Main Menu

Audit reports

Cyber gang made second attack on SEPA systems


The attack on SEPA was ‘malicious and sophisticated’

Cyber criminals made a second attempt to break into the computer systems at the Scottish Environment Protection Agency (SEPA), according to official audits on last year’s attack.

A Police Scotland investigation into the first incident concluded that an international serious organised crime group was most likely responsible for the extortion attempt detected at one minute past midnight on Christmas Eve. 

The Scottish Business Resilience Centre noted a “secondary and deliberate attempt to compromise SEPA systems as the team endeavoured to recover and restore back-ups”. 

SEPA did not respond to a ransom request left on its systems and was clear that it would not use public finance to pay serious and organised criminals. 

Recent London Business School research concluded that cyber-risk more than quadrupled since 2002 – and tripled since 2013 whilst Scottish Business Resilience Centre states that in the fourth quarter of 2020, attacks utilising PowerShell grew by 208% while malware leveraging Microsoft Office increased by 199%.

The same study also identified that attacks targeting public sector entities increased by 93%.   


The pattern of activity has become more global and has affected a broader range of industries. Victims have ranged from Apple and LinkedIn, to Sony Pictures, Marriot Hotels, Colonial Pipeline, Citi Bank and JP Morgan Chase.  

Closer to home, the Weir Group, the NHS, Tesco, Talk Talk, and Dundee and Angus College have also been targeted.

Terry A’Hearn, chief executive at SEPA, described the attack as a “hideous, internationally orchestrated crime”.

He said: “Unfortunately, our story is not unique. Cybercrime has rapidly expanded around the world. Major organisations such as Apple, the Irish Health Service, LinkedIn, Colonial Pipeline, CitiBank, Sony and many more have been hit by cyber-attacks.   

Terry A’Hearn: hideous crime

“In the face of this awful crime, I am immensely proud of the way our team has coped and responded. We have delivered high-priority services to protect Scotland’s environment and started building all our services up in new and better ways.

“In the end, we will have fast-tracked major reforms we had set out to do anyway. In all this work, as CEO of SEPA, I want to acknowledge and thank the outstanding efforts of our workforce and the assistance we have received from partners and all those we regularly work with. 

“A key element of our recovery has been to set a high level of transparency in our work. We’ve spoken openly about the impact of the attack, our response and recovery, including weekly service updates as one example of the many ways we’ve kept people informed about our recovery and how to work with us. 

“In line with this approach, I commissioned independent expert reviews of the cyber-attack. No-one asked us to commission multiple reviews. No-one required us to do so. We simply took the view that this was our responsibility as a public agency. 

“The audits make it clear we were well protected but that no cyber security regime can be 100% secure. A number of learnings have been identified that will help SEPA further improve its cyber security.  All have been accepted. 

“The majority of organisations hit by cyberattacks around the world do not publicise much about the attack and that is their right. We know we have taken an unusual approach, but we are convinced it is the right thing for us to do. 

“We are publishing as much as we can of the reviews so that as many organisations as possible can use our experience to better protect themselves from this growing scourge of cybercrime and have committed to supporting Police Scotland and Scottish Business Resilience Centre in their work on highlighting the support available to organisations to be cyber ready, resilient, and responsive.” 

Detective Inspector Michael McCullagh, cybercrime investigations at Police Scotland, said:  “Police Scotland has been consistently clear that SEPA was not and is not a poorly protected organisation. The organisation had a strong culture of resilience, governance, incident and emergency management and worked effectively with Police Scotland and others.   

“Recent attacks against SEPA, the Irish Health Service and wider public, private and third sector organisations are a reminder of growing threat of international cyber-crime and that no system can be 100% secure. They’re also a reminder of the growing importance of organisations being ready, resilient, and responsive.   

“SEPA’s work in standing up to, and speaking openly about international serious and organised cyber-crime shows real leadership.  By its actions, including sharing its learnings, organisations across Scotland have the opportunity to be safer and stronger.” 

Jude McCorry, chief executive, Scottish Business Resilience Centre, said:  “Against a growing global and local threat environment, Scottish businesses and organisations need to get increasingly serious about cyber.  For organisations in Scotland today, the question is when, not if you’re organisation will be subject to attack and how well it will respond and recover.

“The fact that SEPA’s cyber maturity assessment was high and sophisticated defence and detection mechanisms were implemented and operating correctly prior to the incident is a reminder to us all how real the risk is.

“As an organisation, SEPA has consistently acted with great courage – not engaging with the criminals, refusing to use public funds to pay a ransom, speaking out and sharing the learnings widely. 

“We’re delighted to stand with SEPA as together we use this as an outstanding case study of a cyber-attack response, including on the practical support available to Scottish businesses and organisations on readiness, response and recovery.” 

Independent audits were commissioned from Police Scotland (Cyber-Attack Response Debrief); Scottish Business Resilience Centre (Cyber-Attack Preparedness Review) and Azets (Cyber-Attack: Response; Cyber-Attack: Lessons Learned) to (a) ensure that SEPA further enhances its cyber security as the organisation builds new systems and practices; and (b) to allow others to learn from SEPA’s experience to help better protect themselves from cyber-crime.  SEPA has also published its organisational response. 

New app launched

The Scottish Business Resilience Centre (SBRC) has launched an app to provide advice and support for businesses to stay safe online and offline.

Businesses that download the app will be informed of credible threats to their operations including cyber threats, traffic, and protestor activity, and be given accurate sector-specific guidance within minutes. 

Jude McCorry, CEO of SBRC, said: “Our aim at SBRC is to ensure that no Scottish business fails because of lack of knowledge or support when it comes to their resilience.

“When the pandemic hit, there was an incredible amount of detail shared with businesses which, at times, may have been overwhelming or only applied to the few rather than the many.

“We’ve taken learnings from this on how important it is to keep the business industry informed of the updates that directly affect them.”

Leave a Reply

Your email address will not be published. Required fields are marked as *

This site uses Akismet to reduce spam. Learn how your comment data is processed.