Royal Borough of Kensington and Chelsea Breach Incident Score: Analysis & Impact (ROY4633046112625)

In this Rankiteo incident briefing, we review the Royal Borough of Kensington and Chelsea breach identified under incident ID ROY4633046112625.

The analysis begins with a detailed overview of Royal Borough of Kensington and Chelsea's information like the linkedin page: https://www.linkedin.com/company/royal-borough-of-kensington-and-chelsea, the number of followers: 21962, the industry type: Government Administration and the number of employees: 1983 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 767 and after the incident was 699 with a difference of -68 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Royal Borough of Kensington and Chelsea and their customers.

Westminster City Council recently reported "Cyber Attack on London Councils Activates Emergency Plans", a noteworthy cybersecurity incident.

London councils, including Westminster, Kensington and Chelsea, and Hammersmith and Fulham, were hit by a cyber attack on Monday (date unspecified).

The disruption is felt across the environment, affecting Shared IT systems, Phone lines and Call center (Kensington and Chelsea), and exposing Under investigation (standard practice to check).

In response, teams activated the incident response plan, moved swiftly to contain the threat with measures like IT teams worked overnight, Mitigations implemented and Network access restrictions (implied), and began remediation that includes Restoring systems safely and Investigating data compromise, while recovery efforts such as Business continuity plans and Prioritizing critical services for vulnerable residents continue, and stakeholders are being briefed through Public statements issued, Apologies to residents and Updates promised as available.

The case underscores how Ongoing (cause and data compromise under investigation), and recommending next steps like Avoid opening suspicious emails, Do not click on unexpected links and Verify unusual requests, with advisories going out to stakeholders covering Staff warned about phishing risks.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Phishing: Spearphishing Link (T1566.002) with moderate to high confidence (85%), with evidence including staff warned about phishing risks (suspicious emails/links), and avoid opening suspicious emails or clicking unexpected links and Valid Accounts: Cloud Accounts (T1078.004) with moderate to high confidence (75%), supported by evidence indicating attack originated from Kensington and Chelsea’s network (shared IT). Under the Lateral Movement tactic, the analysis identified Remote Services: Remote Desktop Protocol (T1021.001) with moderate to high confidence (70%), with evidence including shared IT systems disrupted across multiple London boroughs, and originated from Kensington and Chelsea’s network (shared infrastructure) and Remote Services: SMB/Windows Admin Shares (T1021.002) with moderate confidence (65%), supported by evidence indicating shared IT systems implies internal network propagation. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with moderate confidence (60%), with evidence including suspected Ransomware (unconfirmed), and echoes 2020 Hackney Council breach (440K files encrypted) and Endpoint Denial of Service: Application or System Exploitation (T1499.004) with moderate to high confidence (80%), with evidence including shared IT systems and phone lines disrupted, and call center outage for multi-hour period. Under the Defense Evasion tactic, the analysis identified Indicator Removal: File Deletion (T1070.004) with moderate confidence (50%), supported by evidence indicating investigations ongoing (potential tampering with logs/files). Under the Command and Control tactic, the analysis identified Application Layer Protocol: Web Protocols (T1071.001) with moderate confidence (55%), with evidence including shared IT infrastructure may have been used for C2, and network access restrictions implied in containment. Under the Exfiltration tactic, the analysis identified Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003) with lower confidence (40%), with evidence including data compromise under investigation, and referenced Hackney’s 2020 breach (data exfiltration risk). These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.