em360tech image

Update on 13 January: It is now known that the disruption was the result of a Lockbit 3.0 ransomware attack launched by a Russia-linked hacktivist group. On Tuesday, printers at a Northern Irish Royal Mail distribution centre reportedly began "spurting out" copies of the ransom note – a signature tactic used by the Russian gang.

The Uk’s postal service Royal Mail has said it is facing severe disruption after a Russia-linked Lockbit 3.0 ransomware attack crippled its international export services.

The attack struck on Tuesday morning, affecting six sites across the country – one of which was a huge sorting facility near Heathrow Airport where most of the outgoing mail is sorted before leaving the UK. 

The severity of the incident is not yet known, but cybersecurity experts warn it could take weeks to restore Royal Mail’s systems as it remains vulnerable to further breaches in its current state. 

In a statement, Royal Mail urged customers to not attempt to send mail internationally while the problems continued, warning that the attack had caused severe delays and disruptions to packages already in transit. 

“The cyber incident has impacted our international dispatch documentation system, Royal Mail explained. This produces dispatch notes for outgoing, and export mail for transport and for foreign posts so that they can receive our traffic.”

It also added that it had launched an investigation into the incident, and was “working with external experts” to attempt to resolve the problem and identify if the incident was the result of cybercriminal activity. 

It arrives at a time of great turmoil for the postal service, which has been locked in a bitter legal battle with its staff over pay and plans to automate its service to compete with rivals. 

Hours before the cyber incident was announced, a union representing just over 115,000 postal workers confirmed plans for further strike action to be in February. 

“We have to acknowledge that such attacks have a considerable impact on business, at a time when the Royal Mail is already facing significant disruption,” Raj Samani, SVP Chief Scientist at Rapid7 explained. 

“It is premature to speculate as to the true nature of the incident but targeting the availability of systems is a tactic that has long been the MO of many criminal groups”

An attack on UK Infrastructure 

Royal Mail, which is largely regarded as a critical part of the UK’s infrastructure, joins multiple other public services to fall victim to cybercriminal activity across the country.  

Last Summer, the UK’s National Health Service (NHS) was hit by a large-scale ransomware attack that destroyed key medical systems and forced doctors to keep patient records on pieces of scrap paper. 

“Robust cyber-defence is critical to any key national industry, but as we have seen in the UK over the past few years, critical industries seem to be constantly attacked and damaged, suggesting that the UK government is not taking cybersecurity seriously enough,” Ricard Staynings, Chief Security Strategist at Cylera, explained. 

“When a critical infrastructure industry is disrupted or attacked, its impact travels far, affecting many other businesses and individuals. For this reason, these industries are supposed to be afforded extra levels of protection by the government,” he added.

To read more about cyber attacks, visit our dedicated Business Continuity Page. 

The National Cyber Security Centre and National Crime Agency have already confirmed they are assisting Royal Mail in responding to the cyber incident, suggesting that a large hacking group or nation-state may be behind the disruption.

“If an attack is deemed to have been launched by a foreign nation-state, then the repercussions for that state could be very severe. In essence, a particularly heinous attack against critical national infrastructure could be seen as the equivalent of a military attack against the UK,” Staynings explained. 

A warning sign for the supply chain

As more details emerge about the cyber incident, it is becoming increasingly likely that it may have been the result of a third-party or specific system vulnerability in the supply chain.  

If this indeed is the case, it confirms the cyber security industry’s long-standing concern around large organisations granting access to third parties with cyber security vulnerabilities. 

Over the past few years, many large UK corporations have faced cyber assaults on their supply chain, leading the UK’s National Cyber Security Centre to publish new guidance on how to defend supply chain operations last October. 

The number of documented supply chain attacks increased by 633%  in 2022, with over 88,000 known instances according to a report by Sonatype. 

“The networked nature of dependencies highlights the importance of having visibility and awareness about these complex supply chains,” Sonatype explained in the report. 

“These dependencies impact our software so having an understanding of their origins is critical to vulnerability response. Many organisations did not have the needed visibility and continued their incident response procedures for Log4Shell well beyond the summer of 2022 as a result” the report concluded.