The first sign of the unfolding nightmare came by way of a text to his mobile phone. “I can’t get into the system,” the colleague’s message read. “Seems a bit strange”.
It was Christmas Eve and Terry A’Hearn was, like most people, preparing to wind down for the holiday period. He replied that he would chat to someone and carried on with his breakfast, as he normally would, before the fateful call came at around 10am. “It was our head of governance who said ‘it looks like we’ve had a cyber-attack’,” recalls A’Hearn, chief executive of the Scottish Environment Protection Agency (Sepa). “We had a quick chat about what that means, and what do we do next.”
He added: “But we pretty quickly got a handle that it was big. We’d been locked out.”
Sepa had been hit by a devastatng ransomware attack that meant its 1,200 staff could no longer gain access to their corporate network. That meant no emails, no access to files, and a curtailed ability to go about the agency’s core purpose: to protect the environment. When most people up and down the country were putting the final touches to a scaled-down Christmas, a tumultuous year for Sepa and its staff was about to get even worse. Fortunately, to some extent at least, the agency – which responds to emergency environmental events – had a built-in crisis mode.
A’Hearn, who has run environmental protection agencies in the UK and his native Australia, immediately convened an emergency management team meeting, to work out what to do next. He and his colleagues held three meetings that day, and on Christmas Day an incident manager and the IT team worked flat out to see what, if anything, could be done to salvage the network. Then, on Boxing Day, another emergency meeting was held as A’Hearn and his colleagues got into what would become a regular working pattern over the next couple of months.
I speak to A’Hearn two months after the cyber-attack and following his first somewhat cathartic experience of reflecting on the lessons learned at FutureScot’s Public Sector Cyber Resilience virtual conference. There are a lot of things he cannot say, understandably, as the ransomware attack is still under investigation by Police Scotland and the National Cyber Security Centre (NCSC), who became involved on the first day of the attack. But through our own inquiries – via global darknet threat intelligence analyst Kela, based in Israel – we established that the attack was carried out by a ransomware group calling itself Conti. That investigation, in turn, raised further questions – substantiated by the New York cyber firm Crowdstrike – that the ransomware “variant” may ultimately be controlled by a co-ordinated hacking entity called Wizard Spider, which has alleged links to Russian organised crime.
Understandably, A’Hearn is unable to corroborate any of that information, but falling victim to a global rise in such “big game hunting” cyber-attacks inevitably has had major repercussions for Scotland’s cyber defences as a whole. A’Hearn was complimented at the FutureScot conference for his “moral courage” in facing down the hackers, who not only downed the network but stole valuable data. Sepa chose not to pay the ransom – demanded in bitcoin – but was further punished for doing so. The agency was threatened with having its data published on the dark web, in a method known in hacking forums as the “double extort”.
But A’Hearn, informed by Police Scotland, NCSC and the Scottish Business Resilience Centre (SBRC) – who he credits for their expertise and support throughout – took a stance. “I think it was clear once we worked with other partners that the right thing to do was not to pay the ransom. That had some implications, but I just think the idea of using public money to pay the criminals a ransom is just not an easy thing to do,” he says. On 13 January, the hackers started to release Sepa data in stages and across seven days of activity a 1.2 gigabyte cache of more than 4,000 files was published. Throughout the gut-wrenching process, A’Hearn and the agency has been open and transparent at every step, publicly revealing that it had been a victim, when many might have wanted to deal with their anguish in private.
A’Hearn’s main concern has been for his staff, who were already struggling with the exigencies of home working and, in some cases, isolation. To help, he instituted weekly videoconferencing drop-in chats on an internal platform that still worked and set up a messaging service, both of which were welcomed. He also extended identity fraud protection to ex-staff, as well as offering antivirus software for any who needed it on their laptops. The workforce “really pulled together”, A’Hearn added, and he speaks in glowing terms for the professionalism of teams who figured out how to carry on vital work like flood monitoring.
“We’re pretty practised at saying, ‘Right what’s going on? What do we need to do?’ Getting our flood alerts and warnings is the most critical and immediate thing we do, as in the worst-case scenario that is life and death. We were able to do that in the first couple of days and it was great. The flooding guys said the weather forecasts are that it’s going to be dry for the next week; that gave us the week to prioritise underpinning the system, we were able to do the same thing in a week’s time.”
In successive days, the agency worked on recovering core services which range from issuing licences for septic tanks, to dealing with hazardous waste. Sepa has literally thousands of customers on its database, spanning 34 sectors of the economy. Much of the work has been done via third parties, such as industry trade associations, which have helped Sepa issue information to stakeholders. Whilst the situation is recoverable in those instances, there is a lot of data Sepa is resigned to losing. But A’Hearn is sanguine.
“We may have lost a lot of water quality monitoring data, but when we rock up to a river or a loch – when we get back out in the field – will the river or the loch notice that we don’t have its historical data?,” he says. “To do what we need to do next, how much do we need that historical data? In some cases it will be absolutely fundamental but in some cases won’t matter as much.”
Sepa has started to rebuild functionality, too, with Scottish Government laptops and temporary email addresses due to move back within Sepa’s own architecture – under a new Microsoft licence – soon. But the road is long, and “building back better” is going to take time, and a new security approach. On that front, Police Scotland has told Sepa that it was actually “well protected”, according to A’Hearn, which is perhaps a salutary warning to other organisations who will be feeling the need to increase their own vigilance in the wake of Sepa’s experience.
For A’Hearn, he is clear that he wants a leaner, more cohesive approach to IT. For an organisation such as Sepa, which is 25 years old in April, it has inevitably been built on a patchwork of systems developed sometimes incongruously over the years. “What I want as we redevelop our systems is that we have this overwhelming, powerful focus on what is the business need we’re trying to address. And then we build the simplest and smallest number of IT systems to support our business needs,” says A’Hearn.
He adds: “What we have done in the first two months has been essential, although we’ve only done a small proportion of what we need to do to recover. But I think we’ve done well enough, with lots of support from others, to put us in a position where it’s in our own hands now. We’ve got a very long road ahead of us, but I think we’re in a position where we can make a success of it.”