NCSC and law enforcement investigate major Royal Mail cyberattack
Incident, which has been linked to Russian ransomware group, has left customers unable to send items overseas
Cyber intelligence and law-enforcement authorities are investigating a major cyberattack alleged to have been perpetrated by a Russian criminal group.
The incident, which took place last week, has left more than half a million parcels due for international postage unable to be delivered. A Russia-based ransomware gang, known as Lockbit, are believed to be responsible for the attack.
Sources cited in a report first published by The Telegraph have indicated that the hacking group’s ransomware, Lockbit Black, has infected machines that Royal Mail uses to print the customs labels for parcels sent outside the United Kingdom.
Experts from the GCHQ-based National Cyber Security Centre are working with officers from the National Crime Agency to help investigate the incident.
“We are aware of an incident affecting Royal Mail Ltd and are working with the company, alongside the National Crime Agency, to fully understand the impact,” an NCSC spokesperson said.
According to reports, Lockbit’s signature ransomware scrambles files and leaves a message demanding payment in cryptocurrency to reverse the damage.
The note allegedly says: “Lockbit Black Ransomware. Your data are stolen and encrypted. You can contact us and decrypt one file for free.”
Printers at a Royal Mail distribution centre in Northern Ireland reportedly started printing copies of the ransom note. This is known to be a tactic of the hacking gang.
As of today, the postal service is still experiencing significant fallout and impact on its services – with individuals currently advised not to attempt to send parcels overseas.
“Royal Mail is experiencing severe service disruption to our international export services following a cyber incident,” the Royal Mail said on its website. “To support faster recovery when our service is restored and to prevent a build-up of export items in our network, we’re asking customers not to post international items until further notice. Items that have already been despatched may be subject to delays. We would like to sincerely apologise to impacted customers for any disruption this incident is causing.”
The site added: “Our import operations continue to perform a full service, with some minor delays. Parcelforce Worldwide export services are still operating to all international destinations though customers should expect delays of one to two days. Our teams are working around the clock to resolve this disruption and we will update you as soon as we have more information. We immediately launched an investigation into the incident and we are working with external experts. We have reported the incident to our regulators and the relevant security authorities.”