UK’s postal service hit by “cyberincident”

Overseas postal services have been unceremoniously stopped from the UK.
12 January 2023

Nothing gets out – the Royal Mail’s overseas service paralyzed by “cyberincident.”

The UK’s Royal Mail has been hit by a “cyberincident,” which has forced it to stop people sending any mail (letters or parcels) outside the country for the foreseeable future.

While the organization is as yet being tight-lipped about the exact nature of the “incident,” the sudden shutdown of international postal services suggests the Royal Mail is working to identify and deal with the issue, and that whatever its nature, it is centered on the Royal Mail International arm of the business.

An international standstill.

All items received by the Royal Mail to and from other countries are being held securely until the ramifications of the incident are known and dealt with. Extreme disruption is expected as a result of the incident.

Unusually, because of the way services are split up in the Royal Mail, an alternative system for sending parcels internationally – Parcelforce Worldwide – continues to operate, though it is expected to incur service delays, which may well increase as more people use the often more expensive service to get around the grounding of Royal Mail International.

Royal Mail is being particularly cagey about the event that has ground Royal Mail International to a halt, and is currently insisting on describing it as a “cyberincident” rather than a “cyberattack,” because it claims not to know what has affected its systems.

That might strike cyber-experts as desperate and mealy-mouthed, especially because the UK’s own National Cyber Security Centre (NCSC) defines a cyberincident as:

  1. Attempts to gain unauthorized access to a system and/or to data.
  2. The unauthorized use of systems for the processing or storing of data.
  3. Changes to a systems firmware, software or hardware without the system owners’ consent.
  4. Malicious disruption and/or denial of service.

For differentiation, the NCSC defines a cyberattack as “Malicious attempts to damage, disrupt or gain unauthorized access to computer systems, networks or devices, via cyber means.”

The difference between the two definitions is always going to be whisper-thin, and whatever has actually happened at the Royal Mail, it seems inarguable that unauthorized people have compromised the company’s systems, for reason or reasons as yet unknown.

Ransomware likely?

Many analysts are already concluding that the “incident” has several of the known hallmarks of a ransomware attack, given that the Royal Mail has not informed its users that their data has been “exfiltrated” – removed or stolen – and ransomware attacks frequently involve encrypting data in situ.

Just weeks ago, in late December, 2022, we spoke to Field CISO at Check Point Software, Deryk Mitchelson, specifically about the weakness to attack inherent in the UK’s critical infrastructure systems, due to a combination of legacy technology, relatively open systems, and a lack of highly-skilled cybersecurity personnel to combat unfriendly action, leading to a comparatively massive attack surface.

In light of the Royal Mail “incident,” Deryk said that whatever the truth of the event turned out to be, we should in no way be surprised by it.

“Last year the number of cyberattacks continued to increase at a concerning rate. This is why it is not surprising that in the first few weeks of the new year, a key institution has already suffered at the hands of opportunistic cybercriminals.”

On the other hand, he pointed out that the seemingly localized nature of the incident in the international arm of the service could be reason for optimism in terms of the scope of the potential damage.

Be grateful for segmentation.

“While the details of the attack are yet to be revealed, it appears this only seems to be impacting oversees deliveries, suggesting that segmentation may have had a part to play in keeping domestic postal services secure.”

That said, the latest incident proves two things. Firstly, there is no size restriction that applies to targets of what it can be assumed is the cybercriminal community. The Royal Mail had revenue of 12.7 billion pounds sterling in 2022 (equivalent to $15.4 billion), and, if we assume this is a cyberattack, it has still proven to be vulnerable, at least as far as accessing its systems are concerned.

And secondly, being hit once is no guarantee that you won’t be hit again – and potentially with more devastating results.

“We know that Royal Mail experienced a minor leak last year,” said Deryk, “so this should act as a reminder to everyone that you could fall victim more than once.

“Cybercriminals have set the tone for the year already. If organizations don’t take the necessary steps right now, they will be breached. As a result, it’s vital that we all take advantage of the tools at our disposal to keep data safe and services operational.”

The system that has been infiltrated at the Royal Mail is described as a “back office system” – similar to the description used in regard to the recent Guardian newspaper and website infiltration. It’s used to prepare mail for despatch outside the UK, and to tack and trace mail once it leaves the UK’s jurisdiction.

While Royal Mail works with the NCSC to investigate the extent of the incident, every day that passes increases delays to services – for which the Royal Mail is responsible to regulators – and increases public dissatisfaction with the performance of the company.

Royal Mail staff are among the cornucopia of UK workers currently staging intermittent strikes for better pay and conditions – a situation which has already made the Royal Mail less than optimally popular in the country. The longer the cyberincident goes on, the longer and deeper public disdain for the company is likely to grow.