The Critical Role of Technology in Industrial Strategy: A Comprehensive Analysis
June 9, 2025
Introduction: The Glasgow Council Cyber Attack Incident
In early 2024, Glasgow City Council faced a significant cyber attack that disrupted essential public services, raised concerns across the UK’s public sector, and triggered a wide-ranging review of local government cybersecurity practices. The attack unfolded rapidly: suspicious network activity was detected late in the evening, and by the next morning, multiple critical systems were offline. Investigations determined that the incident involved sophisticated techniques, likely orchestrated by a well-resourced threat actor seeking to exploit known vulnerabilities in public sector IT infrastructure.
This incident was not an isolated event. Local governments have increasingly become lucrative targets for cybercriminals due to the sensitive data they manage and the essential services they provide. The Glasgow Council attack highlighted both the far-reaching consequences of such incidents and the urgent need for robust cyber defense strategies in the public sector. This article provides a comprehensive analysis of the event, lessons learned, and actionable strategies that IT leaders can adopt to improve resilience and response capabilities.
Immediate Impact: How the Attack Affected Council Services
The attack’s immediate effects were both broad and severe. Multiple digital services—including housing benefit payments, council tax processing, and social care systems—were rendered inaccessible. Front-line staff found themselves unable to access key applications, while citizens experienced disruptions to services they rely on daily.
Examples of affected services:
- Housing & Social Services: Case management systems were locked, resulting in delays to social care assessments and benefits processing.
- Online Portals: Residents were unable to access online forms for service requests, making it difficult to report issues or apply for support.
- Internal Communications: Email and intranet services were partially disrupted, impacting coordination among teams.
- Payroll and HR: Payment processing systems for council employees experienced outages, creating uncertainty for staff.
Operational challenges included:
- Manual workarounds, such as paper-based processing, which significantly increased administrative overhead.
- Longer queues and wait times for in-person services as digital alternatives became unavailable.
- Difficulty in verifying identities and processing payments due to compromised or inaccessible databases.
- Elevated stress levels among both staff and the public, as uncertainty about the duration and scope of the disruption persisted.
The disruption underscored the interdependence of digital and physical services in local government operations. Even brief outages had cascading effects, highlighting why business continuity planning, incident response, and cyber resilience must be top priorities for IT leaders in the public sector.
Incident Response: Initial Steps Taken by Glasgow Council
Upon detecting the malicious activity, Glasgow Council’s IT team initiated their incident response plan. The response strategy was guided by established frameworks such as the National Cyber Security Centre’s (NCSC) Incident Management approach, which emphasizes early containment, forensic investigation, and transparent communication.
Key response steps included:
- Isolation and Containment:
  - Affected servers and endpoints were immediately removed from the network to prevent lateral movement.
  - Network segmentation and firewall rules were updated to restrict communication between compromised and healthy systems.
- Forensic Investigation:
  - Incident response teams collected volatile memory and disk images for analysis.
  - Logs were exported from firewalls, endpoints, and domain controllers to trace the attack’s origin and timeline.
  - Collaboration with law enforcement and external cybersecurity consultants provided additional expertise.
- Communication:
  - Internal alerts were sent to all staff, advising on the situation and providing updated guidance on safe working practices.
  - Public statements were issued via social media and the council’s website to inform citizens of service disruptions.
  - Liaison with the Information Commissioner’s Office (ICO) ensured that regulatory obligations were met, particularly regarding data breach notification.
- Early Remediation Efforts:
  - Password resets were enforced for all users, prioritizing accounts with privileged access.
  - Endpoint detection and response (EDR) tools were deployed or updated across the council’s fleet.
  - Vulnerability scans identified systems needing urgent patching or isolation.
Practical Example:
A script was quickly rolled out to force password changes:

```powershell
# Force a password change at next logon for all users in a specific OU
Import-Module ActiveDirectory
Get-ADUser -Filter * -SearchBase "OU=CouncilStaff,DC=glasgow,DC=gov,DC=uk" |
    ForEach-Object { Set-ADUser -Identity $_ -ChangePasswordAtLogon $true }
```
Through decisive action, the council contained the attack and began the process of restoring trust and operational capability. This swift response limited further damage and set the stage for informed recovery.
Cyber Threats Facing Public Sector Organizations
Local governments like Glasgow Council are frequent targets for cyber attackers seeking financial gain, sensitive data, or to cause widespread disruption. The public sector’s unique combination of legacy infrastructure, complex supply chains, and constrained budgets creates a challenging security environment.
Key risk factors include:
- Legacy Systems: Many councils rely on aging systems that lack modern security features and cannot be quickly patched.
- Resource Constraints: Budget limitations often mean fewer dedicated cybersecurity staff and outdated hardware/software.
- Highly Distributed Workforces: Remote work arrangements and multiple office locations increase the attack surface.
- Sensitive and Mandated Data: Councils store personal details, health records, and payment information that attract cybercriminals.
- Third-Party Dependencies: Outsourced IT providers and contractors can introduce supply chain vulnerabilities.
Common threat types observed:
- Ransomware: Attackers encrypt council data and demand payment for decryption keys.
- Phishing and Spear Phishing: Customized emails targeting staff to steal credentials or deliver malware.
- Exploitation of Unpatched Vulnerabilities: Attackers scan for known vulnerabilities in public-facing applications and remote access solutions.
- Insider Threats: Disgruntled employees or contractors misusing legitimate access.
Recent statistics:
A 2023 UK government survey found that 39% of public sector organizations experienced a cyber attack in the past year, with ransomware and email compromise topping the list.
Defensive strategies:
- Regular vulnerability assessments and patch management.
- Mandatory cyber awareness training for all staff.
- Multi-factor authentication (MFA) on critical systems.
- Continuous monitoring and threat intelligence sharing.
IT leaders must take a strategic approach, balancing immediate risk mitigation with long-term investment in people, processes, and technology.
Technical Analysis: Attack Vectors and Possible Methods Used
While Glasgow Council has not publicly disclosed every technical detail of the incident, available information and typical attacker methodologies provide insight into the probable attack vectors and TTPs (tactics, techniques, and procedures).
Potential attack pathways:
- Phishing Email Compromise:
  - An employee received a convincing email with a malicious attachment or link.
  - Malware, such as a remote access trojan (RAT), was deployed to establish a foothold.
- Exploitation of Unpatched Vulnerabilities:
  - Attackers scanned for and exploited known vulnerabilities (e.g., CVE-2023-23397 affecting Microsoft Outlook).
  - Once inside, they escalated privileges using common exploits.
- Lateral Movement and Privilege Escalation:
  - Tools like Mimikatz or Cobalt Strike were used to extract credentials and move laterally between systems.
  - Active Directory was targeted to obtain domain admin privileges.
- Ransomware Deployment:
  - After establishing control, attackers deployed ransomware to encrypt data across servers and workstations.
Example of a common privilege escalation attack:

```powershell
# Simulated extraction of credentials from LSASS using Mimikatz
Invoke-Command -ComputerName TargetMachine -ScriptBlock {
    .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
}
```
Indicators of compromise (IOCs):
- Unusual outbound traffic (data exfiltration attempts).
- Creation of new privileged accounts.
- Modification of scheduled tasks or group policies.
- Unauthorized access to backup systems.
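Two of the indicators above, new privileged accounts and changes to scheduled tasks or group policy, can be surfaced by correlating Windows Security events. The following is an added example written for this article, not code from the council or from any product: the event IDs are the real Windows ones (4720, 4728/4732, 4698, 5136), while the sample records, the 30-minute correlation window and the approved change-management account are constructed assumptions.

```python
from datetime import datetime

# Real Windows Security event IDs; the alert thresholds below are assumptions.
ACCOUNT_CREATED = 4720
GROUP_ADD_IDS = (4728, 4732)            # member added to a global / local group
TASK_CREATED, DS_OBJECT_MODIFIED = 4698, 5136
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
APPROVED_CHANGE_ACCOUNTS = {"svc-cm"}   # change-management identities (assumed)

# Constructed sample log: an account is created and elevated four minutes
# later, then used to add a scheduled task outside change management.
EVENTS = [
    {"time": "2024-03-02T23:41:10", "id": 4720, "subject": "jsmith", "target": "svc-backup2"},
    {"time": "2024-03-02T23:45:02", "id": 4728, "subject": "jsmith", "target": "svc-backup2",
     "group": "Domain Admins"},
    {"time": "2024-03-03T00:12:40", "id": 4698, "subject": "svc-backup2",
     "task": r"\Microsoft\Windows\UpdateOrch"},
    {"time": "2024-03-03T08:30:00", "id": 4720, "subject": "hr-admin", "target": "new.starter"},
    {"time": "2024-03-03T09:15:00", "id": 5136, "subject": "svc-cm",
     "object": "CN={placeholder-gpo-guid},CN=Policies"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def new_privileged_accounts(events, window_minutes=30):
    """Accounts added to a privileged group within `window_minutes` of being
    created (4720 followed by 4728/4732). Returns (account, subject, group)."""
    created = {e["target"]: _ts(e) for e in events if e["id"] == ACCOUNT_CREATED}
    hits = []
    for e in events:
        if e["id"] in GROUP_ADD_IDS and e.get("group") in PRIVILEGED_GROUPS:
            born = created.get(e["target"])
            if born is not None and 0 <= (_ts(e) - born).total_seconds() <= window_minutes * 60:
                hits.append((e["target"], e["subject"], e["group"]))
    return hits


def unapproved_persistence_changes(events, approved=APPROVED_CHANGE_ACCOUNTS):
    """Scheduled-task (4698) or directory-object (5136, e.g. GPO) changes made
    by any account outside the approved change-management set."""
    return [(e["id"], e["subject"], e.get("task") or e.get("object"))
            for e in events
            if e["id"] in (TASK_CREATED, DS_OBJECT_MODIFIED) and e["subject"] not in approved]


if __name__ == "__main__":
    for hit in new_privileged_accounts(EVENTS):
        print("ALERT new privileged account:", hit)
    for hit in unapproved_persistence_changes(EVENTS):
        print("ALERT unapproved persistence change:", hit)
```

In production the same logic would read exported event logs or a SIEM query rather than an in-memory list; the approved-account set should come from the change-management system, not a hard-coded constant.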
Mitigation measures:
- Patch management: Maintain an up-to-date inventory of assets and apply security updates promptly.
- Application whitelisting: Block unauthorized executables.
- Privileged access management: Limit and monitor the use of administrative accounts.
- Network segmentation: Restrict the spread of malware and lateral attacker movement.
Regular red teaming and penetration testing can reveal weaknesses before adversaries exploit them. Investing in threat detection and response capabilities remains critical.
Coordinating With Stakeholders: Internal and External Communication
Effective communication during a cyber incident is essential for managing stakeholder expectations, minimizing reputational damage, and facilitating coordinated response efforts. Glasgow Council’s experience demonstrates both the challenges and best practices for crisis communication in the public sector.
Internal communication strategies:
- Establish an Incident Command Structure: Assign clear roles (incident manager, technical lead, communications officer).
- Situation Updates: Provide regular updates to staff via secure channels, such as an internal emergency alert system or encrypted messaging platforms.
- Guidance & Playbooks: Distribute clear instructions on what staff should and should not do, such as disconnecting affected devices and avoiding suspicious emails.
External communication best practices:
- Timely Public Notification: Issue statements about service disruptions, estimated restoration times, and advice for citizens using official websites and social media.
- Regulatory Reporting: Notify the ICO and other regulatory bodies within mandated timeframes, particularly if personal data is compromised.
- Supplier and Partner Engagement: Inform IT partners, contractors, and service providers to coordinate response and prevent further spread.
Sample communication template for public notification:
We are currently experiencing technical difficulties due to a cybersecurity incident. Some services may be unavailable while we work to resolve the issue. Our IT teams are investigating and will provide updates as more information becomes available. We apologize for any inconvenience and appreciate your patience.
Tips for effective crisis communication:
- Avoid speculation; share only verified information.
- Use non-technical language for public updates, but provide technical briefings to senior management and IT stakeholders.
- Maintain transparency to build trust and manage misinformation.
Preparation includes developing and rehearsing communication plans in advance. IT leaders should ensure these plans are reviewed and updated regularly.
Business Continuity and Service Restoration
Restoring services after a cyber attack requires a structured business continuity approach that minimizes further disruption and prioritizes essential functions. The Glasgow Council incident demonstrated the importance of having detailed recovery playbooks and resilient infrastructures.
Key strategies for business continuity:
- Identify Critical Services: Prioritize recovery based on the impact of service outages. For councils, this typically means focusing on social care, payroll, and public safety systems first.
- Activate Disaster Recovery Plans: Leverage backup data and redundant infrastructure to bring systems online in a controlled manner.
- Phased Restoration Approach:
  - Stage 1: Restore core infrastructure—domain controllers, authentication servers, and network connectivity.
  - Stage 2: Bring up critical applications and databases, prioritizing those needed for essential services.
  - Stage 3: Gradually re-enable non-essential services, conducting thorough security checks at each stage.
- Manual Workarounds: Prepare for temporary manual processes (e.g., paper forms, phone-based support) to sustain key operations during digital outages.
- Validation and Monitoring: Each restored system should be validated for integrity and monitored for signs of persistent threats before going live.
Example: Service restoration checklist
- [ ] Verify backup integrity and absence of malware in backup datasets.
- [ ] Reset privileged account credentials.
- [ ] Patch and harden restored systems.
- [ ] Test restored applications with a pilot group before wide release.
- [ ] Communicate restoration timelines and progress to all stakeholders.
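The first checklist item, verifying backup integrity before restoration, needs a reference the attacker could not have rewritten along with the backup. The following is an added example, not the council's or any vendor's code: it keys a manifest with HMAC-SHA256 and assumes the key is held apart from the backup store (the sample files and key are constructed).

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def build_manifest(backup_dir, key):
    """Map each file's path (relative to backup_dir) to HMAC-SHA256 of its
    contents under `key`; a plain hash list could be regenerated by whoever
    altered the files, a keyed one cannot without the key."""
    root = Path(backup_dir)
    return {str(p.relative_to(root)): hmac.new(key, p.read_bytes(), hashlib.sha256).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(backup_dir, manifest, key):
    """Compare the backup set against a trusted manifest. Returns the files
    that were modified, are missing, or appeared without being in the manifest
    (a dropped executable in a backup share is itself an indicator)."""
    current = build_manifest(backup_dir, key)
    return {
        "modified": sorted(p for p in manifest
                           if p in current and not hmac.compare_digest(current[p], manifest[p])),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: snapshot a small backup set, then tamper with one
    file and plant a stray executable before verification runs."""
    key = b"constructed-demo-key-store-this-away-from-the-backups"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db").mkdir()
        (root / "db" / "social_care.bak").write_bytes(b"case records, run 1")
        (root / "payroll.bak").write_bytes(b"payroll run 2024-02")
        manifest = build_manifest(root, key)          # taken at backup time
        (root / "payroll.bak").write_bytes(b"payroll run 2024-02 ALTERED")
        (root / "setup.exe").write_bytes(b"MZ not part of the backup")
        return verify_backup(root, manifest, key)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```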
Technology investments for faster recovery:
- Immutable backups that cannot be altered by attackers.
- Cloud-based disaster recovery as a service (DRaaS) for rapid failover.
- Automated configuration management tools (e.g., Ansible, Puppet) to rebuild environments.
Documenting lessons learned throughout the process will strengthen future incident response and business continuity plans.
Learning From the Incident: Strengthening Defenses
The Glasgow Council attack underscores the necessity of a proactive and layered defense strategy. Public sector IT leaders must continuously assess and improve their organization’s cyber resilience.
Actionable steps to strengthen defenses:
- Zero Trust Architecture: Adopt a “never trust, always verify” model, enforcing strict access controls and continuous authentication for all users and devices.
- Comprehensive Patch Management: Implement automated patching solutions and prioritize critical vulnerabilities based on threat intelligence.
- Multi-Factor Authentication (MFA): Require MFA for all remote access and privileged accounts.
- Endpoint Detection and Response (EDR): Deploy EDR platforms to detect, contain, and remediate threats in real time.
- Regular Security Awareness Training: Educate staff on the latest phishing techniques, social engineering, and safe data handling.
- Privileged Access Management (PAM): Enforce least privilege policies and monitor privileged account usage through dedicated PAM tools.
- Network Segmentation: Design networks to limit the spread of malware, using VLANs and firewalls to isolate critical systems.
Example: Implementing network segmentation with VLANs

```text
! Example configuration snippet for Cisco switches: place the port in the Finance VLAN
interface GigabitEthernet0/1
 description Finance VLAN
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
```
Investing in cyber resilience:
- Security orchestration, automation, and response (SOAR) platforms to streamline incident management.
- Regular penetration testing and red team exercises to identify weaknesses.
- Membership in threat intelligence sharing groups such as CiSP (Cyber Security Information Sharing Partnership).
Governance and policy enhancements:
- Update incident response and disaster recovery plans based on lessons learned.
- Review supplier security requirements and third-party risk management protocols.
- Ensure compliance with GDPR, NIS2, and sector-specific regulations.
Incremental improvements, supported by executive buy-in and cross-departmental collaboration, are essential for building a mature security posture.
Key Takeaways for IT Leaders in the Public Sector
The Glasgow Council incident provides a blueprint for IT leaders aiming to improve their organization’s cyber resilience. The following checklist summarizes the most practical lessons:
Readiness Checklist:
- Review and rehearse incident response plans regularly.
- Inventory all assets and patch unmanaged or legacy systems.
- Enforce MFA and strong password policies across all accounts.
- Invest in staff training and simulated phishing exercises.
- Ensure backups are frequent, offline, and tested for reliability.
- Implement EDR and continuous monitoring on all endpoints.
- Segment networks to contain attacks and limit lateral movement.
- Develop clear internal and external communications protocols.
- Assess and manage third-party and supply chain risks.
- Engage in post-incident reviews to drive continuous improvement.
Lessons learned:
- Rapid detection and response can limit the scope of damage.
- Transparent, timely communication preserves trust with stakeholders.
- Investment in cyber hygiene and modern security tools reduces both likelihood and impact of future attacks.
- Collaboration—with law enforcement, external experts, and the wider public sector community—amplifies capabilities and knowledge.
IT leaders in local government must be prepared for inevitable challenges, with the agility and structure to respond decisively and recover quickly.
Conclusion: Building Resilient Public Sector IT Environments
The Glasgow Council cyber attack serves as a stark reminder that robust cybersecurity is not optional for public sector organizations. IT leaders must champion a culture of preparedness, ensuring that technical controls, operational processes, and staff awareness evolve to meet both current and emerging threats.
Continuous improvement—through regular assessments, investment in modern technologies, and open communication—forms the backbone of resilience. As cyber risks persist and attackers adapt, proactive planning and rigorous execution become the primary defenses against disruption.
Building resilience is an ongoing journey. By implementing the lessons from Glasgow Council’s experience and following best practices outlined here, public sector IT professionals can safeguard essential services, protect sensitive data, and maintain the public’s trust in digital government.