SEPA continuing to respond to ‘ongoing’ ransomware attack
The Scottish Environment Protection Agency (SEPA) is continuing to respond to an ongoing ransomware attack thought to be caused by international serious and organised cyber crime groups.
The agency has confirmed the theft of 1.2 GB of data following the “significant cyber attack”, which began on Christmas Eve and affects its contact centre, internal systems and internal communications.
Early indications suggest that at least four thousand files may have been accessed and stolen by criminals, it said.
SEPA said it “may never know” the full detail of the 1.2 GB of information stolen, but it believes the theft covers a number of business areas including business data such as site permits, authorisations, enforcement notices and corporate plans; procurement information; project information related to its commercial work with international partners; and staff information.
SEPA chief executive Terry A’Hearn said some of the information would have been publicly available, while some would not have been.
SEPA’s emergency management team is working with the Scottish Government, Police Scotland and the National Cyber Security Centre to respond to what it describes as “complex and sophisticated criminality”, with the matter currently a live criminal investigation.
A’Hearn said: “Partners have confirmed that SEPA remains subject to an ongoing ransomware attack likely to be by international serious and organised cyber crime groups intent on disrupting public services and extorting public funds.”
He added: “We have prioritised our legal obligations and duty of care on the sensitive handling of data very seriously, which is why we have worked closely with Police Scotland, Scottish Government, the National Cyber Security Centre and specialist cyber security professionals day and night since Christmas Eve.”
The environment agency is prioritising the continued delivery of flood forecasting and warning services, along with work to help businesses meet their environmental obligations and support economic recovery as well as dealing with environmental events, high hazard sites and sites of community concern.
It said it will continue its risk-based approach to regulation, focusing the most effort on sites or sectors that require oversight or where there is a risk of criminality or organisations seeking to take advantage of the ongoing cyber attack.
The agency’s email continues to be offline, but online pollution and enquiry reporting has been restored and flood forecasting and warning services have been adapted and continue to operate.
SEPA has warned that it may take some time to restore all systems, saying: “It is now clear is that with infected systems isolated, recovery may take a significant period.
“A number of SEPA systems will remain badly affected for some time, with new systems required.”
A’Hearn said: “Sadly we’re not the first and won’t be the last national organisation targeted by likely international criminals. Cyber crime is a growing trend.
“Our focus is on supporting our people, our partners, protecting Scotland’s environment and, in time, following a review, sharing any learnings with wider public, private and voluntary sector partners.”
Environment secretary Roseanna Cunningham said: “We strongly condemn this criminal attack on SEPA and the important work they do to protect and enhance Scotland’s environment.
“SEPA has acted quickly to enact its business continuity arrangements, ensuring its environmental incident response, and flood forecasting and warning services, are operational, and the Scottish Government, Police Scotland and the National Cyber Security Centre continue to provide support as part of a multi-agency response.
“While a great deal of work is going on to support recovery of other services that SEPA staff and the public rely on, I want to stress that arrangements are in place to allow the public to continue to report pollution incidents online or via the dedicated pollution hotline.
“I would urge them to do so in the interests of continuing to safeguard our environment.”
Detective Inspector Michael McCullagh of Police Scotland’s Cybercrime Investigations Unit added: “This remains an ongoing investigation.
“Police Scotland are working closely with SEPA and our partners at Scottish Government and the wider UK law enforcement community to investigate and provide support in response to this incident.
“Enquiries remain at an early stage and continue to progress including deployment of specialist cybercrime resources to support this response.
“It would be inappropriate to provide more specific detail of investigations at this time.”