Cyber attack against Royal Mail linked to Russian hackers

A cyber attack against the UK postal service Royal Mail which saw the company request that customers stop sending mail abroad via its services has been linked to Russian hackers.

Royal Mail informed the public of the cyber attack on January 11, saying it had caused “severe disruption” to the computerized systems used to send mail abroad. The company “immediately launched an investigation into the [cyber] incident” and utilized the help of the UK’s National Cyber Security Centre, Information Commissioner's Office and National Crime Agency to halt further attacks.

The system affected by the ransomware attack has been used at six Royal Mail sites including at the company’s Heathrow Airport distribution center and has been used to track and trace items sent abroad, as well as to prepare mail to be dispatched overseas.  

We're experiencing disruption to our international export services and are temporarily unable to despatch items to overseas destinations.

Please do not post any export items while we work to resolve the issue.

Sorry for any disruption this may cause.

— Royal Mail Help (@RoyalMailHelp) January 12, 2023

In the wake of the “cyber incident”, as it was referred to by Royal Mail, the company asked customers to stop sending mail abroad due to severe delays, which included being temporarily unable to export or dispatch items. There were also minor delays to incoming mail to the UK from overseas, although domestic mail was not affected by the attack.

On January 12, it was reported by multiple news sites that the previously referred to “cyber incident” was in fact a cyber attack against Royal Mail by Russian ransomware-as-a-service (RaaS) gang LockBit.

The Telegraph has a copy of the ransom note sent to Royal Mail which forced it to suspend international deliveries

It says: "Lockbit Black Ransomware. Your data are stolen and encrypted"

😬😬😬https://t.co/14BWkVp8du pic.twitter.com/A3wBpmkMPx

— Rowland Manthorpe (@rowlsmanthorpe) January 12, 2023

Printers at Royal Mail distribution center in Belfast, Northern Ireland, began to print letters from the gang. The letters allegedly informed those in the office that LockBit black ransomware was responsible for the disruption and that “your [sic] are stolen and encrypted” and a threat to post it online if the ransom demands are not met.

Cyber security news site Bleeping Computer reported that it had seen an unredacted version of the ransom letter and confirmed that it did include “the Tor websites for the LockBit ransomware operation”. The site noted, however, that the decryption ID provided in the note that would allow Royal Mail to communicate with the malicious actors did not work. Bleeping Computer said it was unclear whether the ID was deleted after the ransom note was circulated or if negotiations were moved to a new ID to “avoid scrutiny from journalists and researchers”.

The Royal Mail has not publicly said that LockBit was responsible for the attack.

What is LockBit?

LockBit is a Russian RaaS organization that uses double extortion methods in its cyber attacks. In double extortion attacks, malicious actors both steal and encrypt sensitive data, which places additional pressure on the victim to pay the ransom.

The gang has been active since 2019 and has quickly become notorious. It was found by Digital Shadows that LockBit was responsible for 38 percent of ransomware attacks worldwide from January 2022 to March 2022.

Using its malware tool Stealbit and encryption system Lockbit 2.0, the gang automates data exfiltration to extort its victims.

The gang has attack a number of large organizations and corporations including the French Ministry of Justice, Bridgestone Americas, Thales Group and Bangkok Airways.