Royal Mail, cops probe 'cyber incident' that's knackered international mail

Final update Royal Mail confirmed a "cyber incident" has disrupted its ability to send letters and packages abroad, and also caused some delays on post coming into the UK.

The postal service, and the UK's National Cyber Security Centre and National Crime Agency, issued similar statements about the IT SNAFU on Wednesday, with Royal Mail advising customers to stop sending international mail until it fixed the problem.

"We're experiencing disruption to our international export services and are temporarily unable to dispatch items to overseas destinations," the organisation tweeted. "We strongly advise customers to hold any export items while we work to resolve the issue." 

Royal Mail added it was "sorry for any disruption this may cause," and would not comment further. This is a developing story; we'll keep you updated as we confirm any other details.

The National Cyber Security Centre (NCSC) said it was "aware of an incident affecting Royal Mail Group Ltd" in a statement.

The cyber agency said it was working with Royal Mail and the National Crime Agency "to fully understand the impact."

⚠️ Our statement on the incident affecting @RoyalMail Group this evening: "We are aware of an incident affecting Royal Mail Group Ltd and are working with the company, alongside the National Crime Agency, to fully understand the impact."

— NCSC UK (@NCSC) January 11, 2023

In an email to The Register, the National Crime Agency confirmed it was working with its NCSC partners to investigate the incident.

The postal company did not immediately respond to The Register's inquiries, which included queries about the expected duration of the disruption. A Royal Mail spokesperson told the BBC that it was calling it a "cyber-incident" — not a cyber attack —  because it does not know what caused the issue in the system that prepares mail to send overseas, and also tracks and traces international parcels. 

Royal Mail uses the system at six sites, including its Heathrow distribution center.

• Royal Mail customer data leak shutters online Click and Drop
• The Guardian ransomware attack hits week two as staff told to work from home
• Swiss Army's Threema messaging app was full of holes – at least seven
• German cartel watchdog objects to the way Google processes user data

The latest Royal Mail incident follows a security "issue" in November during which customers could see others' order information. About an hour after the leak started, Royal Mail shut down its Click and Drop website.

It also comes at a time when the postal carrier is locked in a dispute with the Communication Workers Union, which represents more than 115,000 Royal Mail employees, over worker pay and conditions. The union plans another strike later this month, according to media reports.

Anthony Davis, former Head of Information Security at Royal Mail until 2009, commented: "I have a good idea which systems at Royal Mail could be affected. But it's early days so far, and the incident response will likely take some time. Let's see what the investigation discovers and, if it was in fact a cyberattack, who was responsible. The National Cyber Security Centre is pretty good about attributing attacks to perpetrators, eventually." ®

Updated to add on January 12

The Royal Mail was hit by the Russia-linked LockBit ransomware gang, The Telegraph reports. This infection affected at least software used for printing labels on exports, it is said.

Mind you, Bleeping Computer said it got hold of LockBit's support rep, and that person said the malware gang didn't attack Royal Mail – it may have been another crew using the leaked LockBit 3.0 ransomware builder, if we're to believe the representative.

Final update on January 14

LockBit now says one of its affiliates did indeed compromise Royal Mail. Whoever did it, at least we know they used the gang's malware, with permission or otherwise.