Scotland's EPA is a Mess After Ransomware Attack
Table of Contents
- By Dawna M. Roberts
- Published: Jan 20, 2021
- Last Updated: Mar 18, 2022
The Scottish Environmental Protection Agency (SEPA) was attacked in December by the cyber gang known as Conti. Along with a ransom demand, the cybercriminals also exfiltrated and leaked data on the dark web.
What Happened to Scotland’s EPA?
SEPA is Scotland’s primary environmental protection agency, and it acts pretty independently of other government agencies. SEPA has a staff of about 1,200 employees, and the agency is still reeling after a ransomware attack that crippled its files and systems for the past month.
Struggling to pick up the pieces, SEPA claims that many of its systems are still impacted and services offline. Additionally, the Conti gang has taken responsibility for the attack and posted some of the leaked data on their ransomware website.
Despite the fact that many of their systems are still down (including email), SEPA said that "priority regulatory, monitoring, flood forecasting, and warning services are adapting and continuing to operate."
To keep the public informed, they have created a dedicated web page upon which they post regular updates. In their announcement, they described the incident as "On Christmas Eve, the Scottish Environment Protection Agency confirmed that it was responding to a significant cyber-attack affecting its contact centre, internal systems, processes, and internal communications. We are continuing to respond to the ongoing ransomware attack likely to be by international serious and organised cyber-crime groups. The matter is subject to a live criminal investigation, and the duty of confidence is embedded in law."
How SEPA Responded to The Ransomware Attack
The agency is currently working with the Scottish Government, Police Scotland, and the National Cyber Security Centre to resolve the issue and locate those involved.
Although only about 1.2GB of data was stolen, authorities have yet to identify what was contained in those files and how damaging the contents may be. A partial assessment has identified the following details were included:
-
"Business information, such as publicly available regulated site permits, authorisations, and enforcement notices. Some information related to SEPA corporate plans, priorities, and change programmes.
-
Procurement information, such as publicly available procurement awards.
-
Project information related to our commercial work with international partners.
-
Staff information, including personal information, with limited sensitive data having been accessed."
SEPA commented on the 1.2GB as "Whilst … this is the equivalent to a small fraction of the contents of an average laptop hard drive, indications suggest that at least 4,000 files may have been accessed and stolen by criminals."
Any staffs’ personal information stolen could eventually lead to identity theft or further fraud for employees personally.
Senior executives have stated that the damage done was so severe that full recovery will take quite a bit of time. They also stress the need to remain consistent and urge the public to continue reporting environmental/pollution issues and concerns online or in person.
Who is Conti? The Masterminds Behind The Ransomware Attack
Conti is the cybercriminal group that perpetrated the attack on SEPA and boldly took responsibility while also posting a sample of the stolen data on their ransomware website. On their dark web posting, they claim the leaked data is only about 7% of the total of what they pilfered.
The group used the Conti ransomware-as-a-service model for this attack and posted the data to urge the agency to negotiate and pay up.
Conti showed up around May 2020 and has since logged about 150 attacks. Last month big-name IoT vendor Advantech was listed as a victim.
Conti is quickly moving up the ranks as one of the most prolific hacker groups in operation right now. Experts speculate they have amassed millions without even having breached a full year of work.