[BreachExchange] Police Federation hit by seemingly random cyber attack

Destry Winant destry at riskbasedsecurity.com
Fri Mar 22 08:54:38 EDT 2019


No evidence yet that attackers extracted any data, or that the malware
spread to any branches

Malicious actors have hit the computer systems of the Police
Federation of England and Wales (PFEW) with a malware attack that, at
one point, threatened to spread across the entire organisation.

The association body representing near-120,000 officers was alerted to
an attack on 9 March by its cyber security systems, which triggered
experts into isolating the attack and stopping it spreading to its 43
individual branches.

The attack is not thought to have specifically targeted the PFEW,
rather it is more likely to be part of a wider campaign, the
organisation said. There is no evidence as of yet pointing towards who
may be responsible, nor is there evidence the perpetrators extracted
any personal or sensitive data from PFEW systems.

"Our priority has been to mitigate the damage caused by the attack and
to protect the personal data of our members and others whose data we
hold," said PFEW national chair John Apter, who apologised for the

"We remain committed to representing police officers and ensuring they
are supported. We have set up a dedicated webpage to help officers and
other individuals with any questions they may have and have directed
them to where they can find guidance on the risks associated with this
type of incident."

The PFEW is a statutory body responsible for protecting the welfare of
its members, who range from junior officers through to the rank of
Chief Inspector. The organisation also gathers the views of its
constituent police officers with regards to policy and policing
methods, and regularly communicates these to the government of the

"Being struck with ransomware at this level seems rare in 2019 but it
just goes to show that the cyber criminals will continue to attack
wherever there are vulnerabilities," said cyber security specialist
with ESET Jake Moore.

"Organisations should never have the only backups online where the
virus can attack, plus ransomware mitigation tools are easily
accessible and feasible.

"However, there is always a cost involved in the prevention of such
attacks and sadly the police does not have access to the amount of
financial support required to fully protect itself. Corners will
inevitably be cut and the police will remain a target whilst this is
still the case."

The PFEW said there has been no evidence of data extraction, and that
the malware did not spread any further than the systems based at
Federation House, the organisation's headquarters in Surrey. None of
its external branches around England and Wales were affected,
according to the body.

However, the PFEW has been working with the National Crime Agency
(NCA) and Information Commissioner's Office (ICO) to establish whether
there could be any more indicators pointing to the scale and effects
of the attack.

On the nature of non-targeted attacks, which the PFEW believes this to
have been, Kaspersky's David Emm told IT Pro that it's interesting how
many of these manage to successfully penetrate organisations.

"What was interesting in industrial facilities, the bulk of attacks
were ransomware or spyware - just general purpose spyware. And I guess
it's interesting for some reasons; one is there's a general
understanding that if people are going to be going after those
facilities, it's going to be really high-tech targeted attacks,
whereas really most of it isn't.

"The second is that if I were an attacker, I'd be lurking around and
saying 'wow, if these places can be hit be general purpose malware,
what if we actually start trying?'"

Specialist officers from the NCA's National Cyber Crime Unit (NCCU)
are taking the lead on the criminal investigation. Meanwhile, the PFEW
is liaising with the National Police Chief's Council (NPCC) and the
National Cyber Security Centre (NCSC) to gain a better understanding
of the fallout.

IT Pro approached the PFEW for comment but did not get a response at
the time of publication.

More information about the BreachExchange mailing list