Thwarted cyberattack targeted Library of Congress in tandem with October British Library breach

Min Zhang/Getty Images

Multifactor authentication prevented hackers from accessing the U.S. institution’s systems in the October campaign, documents show.

The Library of Congress was targeted in a cyberattack that occurred in parallel with a high-profile intrusion into the United Kingdom’s British Library in late October, but the hackers failed to access the U.S. library’s systems, according to internal documents obtained by Nextgov/FCW.

The attempted breach occurred around Oct. 28, the same day the U.K.’s national library began reporting technical issues on its website. The cybercriminals were unsuccessful because LOC had multifactor authentication — a method that digitally verifies a user logging into a system — enabled at the entry point of the hackers’ incursion.

Library IT staff also quickly shuttered targeted services once the attack was detected, the documents said. Since then, LOC has been decommissioning legacy equipment and integrating new security tools into its networks.

The October British Library attack was claimed by the Rhysida ransomware gang. The group had pilfered data and held it hostage in exchange for a ransom payment of 20 bitcoin, about £600,000 at the time of the threat. But the library refused to pay, and the hackers published the troves of some 500,000 stolen files, which included employees’ personal information.

The cyber offensive was deemed one of the worst in British history by a former leader of the U.K.’s National Cyber Security Centre. The library is still facing service disruptions to date.

The FBI and CISA declined to comment. LOC did not respond to multiple requests for comment. It remains unclear whether the same operatives tied to Rhysida had attempted entry into the U.S. library.

It’s likely that an initial access broker — a hacker specializing in gaining access to systems who sells their entry techniques to other groups on underground discussion forums — probed LOC’s systems and backed off when they weren’t able to break in, said Allan Liska, a ransomware threat intelligence analyst at Recorded Future.

“You lock your car not because it can stop a determined thief, but because it makes the casual thief go to the next car and try and get in,” he said. The dynamics are akin to the British Library incident, except an initial access broker was instead successful and sold their break-in technique to Rhysida, he added.

The Rhysida collective, believed to have possible ties to Russia, was the subject of a November advisory from CISA and others warning that the gang since last May has been targeting government education, healthcare, IT and manufacturing sectors.

As the largest cultural research institution in America, a successful intrusion into the LOC would have been devastating to internal research and filing systems, Liska said.

Notably, the U.S. Copyright Office works in tandem with the library. “You wouldn’t be able to copyright any works during that period of [recovery] time. So the add-on effects would be felt well beyond just the people using the library,” he said.

Hackers leveraged a similar vulnerability in the recent breach of UnitedHealth's Change Healthcare unit. The company admitted it did not have multifactor authentication protocols installed on the server that a separate ransomware collective breached with stolen credentials.