Royal Mail cyber incident sees international shipments crippled

National Crime Agency investigating as well as NCSC

A cybersecurity incident at the Royal Mail has forced it to stop sending letters and parcels overseas.

The National Cyber Security Centre (NCSC) and National Crime Agency (NCA) are both investigating, a fact that, alongside the operational impact, suggests a likely ransomware attack on the postal service provider.

Computerised systems for sending letters and parcels abroad have been "severely disrupted", Royal Mail said. The company delivers some 13 billion letters and 1.3 billion parcels to 31 million UK addresses every year.

Royal Mail said it is "temporarily unable to despatch items to overseas destinations."

It operates internationally as General Logistics Systems (GLS): “One of the largest ground-based providers of deferred parcel delivery services in Europe with a growing presence in North America”.

GLS operations are unaffected, Royal Mail told The Stack.

Anthony Davis, former Head of Information Security at Royal Mail until 2009, said: “I have a good idea which systems at Royal Mail could be affected. But it’s early days so far, and the incident response will likely take some time" -- a comment that, given his tenure ended 14 years ago, suggests legacy systems are involved.

https://twitter.com/RoyalMail/status/1613208820456558600

Royal Mail hacked: NCSC says working to “understand the impact”

The NCSC said tersely in a Tweet on January 11: “We are aware of an incident affecting Royal Mail Group Ltd and are working with the company, alongside the National Crime Agency, to fully understand the impact.”

“We immediately launched an investigation into the [cyber] incident and we are working with external experts," Royal Mail said. The BBC’s Joe Tidy wrote that “the back office system that has been affected is used by Royal Mail to prepare mail for despatch abroad, and to track and trace overseas items. It is in use at six sites, including Royal Mail's huge Heathrow distribution centre in Slough, which has been affected by the incident.”

Royal Mail’s trading name is International Distributions Services Plc., which in its last half-year report did not mention cybersecurity once during a presentation but did emphasise that it is “targeting our investments to accelerate the automation of processes and the rollout of our digital tools to optimise efficiencies…”

The Royal Mail hack comes days after The Guardian confirmed that it had been hit by ransomware, saying that the incident likely started with a phishing attack but nonetheless describing it as “highly sophisticated”.

As the NCSC itself noted just before Christmas in 2022, trying to stop employees clicking phishing emails or bad links is always going to be a losing battle. It said that “although attackers are very good at designing phishing pages to look genuine, your organisation can entirely mitigate the threat of credential theft by mandating strong authentication across its services, such as device-based passwordless authentication with a FIDO token.”

(These typically involve the use of a small hardware key that employees need to have with them.)

It also notes that phishing attacks can involve not just credential theft but malicious documents that spawn processes when opened. Techniques to prevent execution of this initial code can include, the NCSC suggests:

  • "Allow-listing to make sure that executables can't run from any directory to which a user can write
  • Registry settings to ensure that dangerous scripting or file types are opened in Notepad and not executed – for PowerShell, you can minimise risk by using PowerShell constrained mode and script signing
  • Disable the mounting of .iso files on user endpoints
  • Make sure that macro settings are locked down (see the NCSC's guidance on macro security) and that only users who absolutely need them – and are trained on the risks they present – can use them
  • Enable attack surface reduction rules
  • Ensure you update third-party software, such as PDF readers, or browser to open such files
  • Keep up to date with current threats with wider reading about any new attack vectors emerging."
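As an added illustration, not code from the article, the NCSC or Royal Mail, the read-only audit below reports the current state of several controls from the list above on a Windows endpoint: PowerShell language mode and execution policy, AppLocker executable rules, the ISO mount verb, Office macro policy and Defender attack surface reduction rules. The `Windows.IsoFile` registry key and the Office `16.0` policy paths are assumptions about the endpoint's software generation; nothing in the script changes a setting.

```powershell
# Added read-only audit (not NCSC or Royal Mail code) of controls from the list above.
# Assumptions: Office 2016+/M365 policy keys under ...\Office\16.0; AppLocker and Defender modules present.
# Run in an elevated PowerShell on the endpoint being checked; nothing here changes any setting.

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Control, $State, $Detail) {
    $findings.Add([pscustomobject]@{ Control = $Control; State = $State; Detail = $Detail })
}

# 1. PowerShell constrained mode: FullLanguage means unsigned scripts get the whole runtime.
$mode = $ExecutionContext.SessionState.LanguageMode
Add-Finding 'PowerShell language mode' ($(if ($mode -eq 'ConstrainedLanguage') {'OK'} else {'Review'})) $mode

# 2. Script signing: AllSigned/RemoteSigned at machine scope enforces signature checks.
$policy = Get-ExecutionPolicy -Scope LocalMachine
Add-Finding 'Execution policy (LocalMachine)' ($(if ($policy -in 'AllSigned','RemoteSigned') {'OK'} else {'Review'})) $policy

# 3. Allow-listing: an effective AppLocker policy with at least one Exe rule.
try {
    $exeRules = (Get-AppLockerPolicy -Effective).RuleCollections | Where-Object { $_.RuleCollectionType -eq 'Exe' }
    $count = ($exeRules | ForEach-Object { $_.Count } | Measure-Object -Sum).Sum
    Add-Finding 'AppLocker Exe rules' ($(if ($count -gt 0) {'OK'} else {'Review'})) "$count rule(s)"
} catch { Add-Finding 'AppLocker Exe rules' 'Review' 'AppLocker module unavailable' }

# 4. ISO mounting: ProgrammaticAccessOnly on the mount verb removes double-click mounting (assumed key).
$isoKey = 'HKLM:\SOFTWARE\Classes\Windows.IsoFile\shell\mount'
$isoBlocked = (Test-Path $isoKey) -and ($null -ne (Get-ItemProperty $isoKey -ErrorAction SilentlyContinue).ProgrammaticAccessOnly)
Add-Finding 'ISO double-click mount disabled' ($(if ($isoBlocked) {'OK'} else {'Review'})) $isoKey

# 5. Macro lockdown: VBAWarnings 3 = signed only, 4 = all disabled; internet-sourced content blocked = 1.
foreach ($app in 'Word','Excel','PowerPoint') {
    $k = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $p = Get-ItemProperty $k -ErrorAction SilentlyContinue
    $ok = ($p.VBAWarnings -in 3,4) -and ($p.blockcontentexecutionfrominternet -eq 1)
    Add-Finding "$app macro policy" ($(if ($ok) {'OK'} else {'Review'})) "VBAWarnings=$($p.VBAWarnings) blockInternet=$($p.blockcontentexecutionfrominternet)"
}

# 6. Attack surface reduction: Defender ASR rule GUIDs whose action is Block (1).
$mp = Get-MpPreference
$blocked = @(for ($i = 0; $i -lt $mp.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($mp.AttackSurfaceReductionRules_Actions[$i] -eq 1) { $mp.AttackSurfaceReductionRules_Ids[$i] }
})
Add-Finding 'ASR rules in Block mode' ($(if ($blocked.Count -gt 0) {'OK'} else {'Review'})) "$($blocked.Count) rule(s)"

$findings | Format-Table -AutoSize
```

Rows marked "Review" are prompts to compare the endpoint against the organisation's own policy, not verdicts; an AppLocker policy managed by a different allow-listing product, for example, will show as zero rules here.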

Organisations should also identify and prioritise critical systems for restoration, confirm the nature of the data housed on impacted systems, and base restoration and recovery on a predefined critical asset list: one that includes information systems critical for health and safety, revenue generation or other critical services, as well as the systems those depend on. A 3-2-1 backup approach, and regular exercising of it, are critical. As security experts have noted, too often “plans to restore from backups have been known to turn into ‘nobody knows how to restore from backup without Active Directory. Also, we have no backup server or tape library drivers... or working backups.’”
