'Everything, everywhere, all at once'
Is London prepared for cyber attacks?
A coordinated series of 'mid-level' cyber attacks on London's infrastructure is the most likely way a hostile state actor could overwhelm the capital, according to the UK's former most senior cyber security official.
Former National Cyber Security Centre (NCSC) CEO Ciaran Martin called the scenario 'everything, everywhere, all at once', borrowing from a US intelligence assessment of Chinese malware discovered lying dormant in key American infrastructure.
Although Martin said an attack on this scale is ‘not going to happen tomorrow’, recent incidents affecting the city, including those at the NHS in south east London, the British Library and Transport for London (TfL), have underscored the potential for chaos and the need to safeguard the city.
Will imminent legislation be a remedy, and is complete prevention realistic?
Disrupting the capital
On 1 September 2024 a ‘highly sophisticated’ cyber incident hit the systems of Transport for London (TfL), which operates a tube network that can exceed four million daily journeys.
According to TfL, around 5,000 customers’ Oyster card data, including bank account numbers and sort codes, was accessed.
TfL responded to the attack by suspending contactless card refunds for customers unable to tap out at the end of a journey.
As of 21 November, there is no set date or solution for the repayment to customers of these overcharged fares, expected to be worth millions of pounds.
Train barriers at a London Underground tube station.
Live TfL data was unavailable for passengers in the aftermath of the cyber attack. Source: CityMapper.
It also suspended the booking system for its Dial-a-Ride assisted transit service for disabled people.
A spokesperson for accessible transport advocacy group Transport for All told South West Londoner:
“The cyber-attack on Transport for London caused immeasurable harm to disabled people.
“The Dial-a-Ride service failed completely. Disabled people were unable to attend appointments, and were left isolated from friends, family and support.
“Even when open, some booking systems were not accessible to many disabled users, who called our adviceline in distress.
“It was weeks before the service was fully repaired, and even longer before Transport for London updated disabled people.
“This fiasco cannot be repeated. It's imperative that transport operators can continue their services in the face of modern-day challenges, this kind of harm is unacceptable.”
TfL said in response: “While we continued to operate a service to Dial-a-ride customers while we were dealing with the highly sophisticated incident, during the first week of the incident, the telephone booking system was unavoidably temporarily unavailable as a result of the internal measures implemented to deal with the incident.
“However, bookings were still being taken through the Dial-a-ride app and pre-existing bookings were still fulfilled during this time.
“Due to the nature of how TfL interacts with its Dial-a-ride customers, we completely appreciate that there may have been some issues with directly updating customers as quickly as we would have liked, and again apologise for any inconvenience this caused.”
TfL also suspended online applications for concessionary Oyster cards including the 11-17 Zip cards relied upon by many young Londoners.
Ruth Lomax is Group Executive Director for Communications & Student Support at New City College, the UK’s fourth-largest college group with over 20,000 students at seven campuses in London and Essex.
She told South West Londoner: “In the weeks after the cyber attack, and when the (30 September) cut-off for students' 11-15 cards was looming, we saw a steady stream of anxious new students, who had just left school, asking how they would afford their travel to college.
“At that time, communication from TfL was unclear. Since then, however, TfL have been in touch with previous 11-15 card holders, and with the college, with updates.”
TfL reopened Zip card applications on 21 November, 11 weeks after the cyber incident was first reported.
It also announced it was again able to process Oyster refunds, though was not yet able to do the same for contactless card payments.
While official policy has been for TfL staff to accept expired photocards while the incident is ongoing, some cardholders reported being turned away.
TfL said in response to these reports: "Children need to show their expired photocard to staff at the start and end of their journey on TfL services, or as requested.
"Staff are also regularly reminded of the need to accept these expired cards and if customers have any issues at TfL or Train Operating Company services, they should report this via TfL customer services.”
Lomax explained this policy was cold comfort for students needing to apply for a Zip card for the first time.
She said: “If students did not previously have an expired 11-15 card, the communication has been less clear and effective.
“This could include students new to London, or those who have taken some time out of study before joining college.
“These students need to pay for fares, keep receipts, then claim refunds when the system is re-opened. This is a significant expenditure for a student to pay up front.
“So far, we’ve supported a relatively small number of students who have been affected by this issue.
“However, we may see a significant increase in requests for assistance if the TfL portal remains closed for applications potentially until the new year.”
This was not the first major cyber incident affecting London this year.
On 3 June, a ransomware attack hit healthcare services across south east London.
Hackers targeted the IT systems of Synnovis, a pathology partnership between SYNLAB, Guy’s and St Thomas’ NHS Foundation Trust, and King’s College Hospitals NHS Trust.
Hackers stole blood record data, rendering affected trusts unable to match patients’ blood for transfusions, and forcing them to use O-negative blood which is safe for all recipients.
10,152 acute outpatient appointments and 1,710 elective procedures were postponed at the Guy’s and St Thomas’ and King’s College Hospital trusts, according to NHS England.
Although O-negative is universal, only 8% of the population produce it, so the incident led to a national shortage and triggered a nationwide appeal for more O-type donors.
'When, not if'
As experts point out, the methods and motivations of those responsible reflect global cyber security trends and may give clues as to future attacks.
Professor Martin said: “The West is being pulverised frequently by Russian ransomware groups.
“Criminal ransomware originating in and around Russia, tolerated and even tacitly encouraged by the Russian state, is pretty much out of control and it has been for most of the 2020s.
“The UK has suffered a bit less proportionately hitherto, and that is more randomness than anything else, whereas (…) it is having the same type of very difficult 2024 with ransomware as other Western economies.”
Authorities linked the NHS/Synnovis hack to Qilin, a Russian-speaking ransomware-as-a-service operation which steals data from organisations and demands payment as ransom.
Another ransomware gang using Qilin’s services is the English-speaking Scattered Spider gang who engage in phishing and MFA bombing.
The group were linked to a huge attack on US-based MGM Resorts, for which a 17-year-old male from Walsall was arrested by the National Crime Agency (NCA) in July.
The NCA also arrested a 17-year-old male from Walsall in connection with the September TfL incident, though it has not confirmed if the two arrests are the same person.
Stephen Wolthusen, Professor of Information Security at Royal Holloway University, outlined how attacks like these happen.
Wolthusen said: “The majority of these ransomware attacks would come in through attack forms like phishing or sometimes spear phishing, which means that you have somebody in the organisation that responds to an e-mail or clicks on something, and that's really difficult to prevent.”
“This is a global industry that is pulling in billions, and it is highly international.
“There's division of labour internationally. Most of the people that are in this ecosystem are in jurisdictions that are really hard to get hold of.
“The Russian Federation at the moment does not have much of an interest in cooperating with the CPS (Crown Prosecution Service).”
Although the line between state- and non-state hacking groups often blurs, distinguishing between the two can help to understand their methods.
Wolthusen said of non-state, criminal gang activity: “There wouldn't be an orchestrated attack, it would just be whatever is likely to be a paying customer.
“The ransom demand might be contingent on publicly available information of how deep the pockets of the institution are.
“They will avoid places like hospitals that give bad publicity, so there is the level of sophistication in the case of criminal attacks.”
“If you're dealing with a state actor or quasi-state actor, then the situation is radically different, because then the aim is not to maximise the return and the minimum amount of fuss with law enforcement."
Zirconium/APT31
China-based hacking group which was ‘almost certainly responsible’ for a 2021 phishing campaign targeting MPs’ email addresses, according to NCSC.
Unknown actor
Behind the ‘highly sophisticated’ TfL hack where around 5,000 users’ personal bank data was accessed. TfL responded by restricting access to many of its online services, causing months of disruption and costing customers millions of pounds.
Unknown actor
Gloucester City Council concluded Russian-linked hackers were behind a 2021 spear phishing ransomware attack for which the council were reprimanded by the Information Commissioner's Office.
Scattered Spider
English-speaking cybercrime group who engage in phishing, social engineering and MFA bombing.
The group were reportedly behind the attack on US-based MGM Resorts in 2023, for which a 17-year-old male from Walsall was arrested by the National Crime Agency (NCA) in July this year.
According to Microsoft, Scattered Spider uses the services of Qilin, the ransomware operation which stole NHS blood data in June.
Rhysida
Ransomware operation which claimed responsibility for the huge 2023 British Library hack which knocked out its IT systems and vast library catalogue.
Qilin
A ransomware-as-a-service operation and gang that works with affiliates, encrypting and exfiltrating the data of hacked organisations and then demanding a ransom be paid.
The gang were behind the June 2024 NHS/Synnovis ransomware attack, and published almost 400GB of patient data online after failing to extort a ransom from the NHS.
It had previously stolen and published around 500GB data from Big Issue's publishers, The Big Issue Group.
NoName057(16)
Pro-Russian ‘hacktivist’ group allegedly targeting governments and institutions of countries supporting the Ukrainian war effort. It claimed responsibility for a series of denial-of-service attacks in 2024 impacting council websites across the UK.
Lockbit
Russia-based ransomware operation reported to be the world's largest. Lockbit's operations were infiltrated this year in an operation led by the NCA.
Lockbit claimed responsibility for a 2023 ransomware attack on Royal Mail which temporarily halted its international shipping services. The group had reportedly demanded a £65million ransom.
Inc Ransom
Ransomware and data extortion threat group which has claimed responsibility for ransomware attacks on NHS Dumfries & Galloway, Leicester City Council and Liverpool’s Alder Hey Children’s Hospital.
ALPHV
Russian-speaking cybercrime group and ransomware-as-a-service operation. It carries out ‘triple-extortion’, making individual ransom demands for: the decryption of infected files; not publishing stolen data; and not launching denial of service (DoS) attacks.
Linked to Scattered Spider by the latter group’s previous use of BlackCat ransomware.
Martin told the Science, Innovation and Technology Select Committee this year: “Were the lights to go out or were there a serious attack on central London, there is only a handful of actors who at the moment have the capability to do that.”
He elaborated to South West Londoner: “Principally, there would be two, the Russian state and the Chinese state.
“We're still sufficiently vulnerable that basic criminal attacks done out of Russia have enough capability to do one or two isolated and not particularly targeted attacks, but they can really hurt us.”
The six-city Counter Terrorism Preparedness Network (CPTN), of which the London Assembly is a member, describes the effects of a more coordinated attack on a large city than the ones sustained this year.
It said: “An attack on or within cyber-based infrastructure can have significant cascading effects.
“A DDoS (distributed denial of service) attack on a telecommunications company could cascade out and affect emergency services, and interference with the communication channels of a transport network could cause gridlock and widespread disruption.
“In a low-probability, high-impact scenario, operational disruptions of a power plant could cascade out and impact on hospitals, residential areas, sanitation and water services."
Martin said: “The most frightening issue for a big city is the sustained, coordinated series of mid-level attacks – the tube, the NHS, parts of the NHS, because it's quite decentralised, some educational bodies, some central government bodies if you're talking about London, some big private companies.
“That is what the US have characterized in the Volt Typhoon assessment as being the thing they most worried about.
"They called it ‘everything, everywhere, all at once’.
“So not the most devastating single side of attacks, but just so many of them. Being realistic about the threats, it’s not going to happen tomorrow, because there's no sign of a massive geopolitical crisis tomorrow that doesn't already exist.”
Martin said there are few vulnerabilities unique to London which don’t exist elsewhere in the UK, but there is a particular concentration and overlap of vulnerable infrastructure in London.
He said: “London is New York, Washington and Los Angeles, but all in the same place. I suspect if you look at things like Volt Typhoon, I guess it's a concentrated risk there in London.”
Wolthusen cited energy, water and logistics as three particularly vulnerable sectors, due to the combination of criticality and limited budgets.
Professor Stephen Wolthusen discusses the public infrastructure most vulnerable to cyber attacks
Wolthusen also explained how a new feature of big cities, E-mobility, could create a new vulnerability for cyber attacks:
Buying better
Why do the IT systems guarding critical infrastructure remain so vulnerable?
According to Wolthusen, this is a battle that was lost more than a decade ago.
He said: “If you go back long enough, you had systems that were separated, air gapped from the rest of the environment, but we haven't had that for many years.
“Convenience, the need to have functionality, the need to have networks, the need to use commercial off the shelf components – that's been the story of the last decades in IT systems."
The CPTN echoed this view: “The widespread use of enterprise solutions by many sectors creates the possibility of common vulnerabilities, as shown by publicly known instances of such network overlaps.”
In a September Audit & Assurance meeting, TfL assessed the risk of a ‘Significant Security Incident including cyber security’, one of ten ‘Enterprise Risks’ its committee routinely assesses.
It had identified in the first quarter of the year ‘a number of control weaknesses’ including “unclear ownership and responsibility for compliance and maintenance of the Wi-Fi cabinets, and obsolescence of some of the Wi-Fi infrastructure”.
It said: “Failure to anticipate systems that are approaching end of life and can no longer be patched are at risk of cyber security incidents that may lead to operational, financial and reputational losses, as well as legal and regulatory penalties.”
This echoes a CPTN concern that: “There are particular challenges involved in protecting critical national infrastructure against cyber attack.
“Bespoke and often legacy industrial control systems, which were not designed with cyber security in mind, are now increasingly networked and connected to the internet to enable more efficient control and real-time monitoring."
A TfL spokesperson said: “TfL constantly reviews its policies and procedures around procurement to ensure that they are in line with industry best practice and consider potential risks.”
Legacy, unpatched systems were at the heart of the 2017 WannaCry attack, the largest incident to directly impact UK infrastructure, which affected 80 of 236 NHS hospital trusts.
Many networked hospital IT systems and devices were running unpatched third-party software, and these were rendered unusable.
NHS England identified 6,912 cancelled appointments and estimated more than 19,000 were cancelled in total, based on the normal rate of follow-up appointments.
The Department of Health & Social Care estimated the incident cost the NHS £92 million in lost output and IT costs.
A broader look at UK businesses shows the problems are not limited to large-scale or 'political' targets.
Half of businesses and 32% of charities reported experiencing a cyber breach or attack, according to a 2024 Department for Science, Innovation and Technology survey.
Martin discussed how providers like the NHS can procure better services:
'If there's implausible claims, don't buy it': Ciaran Martin on how critical sectors can better mitigate cyber attacks
Cure, not prevention
The UK followed the EU in implementing the NIS (Network and Information Systems) Directive, which established a common security framework.
The proposed Cyber Security and Resilience Bill aims to mirror the newer NIS2 Directive by being more far-reaching and mandating reporting for a wider range of incidents, allowing the government to collect more accurate data on cyber attacks.
Martin said: "It's worth remembering that the intention is not just to prevent attacks, it's also to help people to recover better from attacks.
"'Resilience’ implies something bad already has happened, and that you're able to recover from it.
“Like with GDPR, people who are taking the subject seriously already will feel it's a bit overkill.
“But people who have not been paying any attention to cyber security will now have a legal duty to take some of this detection quite seriously.”
London's infrastructure can expect to remain firmly in the line of fire during the current geopolitical moment.
Whether mitigating against the kind of narrow but disruptive attacks seen this year, or something more coordinated and overtly state-backed, corporate culture, government legislation and an understanding of 'resilience' all need to keep up with these trends.
Wolthusen summarised: “I think the takeaway is that you can prevent only so much. There is a non-zero chance at any given point that you are going your organisation.
"Complete prevention seems utopian."
Image credits
Title image: Markus Spiske on Unsplash
Intro background image: Gianmarco Boscaro on Unsplash
Section 1 header image: Belinda Fewings on Unsplash
Section 2 background image: Bernd Dittrich on Unsplash
Section 4 background image: Marcin Nowak on Unsplash
All other video/images by Harry Hetherington
Glossary sources
National Cyber Security Centre
Queen Mary University of London
