Western Riverside Waste Authority Breach Incident Score: Analysis & Impact (WES1032810112725)

In this Rankiteo incident briefing, we review the Western Riverside Waste Authority breach identified under incident ID WES1032810112725.

The analysis begins with a detailed overview of Western Riverside Waste Authority's information like the linkedin page: https://www.linkedin.com/company/western-riverside-waste-authority, the number of followers: 0, the industry type: Waste Treatment and Disposal and the number of employees: 9 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 803 and after the incident was 789 with a difference of -14 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Western Riverside Waste Authority and their customers.

Royal Borough of Kensington and Chelsea recently reported "Coordinated Cyberattack on Three Major London Councils", a noteworthy cybersecurity incident.

A sophisticated cyberattack has disrupted IT networks and phone systems across three London councils—Kensington and Chelsea, Westminster, and Hammersmith & Fulham—affecting over 400,000 residents.

The disruption is felt across the environment, affecting IT networks, Phone systems and Public service portals (housing support, social services, waste collection).

In response, teams activated the incident response plan, moved swiftly to contain the threat with measures like Shutdown of IT networks, Shutdown of phone systems and Isolation of shared infrastructure, while recovery efforts such as Protecting systems and data, Restoring systems and Maintaining critical public services continue, and stakeholders are being briefed through Limited public disclosure to avoid aiding attackers; confirmation of ongoing investigation with UK law enforcement.

The case underscores how Ongoing (UK law enforcement involved; attack vector identified but not disclosed), with advisories going out to stakeholders covering Public advised of service disruptions; limited details shared to avoid aiding attackers.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Exploit Public-Facing Application (T1190) with moderate to high confidence (85%), supported by evidence indicating shared government infrastructure targeted; attack vector has been identified but undisclosed and Valid Accounts (T1078) with moderate to high confidence (75%), supported by evidence indicating shared IT infrastructure suggests potential abuse of legitimate access across councils. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with high confidence (90%), supported by evidence indicating ransomware is strongly suspected, shutdown of IT networks to contain the threat and Endpoint Denial of Service: Application or System Exploitation (T1499.004) with high confidence (95%), supported by evidence indicating complete shutdown of IT networks and phone systems, crippled critical public services. Under the Lateral Movement tactic, the analysis identified Remote Services: Windows Admin Shares (T1021.006) with moderate to high confidence (70%), supported by evidence indicating shared IT infrastructure implies lateral movement across interconnected council systems. Under the Defense Evasion tactic, the analysis identified Impair Defenses: Disable or Modify Tools (T1562.001) with moderate to high confidence (80%), supported by evidence indicating shutdown of IT networks may indicate attacker disabled security tools or forced defensive measures. Under the Command and Control tactic, the analysis identified Ingress Tool Transfer (T1105) with moderate to high confidence (70%), supported by evidence indicating sophisticated and simultaneous multi-council impact suggests staged payload deployment. Under the Exfiltration tactic, the analysis identified Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003) with moderate confidence (60%), supported by evidence indicating potential data compromise and prolonged service outages hint at possible exfiltration before encryption. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.