Cyber_Bytes Issue 66

Welcome to Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.

The CrowdStrike Incident

On 19th July 2024, a faulty software update by cybersecurity firm, CrowdStrike, triggered a global IT outage, affecting a substantial number of Windows devices.  This interrupted services for a number of organisations and caused significant disruption, including in air transport.

This incident, considered one of the most severe cyber events in history, has resulted in economic losses for numerous businesses. Notably, Delta Airlines and various financial institutions were severely affected, prompting threats of legal action against Crowdstrike for compensation.

The insurance implications of this event are still being assessed. Initial suggestions are that businesses may file claims under the ‘system failure’ provisions of their cyber insurance policies, given that the incident was not a result of a malicious attack. The potential volume and scale of these claims could affect the cyber insurance industry materially, including potentially the cost of premiums and the scope of policy wordings.

For more information, a BBC report into the incident is here and an article from Spiceworks which includes reference to the potential litigation and insurance consequences is here.

King's Speech announces new Cyber Resilience Law  

The King's Speech announced plans to introduce a new Cyber Security and Resilience Bill to Parliament in the coming months following an increase in cyber threats to critical organisations.

The Bill aims to update existing UK Regulations including the Network and Information Systems (NIS) Regulations 2018. According to a briefing paper published alongside the King's Speech, the Bill will extend the scope of the existing NIS regime to protect more digital services and supply chains. Additional incident reporting obligations will likely be imposed, including in relation to ransomware attacks to improve national threat understanding. Other measures will be put forward to strengthen regulators’ powers in relation to enforcement, costs recovery and the ability to carry out proactive investigations.

This is a step towards an updated cyber security regime in line with the developments in this field at European level, where the implementation deadline for the EU NIS 2 Directive is 17 October 2024.

Click here to read the full King's Speech and click here to read the accompanying briefing paper from the UK Government. 

ICO reprimands Electoral Commission

The Information Commissioner's Office (ICO) has reprimanded the Electoral Commission over cyber security failings relating to an attack in August 2021.

Hackers entered the Electoral Commission's servers and exploited a known flaw in the software that should have been fixed months before. This resulted in personal data, including names and addresses, of approximately 40 million voters being exposed to hackers for over a year until the problem was found.

The ICO's report said the Electoral Commission did not have appropriate security measures in place to protect the personal information it held and did not keep its servers up to date with the latest security patches issued months before the attack. The ICO also found that the Commission did not have sufficient password policies in place at the time of the attack, with many staff still using default passwords.

Click here to read the full reprimand.

NCSC and partners issue warning over North Korean state-sponsored cyber campaign to steal military and nuclear secrets

The National Cyber Security Centre (NCSC), alongside international partners from the US and South Korea, has issued a new advisory revealing a global cyber espionage campaign linked to the Democratic People’s Republic of Korea (DPRK). The group, identified as Andariel and associated with DPRK's Reconnaissance General Bureau (RGB), has targeted critical sectors including defence, aerospace, nuclear, and engineering, with a lesser focus on medical and energy entities. The attackers aim to steal sensitive technical information such as contract specification design and project details.

Andariel's activities have expanded to include ransomware attacks, notably against US healthcare organisations, to extort payments and fund further espionage. The advisory provides technical insights and mitigation strategies to defend against these threats. It highlights the group's tactics of exploiting known vulnerabilities, maintaining persistence, and evading detection. The NCSC and partners warn that Andariel has evolved from destructive attacks to sophisticated espionage and ransomware operations, sometimes combining both tactics against the same target.

Click here to read the full joint advisory. 

ICO takes action against two organisations for "risking public trust" by failing to respond to public requests for information

The ICO has issued enforcement notices to Devon and Cornwall Police and Barking, Havering and Redbridge Hospitals NHS Trust for failing to meet requirements under the Freedom of Information (FOI) Act 2000.

Investigations revealed both organisations had significant delays in responding to FOI requests and have been issued with enforcement notices for their ongoing FOI failings.

Devon and Cornwall Police responded to only 39-65% of requests within the required 20 working days' timeframe between 2022 and 2024, with a backlog increasing from 77 to 251 requests between December 2023 and June 2024. The Police have 30 days to publish an action plan and clear the backlog within 6 months. 

Barking, Havering and Redbridge Hospitals NHS Trust was found to respond to only 29% of requests within the required timeframe, with only 2.5% of requests made in January 2024 responded to in a timely manner. The Trust's backlog increased from 589 to 785 requests between April and June 2024. The Trust has been given 35 days to publish an action plan to clear the backlog by the end of the year.

Failure to comply with the enforcement notices may lead to Court proceedings.

Click here to read Devon and Cornwall Police's enforcement notice and click here to read Barking, Havering and Redbridge University Hospitals NHS Trust's enforcement notice.

NCSC and partners issue warning about evolving techniques used by China state-sponsored cyber attackers

The National Cyber Security Centre (NCSC), in collaboration with international partners from Australia, the US, Canada, New Zealand, Germany, the Republic of Korea, and Japan, has released an advisory highlighting the evolving tactics of China state-sponsored cyber actors. The focus is on APT40, a group linked to the Chinese Ministry of State Security, which has targeted Australian networks by exploiting vulnerable small-office and home-office devices.

These devices, often not running the latest software or lacking security updates, provide a weak point that attackers exploit to launch attacks and hide malicious traffic. The advisory includes two technical case studies demonstrating these attack methods, which are also used by other Chinese state-sponsored groups globally.

The UK has previously attributed APT40 as being part of the Chinese Ministry of State Security. Defenders are encouraged to follow the latest advice to help detect and mitigate the malicious activity.

Click here to read the full advisory.