The Foreign Office was hacked in a major cybersecurity incident forcing it to parachute in additional support with “extreme urgency” from its cybersecurity contractor BAE Systems Applied Intelligence.
The UK government only revealed the existence of the “serious cyber security incident” affecting the Foreign, Commonwealth and Development Office (FCDO) through a public tender announcement.
Contract information released by the government on Friday February 4 shows that the department was forced to call in “urgent support” from the security firm “to support remediation and investigation”.
The FCDO initially refused to comment on the incident when approached by The Stack. The department employs 17,300 staff in diplomatic and development offices, including 280 overseas embassies and high commissions.
It later told us “we do not comment on security but have systems in place to detect and defend against potential cyber incidents” — while the BBC, following up on The Stack‘s initial report, said it had learned that hackers breached the FCDO but were detected before accessing any sensitive material.
We have asked the FCDO if it has disclosed a data breach to the ICO but not received a response.
The ICO says it has not been contacted by the FCDO.
The incident does not appear to have been previously reported publicly.
According to the tender information page, the FCDO paid BAE Systems Applied Intelligence (the defence firm’s cyber-security subsidiary) £467,325.60 for its assistance after issuing a contract for “business analyst and technical architect support to analyse an authority cyber security incident” that concluded January 12, 2022.
It awarded the contract without competitive tender due to the “extreme urgency” of the situation.
Foreign Office hacked, FCDO declines to comment further
“The Authority was the target of a serious cyber security incident, details of which cannot be disclosed. In response to this incident, urgent support was required to support remediation and investigation. The Awarded Supplier is the Authority’s long term incumbent service management integrator and as such had resources on site with significant knowledge and understanding of the Authority’s infrastructure,” noted the tender document.
“Due to the urgency and criticality of the work, the Authority was unable comply with the time limits for the open or restricted procedures or competitive procedures with negotiation,” the department added.
When asked for further comment on the Foreign Office hack, a FCDO spokesperson simply referred The Stack back to the line in the contract award notice saying details of the incident cannot be disclosed.
News of the incident comes days after a massive data breach at the British Council came to light. Security researchers at company Clario identified 144,000 unencrypted files containing details of hundreds of thousands of students on an open Microsoft Azure instance on 5 December 2021, with the news only picked up last week.
FCDO agency Wilton Park was breached, unnoticed, for SIX YEARS
Closer to the FCDO itself, its executive agency Wilton Park uncovered a cyber-attack in late December 2020. According to Wilton Park’s annual report, published July 2021, the NCSC’s subsequent investigation revealed attackers had access to the agency’s systems since November 2014. The FCDO gave Wilton Park £50k as a “discretionary additional allocation” to replace its servers after the attack, and funded new physical security gates.
Wilton Park runs a defence and security programme that has a “global network of partners, beginning with the FCDO, Ministry of Defence (MOD) and other UK government departments, and extending to governments in Canada, Germany, The Netherlands, Norway, Switzerland, and partners in the United States of America.”
The organisation says it explores “a very diverse range of international security issues. Our work includes rapidly-evolving threats such as illicit finance, artifcial intelligence and its implications for governance, the development of cyber-security post-COVID, the security threats driven by climate change, and security in space.”
The latter notes the UK’s “legitimacy and authority as a cyber power is however dependent upon its domestic cyber resilience, the cornerstone of which is government and the public sector organisations that deliver the functions and services which maintain and promote the UK’s economy and society.”
It adds: “While government has made notable progress in recent years, there remains a significant gap between where government cyber resilience is now and where it needs to be.”
The report suggests the NCSC was called in to manage cybersecurity “incidents” affecting the public sector approximately 300 times between September 2020 and August 2021.