The ransomware attack on Seattle Public Library this past weekend isn’t the first to target public library systems.
Libraries in Toronto and London also recently suffered major cybersecurity breaches, knocking out technical infrastructure and causing serious disruption to services that lasted several months.
Ransomware attacks rose significantly last year. They typically involve hackers who use compromised credentials or exploit software vulnerabilities to get in, make data inaccessible or threaten to leak it, and then demand exorbitant payments from victims. Recent high-profile attacks have hit auction house Christie’s; healthcare systems including Ascension and Change Healthcare; and Seattle’s Fred Hutchinson Cancer Center.
Public libraries are a “curious” target given that they are unlikely to have significant resources to pay requested ransoms, said Joshua Steinman, CEO of Seattle cybersecurity startup Galvanick and a former White House cyber policy leader.
But government-related entities are appealing to ransomware attackers because they provide important public services and losing time makes a vital difference, said Corey Nachreiner, chief security officer at Seattle-based WatchGuard Technologies.
“If anything, I would presume the ransomware threat actors just thought this target would have a decent likelihood of paying a ransom, like other government-related organizations,” Nachreiner said. “However, threat actors sometimes just target an organization that they can successfully breach.”
Libraries and school districts also typically don’t have well-funded cybersecurity teams and can’t effectively defend themselves against individual threats, said Sunil Gottumukkala, CEO of Seattle-based cybersecurity startup Averlon.
Ransomware is one of the most common and consequential cyber threats affecting states and localities, according to a report published last year by the nonprofit Center for Internet Security.
In a post on its Shelf Talk Blog, the Seattle Public Library detailed the cybersecurity attack, which started in the early morning hours Saturday as the organization was preparing to take its systems offline for planned maintenance during the holiday weekend.
The attack affected access to staff and public computers, online catalog and loaning systems, e-books and e-audiobooks, in-building Wi-Fi, and the Library website, which was restored Wednesday morning.
“The Library quickly engaged third-party forensic specialists, contacted law enforcement, and took our systems fully offline to interrupt and better assess the nature and impacts of the event,” the Library said in its blog post.
Buildings remain open at the Library’s 27 locations across Seattle, with print books and other physical materials still available for checkout via paper forms.
We’ve reached out to the Library to get the latest on restoring services. Update: Laura Gentry, head of communications for Seattle Public Library, said that due to the nature of the ongoing investigation into the attack, the Library was limited in what could be shared beyond operational updates being posted on the Shelf Talk blog.
“The Seattle Public Library team is doing a great job, enabling the public to continue using the library — checking out books using pen and paper — while communicating openly to the public about what services are working,” Steinman said.
Ana-Maria Critchley, senior manager of communications and stakeholder relations for Toronto Public Library, told GeekWire that her organization has been in touch with Seattle Public Library to convey its support.
“While every cyberattack is different and requires a tailored response, it’s clear that public sector organizations are increasingly being targeted,” Critchley said. “For public libraries, dedicated to equity, access to information and openness for all, this represents an attack on the very essence of civil society.”
The recent attacks may be a sign to other library systems to shore up their security defenses.
Nachreiner said ransomware threat actors commonly use classic phishing emails to try to trick end users into unwittingly handing over a username and login credential. They can also find an unpatched network service that is exposed online and exploit it to gain access, or find vulnerabilities in remote access software.
“Once a hacker is inside your network and past most defenses, it’s generally not hard for them to access the rest of your computers,” Nachreiner said. “Sometimes they can obtain credentials over your internal network and use those credentials to log into other systems. They can sometimes use your own legitimate software deployment tools to install ransomware on all devices.”
The British Library published details of how it was attacked, tracing the likely initial point of intrusion to a third-party access system that was reached with compromised account credentials.
“The threat of aggressive and disruptive cyber-attacks is higher than it has ever been, and the organisations behind these attacks are increasingly advanced in their techniques and ruthless in their willingness to destroy whole technical systems,” Roly Keating, CEO of the British Library, wrote in a blog post in March.
“This is of especial importance for libraries and all those institutions who share our mission to collect and make accessible knowledge and culture in digital form, and preserve it for posterity. Though the motive of the attack on the British Library appears to have been purely monetary, it functioned as, effectively, an attack on access to knowledge.”
Gottumukkala advised organizations to ensure that there is a recovery and rebuild plan in place that is tested periodically; to enable two-factor authentication; and to keep critical systems fully patched.
Jim Alkove, CEO of Seattle-based cybersecurity startup Oleria, said organizations should ensure their users only have access and permissions for their job requirements — and nothing more.
“Due to legacy identity and access management systems, combined with relatively static and manually intensive workflows, most organizations grapple with significant over-provisioned user access,” he said. “While that over-provisioned access provides no real value to the organization or the user, it provides an unnecessarily large attack surface for a bad actor that accesses any such account.”
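As an added illustration of the over-provisioned access Alkove describes and the two-factor advice above (example code written for this article, not from any of the organizations quoted; the roles, entitlement names and accounts are constructed), this small audit compares each account's entitlements against its role's baseline and flags access capable of lateral movement or fleet-wide deployment that lacks MFA.

```python
from dataclasses import dataclass

# Constructed role baselines: the entitlements each job role actually needs.
ROLE_BASELINES = {
    "circulation": {"catalog_read", "patron_records_rw"},
    "reference": {"catalog_read", "ebook_platform_read"},
    "it_admin": {"catalog_read", "server_admin", "deploy_tool", "vpn"},
}

# Entitlements that let an intruder move laterally or push software to every
# device (the pattern Nachreiner describes), so they must be paired with MFA.
HIGH_RISK = {"server_admin", "deploy_tool", "vpn", "domain_admin"}

@dataclass
class Account:
    user: str
    role: str
    entitlements: set
    mfa: bool

@dataclass
class Finding:
    user: str
    excess: set                 # access beyond what the role requires
    high_risk_without_mfa: set  # lateral-movement-capable access, no MFA

def audit(accounts, baselines=ROLE_BASELINES, high_risk=HIGH_RISK):
    """Return one Finding per account that is over-provisioned relative to
    its role baseline or holds high-risk access without MFA."""
    findings = []
    for a in accounts:
        excess = a.entitlements - baselines.get(a.role, set())
        risky_no_mfa = set() if a.mfa else a.entitlements & high_risk
        if excess or risky_no_mfa:
            findings.append(Finding(a.user, excess, risky_no_mfa))
    return findings

def findings_by_user(accounts):
    return {f.user: f for f in audit(accounts)}

SAMPLE = [  # constructed accounts for a library-style organization
    Account("jdoe", "circulation", {"catalog_read", "patron_records_rw"}, True),
    Account("asmith", "circulation", {"catalog_read", "patron_records_rw", "deploy_tool"}, False),
    Account("itadm", "it_admin", {"catalog_read", "server_admin", "deploy_tool", "vpn", "domain_admin"}, True),
    Account("vendor1", "reference", {"catalog_read", "vpn"}, False),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against a real export of accounts and entitlements, the same comparison gives the size of the excess attack surface per account, which is what a periodic least-privilege review should be trimming.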