A ransomware and data theft cyberattack on Scotland’s environmental agency is continuing to blight operations almost a month since it was targeted by online criminals.

The Scottish Environment Protection Agency (SEPA) has confirmed it is still working to resolve a significant cyberattack which brought its systems down on Christmas Eve.

The agency – which is responding to ‘complex and sophisticated criminality’ with support from the National Cyber Security Centre (NCSC), Police Scotland and Scottish Government – has revealed that the source of the attack is likely to be ‘by international serious and organised cyber-crime groups’.

The amount demanded by the ransomware element of the attack has not been revealed, but the agency has confirmed that 1.2 gigabytes of data was stolen from its systems. Whilst, by comparison, this is equivalent to a small fraction of the contents of an average laptop hard drive, at least four thousand files may have been accessed and stolen by criminals.

Although the agency does not know – and may never know – the full detail of the information stolen, early indications suggest that the theft related to the following business areas:

  • Business information, such as publicly available regulated site permits, authorisations and enforcement notices. Some information related to SEPA corporate plans, priorities and change programmes.
  • Procurement information, such as publicly available procurement awards.
  • Project information related to our commercial work with international partners.
  • Staff information, including personal information, with limited sensitive data having been accessed.

The agency has also confirmed that with infected systems isolated, recovery may take a “significant period”. A number of SEPA systems will remain badly affected for some time, with new systems required, it said in a statement.

Email systems remain impacted and offline, and information submitted to SEPA by email since Christmas Eve is not currently accessible. Whilst online pollution and enquiry reporting has now been restored, information submitted in the early stages of the attack is currently not accessible.

Support has been made available to staff and affected partners, and the agency is reassuring the public that priority regulatory, monitoring, flood forecasting and warning services are adapting and continuing to operate.

The matter is subject to a live criminal investigation and the duty of confidence is embedded in law. The agency confirmed last week that following the attack at 00:01 Hrs on Christmas Eve, business continuity arrangements were immediately enacted, and the agency’s Emergency Management Team was working with Scottish Government, Police Scotland and the National Cyber Security Centre to respond to what is complex and sophisticated criminality.

SEPA said its approach continues to be to take the ‘best professional advice from the multi-agency partners’, including Police Scotland and cyber security experts, to support its response. The agency advised that, for the time being, it needed to protect the criminal investigation and its systems. Consequently, some internal systems and external data products will remain offline in the short term.

Terry A’Hearn, Chief Executive of the Scottish Environment Protection Agency, said: “Whilst having moved quickly to isolate our systems, cyber security specialists, working with SEPA, Scottish Government, Police Scotland and the National Cyber Security Centre have now confirmed the significance of the ongoing incident. Partners have confirmed that SEPA remains subject to an ongoing ransomware attack likely to be by international serious and organised cyber-crime groups intent on disrupting public services and extorting public funds.”

“We have prioritised our legal obligations and duty of care on the sensitive handling of data very seriously,” said A’Hearn, adding, “which is why we have worked closely with Police Scotland, Scottish Government, the National Cyber Security Centre and specialist cyber security professionals day and night since Christmas Eve.”

He added: “Staff members affected to date have been notified, are being supported and are being given access to specialist advice and services. Support, including specialist advice from Police Scotland and mitigation services, is also being offered to staff across the organisation.”

He said: “Whilst the actions of serious and organised criminals mean that, for the moment, we’ve lost access to our systems and had information stolen, what we’ve not lost is the expertise of over 1,200 staff who day in, day out work tirelessly to protect Scotland’s environment.

“Sadly, we’re not the first and won’t be the last national organisation targeted by likely international criminals. Cyber-crime is a growing trend. Our focus is on supporting our people, our partners, protecting Scotland’s environment and, in time, following a review, sharing any learnings with wider public, private and voluntary sector partners.”

Detective Inspector Michael McCullagh of Police Scotland’s Cybercrime Investigations Unit said: “This remains an ongoing investigation. Police Scotland are working closely with SEPA and our partners at Scottish Government and the wider UK law enforcement community to investigate and provide support in response to this incident. Enquiries remain at an early stage and continue to progress including deployment of specialist cybercrime resources to support this response. It would be inappropriate to provide more specific detail of investigations at this time.”

In a recent interview with FutureScot, Ciaran Martin, who stepped down last year as the Chief Executive of the National Cyber Security Centre (NCSC), said that ransomware attacks such as this were his biggest cyber fear. When asked where the gaps in cyber security defences are, he said: “I never lost any sleep over the big nation state attacks because you have to accept that there are going to be attacks and our job is to repel them as best as we can. The thing I always worried most about was ransomware in small but important organisations, such as health boards or local authorities. There are too many organisations that do important things like provide vital public services that are too susceptible to being extorted by criminal gangs. If they lose access to their networks, then there’s big trouble.”