Scotland’s environmental watchdog is emerging into the light after cyber criminals came calling

Caught in the dark web


The first sign of the unfolding nightmare came by way of a text to his mobile phone. “I can’t get into the system,” the colleague’s message read. “Seems a bit strange”. It was Christmas Eve and Terry A’Hearn was, like most people, preparing to wind down for the holiday period. He replied that he would chat to someone and carried on with his breakfast, as he normally would, before the fateful call came at around 10am. “It was our head of governance who said ‘it looks like we’ve had a cyber-attack’,” recalls A’Hearn, chief executive of the Scottish Environment Protection Agency (Sepa). “We had a quick chat about what that means, and what do we do next.” He added: “But we pretty quickly got a handle that it was big. We’d been locked out.”

Sepa had been hit by a devastating ransomware attack that meant its 1,200 staff could no longer gain access to their corporate network. That meant no emails, no access to files, and a curtailed ability to go about the agency’s core purpose: to protect the environment. When most people up and down the country were putting the final touches to a scaled-down Christmas, a tumultuous year for Sepa and its staff was about to get even worse. Fortunately, to some extent at least, the agency – which responds to emergency environmental events – had a built-in crisis mode.

A’Hearn, who has run environmental protection agencies in the UK and his native Australia, immediately convened an emergency management team meeting to work out what to do next. He and his colleagues held three meetings that day, and on Christmas Day an incident manager and the IT team worked flat out to see what, if anything, could be done to salvage the network. Then, on Boxing Day, another emergency meeting was held as A’Hearn and his colleagues got into what would become a regular working pattern over the next couple of months.

I speak to A’Hearn two months after the cyber-attack and following his first somewhat cathartic experience of reflecting on the lessons learned at FutureScot’s Public Sector Cyber Resilience virtual conference. There are a lot of things he cannot say, understandably, as the ransomware attack is still under investigation by Police Scotland and the National Cyber Security Centre (NCSC), who became involved on the first day of the attack.

But through our own inquiries – via global darknet threat intelligence analyst Kela, based in Israel – we established that the attack was carried out by a ransomware group calling itself Conti. That investigation, in turn, raised further questions – substantiated by the New York cyber firm Crowdstrike – that the ransomware “variant” may ultimately be controlled by a co-ordinated hacking entity called Wizard Spider, which has alleged links to Russian organised crime.

Understandably, A’Hearn is unable to corroborate any of that information, but falling victim to a global rise in such “big game hunting” cyber-attacks inevitably has had major repercussions for Scotland’s cyber defences as a whole.

A’Hearn was complimented at the FutureScot conference for his “moral courage” in facing down the hackers, who not only downed the network but stole valuable data. Sepa chose not to pay the ransom – demanded in bitcoin – but was further punished for doing so. The agency was threatened with having its data published on the dark web, in a method known in hacking forums as the “double extort”.

But A’Hearn, informed by Police Scotland, NCSC and the Scottish Business Resilience Centre (SBRC) – whom he credits for their expertise and support throughout – took a stance. “I think it was clear once we worked with other partners that the right thing to do was not to pay the ransom. That had some implications, but I just think the idea of using public money to pay the criminals a ransom is just not an easy thing to do,” he says.

On 13 January, the hackers started to release Sepa data in stages, and across seven days of activity a 1.2 gigabyte cache of more than 4,000 files was published. Throughout the gut-wrenching process, A’Hearn and the agency have been open and transparent at every step, publicly revealing that it had been a victim, when many might want to deal with their anguish in private.

A’Hearn’s main concern has been for his staff, who were already struggling with the exigencies of home working and, in some cases, isolation. To help, he instituted weekly videoconferencing drop-in chats on an internal platform that still worked and set up a messaging service, both of which were welcomed. He also extended identity fraud protection to ex-staff, as well as offering antivirus software for any who needed it on their laptops. The workforce
