By Cam Sivesind
Thu | Apr 25, 2024 | 11:57 AM PDT

On April 11, 2024, Leicester City Council in the United Kingdom fell victim to a major cyberattack that crippled many of its systems and services. The unknown hackers were able to breach the council's networks and deploy malicious software, causing widespread disruption.

One of the most visible impacts was on the city's street lighting system. Due to the attack, thousands of street lamps remained illuminated throughout the day, wasting significant energy and money. Council staff were unable to remotely control or fix the lighting systems as the malware had locked them out.

However, the lighting issue was just the tip of the iceberg. The cybercriminals encrypted critical data and systems across the council's networks, severely hampering its ability to operate and provide services to residents. Services impacted included:

•  Online payment systems and revenue collection
•  Libraries and leisure center operations
•  Housing repairs and maintenance requests
•  Social care coordination and processes
•  Email and communications infrastructure

The council stated the attack represented an "unprecedented" situation and crisis. Non-essential operations were temporarily suspended as emergency response teams worked around the clock to understand the malware, prevent further damage, and initiate backups and recovery procedures where possible.

As for the street lights, residents continue to contact City Hall asking why the lights are staying on, even during the daytime.

"We are aware of a number of streetlights that are staying on during the day. This is due to a technical issue connected to the recent cyber attack, when we were forced to shut down our IT systems. It means we are currently not able to remotely identify faults in the street lighting system," said a city council spokesperson. "The default mode for faults is that the lights stay on to ensure that roads are not left completely unlit and become a safety concern. There are a number of steps required to resolve the problem, and we are working through these as quickly as we can."

While the investigation is still ongoing, Leicester City Council stated that evidence pointed to the attack being financially motivated rather than ideological. The hackers are believed to have deployed ransomware and are demanding a seven-figure payment to decrypt data and restore systems.

"While this event demonstrates what may be, at least to this victim, an 'unprecedented situation and crisis,' the reality is, just about every ransomware attack on a victim is at some level unprecedented, to a certain degree; but the lessons that come from it are very predictable," said Shawn Tuma, Co-Chair, Data Privacy & Cybersecurity Practice, Spencer Fane LLP, and frequent SecureWorld speaker.

"First, any organization that uses computers and the internet is a potential target of these attacks; there is no such thing as security by obscurity. Many of the times, the threat actors are not seeking out these victim targets but are, instead, engaging in drive-by hacking where they are simply using tools to scan the internet for vulnerable systems and then attacking those vulnerabilities, without even knowing the identity of the victim until after they are in the system.

"Second, and of equal importance, is that the risks to every organization are unique based on numerous factors that need to be considered, and this is why it is essential for all organizations to engage in an ongoing cyber risk management process that starts with them adequately assessing their cyber risk on a regular basis—not just in a technical sense, but in an overall business and operational impact risk sense—and using that assessment as the foundation for both their risk mitigation strategy and their incident response preparation. In the real world, this is critical because how can you defend against what you don't understand, and how can you prepare for what you don't understand? The better you understand these risks, through your assessment phase, the better job you can do in protecting against them and in planning for them."

This incident highlights the vulnerability of local government systems to cyberattacks and the severe real-world impacts such incidents can have on the services and utilities relied upon by citizens. Authorities are still assessing the full scope of the attack and damage as recovery efforts continue.

"The attack on the Leicester City Council and its associated IT infrastructure shows how vulnerable we have become to cyber attacks. Even if this attack was solely motivated by financial greed, it does provide a playbook for future attackers of any stripe," said Col. Cedric Leighton, CNN Military Analyst; U.S. Air Force (Ret.); and Chairman, Cedric Leighton Associates, LLC. "The attack vectors used in this incident are the same ones a state-sponsored hacker could use to cripple government services—and they could do so without firing a shot. This is precisely what pre-Cyber Age military theorists like Clausewitz and Sun Tzu envisioned when they wrote about defeating an enemy without using kinetic force."

Col. Leighton added: "Personally, I'm not convinced that this is solely a ransomware attack. It bears quite a few of the hallmarks of a state-sponsored cyber operation. The goals of a well-planned military operation can include making life for an adversary's citizens as inconvenient as possible. This attack seems to have done so in several different ways."
