The British Library has confirmed that an IT outage that began at the end of October was indeed the result of a ransomware attack on its systems, from which it is yet to recover.
The organisation’s systems were brought down on Sunday 29 October, although it took a further two days for its IT and security teams to establish that this was the result of a cyber attack.
Two weeks on, the British Library said the outage was still ongoing and was affecting its website, online systems and services, and some on-site services including its public-facing Wi-Fi networks.
“We anticipate restoring many services in the next few weeks, but some disruption may persist for longer,” said a spokesperson. “We have now confirmed that this was a ransomware attack, by a group known for such criminal activity.
“We’ve taken targeted protective measures in response to the attack to ensure the integrity of our systems. We’re also undertaking a forensic investigation with the support of the National Cyber Security Centre, the Metropolitan Police and cyber security specialists.”
The British Library has given no indication that it has entered into any negotiation with its attacker, the identity of which remains undisclosed for now.
Currently, the British Library’s physical sites in London and Yorkshire are fully open, as are reading rooms and the items held within them, along with access to collection items that had been delivered to reading rooms on or prior to 28 October. It is operating a limited manual collection item ordering service at its main St Pancras site via printed catalogues for on-site material, although this is now a paper-based service.
It is also able to register new readers, although currently only on a temporary basis, and pre-bought tickets to its ongoing exhibition can still be used and new ones bought online. Other public events are going ahead as planned, and its café, restaurant and shop are all operating normally.
Technical details unknown
Earlier reporting had linked the British Library’s misfortune to a vulnerable VMware ESXi virtual machine (VM), which is widely targeted by cyber criminals due to the ESXi family’s popularity within enterprise cloud environments.
Whether or not this is the case remains unconfirmed, but a number of ransomware gangs are known to have started targeting servers running ESXi bare-metal hypervisors this year, with a further issue being a lack of support for third-party security products, according to CrowdStrike.
“More and more threat actors are recognising that the lack of security tools, lack of adequate network segmentation of ESXi interfaces and ITW [in the wild] vulnerabilities for ESXi creates a target rich environment,” CrowdStrike’s research team wrote in a whitepaper published in May 2023.