypt the files. It’s impossible to access data without the digital key used to encrypt the files. The digital keys are held as ransom, with the perpetrators demanding substantial payments, usually in bitcoin via anonymous wallets that protect their identity. Attackers may also threaten to auction an organization’s sensitive data to the highest bidder or release sensitive data publicly to inflict further damage.

There have been other high-profile victims of ransomware attacks in recent months. The Toronto Public Library (TPL) experienced a similar attack in October 2023. As of mid-January 2024, its website, catalog, and other services remain unavailable. Users can access content services provided by external vendors (for further details, see torontopubliclibrary.typepad.com/tpl-updates/library-services-update.html). Baker & Taylor, a major supplier of books and other materials to libraries, experienced a ransomware attack in 2022. The company was able to recover its services in 17 days (see librarytechnology.org/document/ 27787/baker-and-taylor-services-disrupted-by-ransomware-attack).

Recovery Strategies

Cybersecurity experts consistently warn organizations against giving in to their attackers by paying the ransom, even though recovery costs will be even higher. Paying ransomware demands will only encourage future attacks. But real-world decisions are more complex. A recent HigherEd Dive article reported that 56% of 200 educational institutions experiencing a ransomware attack paid their attackers to recover access to their data (highereddive.com/news/higher-education-ransomware-paid-ransom-college/689929). Organizations that pay the ransom expect to receive the digital certificate or key needed to unlock the file systems involved. Most do receive the keys; otherwise, future ransomware threats would be seen as futile. But there are other costs involved in this mode of recovery, including a comprehensive review to ensure that all data and systems are intact and that the security flaws that enabled the intrusion are closed. Backdoors or other malware may have been planted while the intruders had custody of the systems.

The preferred alternative strategy of not paying the ransom unfortunately requires considerable resources and time. Recovering from a ransomware attack can be incredibly complex, calling into play all processes in place for disaster recovery. OSs and software applications will need to be restored anew, and data will need to be reloaded from the latest safe and reliable copy. In some cases, the encryption processes unleashed in an attack can cascade through multiple layers of backup systems, further defying a smooth recovery.

Cybercriminals

Responsibility for the BL attack was claimed by Rhysida, a group of cybercriminals of unknown origin or residence. They use a toolkit of software components and social engineering techniques that are designed to gain access to their victims’ internal systems. Attack vectors include vulnerabilities in infrastructure components or the ability to trick users into clicking on messages or links that contain malware. Intruders may lurk undetected for days or weeks, gaining knowledge of the systems and data structures before unleashing their final attack.

Once an organization has assembled the tools and resources to carry out ransomware attacks, it may extend its criminal reach through providing access to its capabilities to others in exchange for a cut of any proceeds. This kind of syndication—or ransomware-as-a-service—enables other individuals or organizations with less technical capacity the ability to carry out attacks.

Be Prepared

The attacks against the BL and the TPL must be taken as a wake-up call for all libraries to redouble their efforts to protect their technical systems. The specific vulnerabilities exploited in these attacks are not yet known and may never be known. Libraries and their parent institutions must follow the most careful security practices possible to ensure that they are always ahead of potential attackers who are ready to exploit any lapse.

Organizations that serve the public good, such as libraries and educational institutions, cannot expect to be left alone by cybercriminals. Large public institutions may be perceived as able to pay substantial ransom payments. Smaller organizations cannot be complacent, although their lower profile may decrease their chances of being targeted. Large or small, all libraries need to be extraordinarily careful regarding all aspects of their technology systems.

Libraries that directly operate their own systems have a responsibility to maintain strong security practices and to have comprehensive disaster prevention and recovery plans established. Solid security practices help ensure that attacks aren’t successful, although effective disaster recovery procedures must be in place regardless. All OS components and application software should be continually updated. This practice not only ensures that security-related patches are installed, but it also provides library workers and users with the latest features and capabilities.

Libraries often defer installing new releases of software to avoid disruption; however, in most cases, this practice runs counter to improving security. Libraries operating local servers must have dedicated security specialists available and perform regular audits of security and backup practices. Libraries should review their backup and disaster recovery procedures to ensure that backup copies of data are made frequently and are entirely isolated from operational systems. These copies should reside on physically separate servers, with tightly controlled access, well-protected from user and administrative accounts that may be compromised.

In most cases, using systems and services managed and hosted by library vendors can provide better security compared to locally operated systems. Technology companies offering hosted systems to a large customer base will have many dedicated engineers and security specialists in addition to sophisticated network- and application-monitoring components. Even in these cases in which the security and backup procedures are outsourced, libraries should require documentation and demonstration that the best possible practices have been implemented and are rigorously followed.

Beyond the technical processes, procedures, and components implemented to secure an organization’s networks and systems, its personnel can be a weak link. We’ve all experienced the continual deluge of messages tempting us to click on links designed to capture sign-in credentials or to plant malware. These social engineering attempts are increasingly convincing and can fool even the most cautious user. Most institutional email systems scan messages to remove those with malicious or deceptive content, but such protections may not be present on personal email accounts. In addition to email, malicious messages may come through text messages, WhatsApp, or other sources. Library personnel at all levels should be trained to recognize social engineering attacks and to consult with appropriate experts when unsure. Avoiding deceptive messages designed to capture passwords is essential for organizational security, but it is increasingly a skill needed for everyday life.