Talion is a finalist for Best SIEM Solution

Talion is a finalist for Best SIEM Solution for the 4th year in a row

Royal Mail Cyber Attack – Where’s My Mail Gone? - Talion

“When is my parcel arriving?”

“Where are the tracking details?”

“Why have they just left it on my doorstep?!”

We’re notorious for complaining about postal service.

But in the first few weeks of January 2023, delivery really did take a turn for the worst after a cyber attack left international items at Royal Mail suspended from delivery.

Here’s everything you need to know:


What Happened in the Royal Mail Cyber Attack?

On 11th January 2023, Royal Mail disclosed that Russia-linked ransomware gang LockBit (who had a recent arrest back in October 2022) carried out a cyber attack on their organisation, leading to the suspension of international deliveries on the days to follow. It’s been reported that machines used to print custom labels for overseas parcels were infected and, subsequently, printers located in the Northern Irish Royal Mail distribution centre were spurting out copies of a ransom note – a signature tactic of LockBit.

The ransom note, as seen below, said “LockBit Black Ransomware. Your data are stolen and encrypted. You can contact us and decrypt one file for free.” They then proceeded to threaten leakage of this data on the dark web.



In light of this incident, Royal Mail have commented saying, “We strongly recommend that you temporarily hold any export mail items while we work to resolve the issue.” They’ve reassured that their “teams are working around the clock to resolve the disruption and [they] will update you as soon as [they] have more information.”

With the National Cyber Security Centre’s statement announcing assistance and the launch of an investigation from the National Crime Agency, Royal Mail continued to muddle through what was an unexpected and far-reaching incident. But regardless of outcome, this cyber attack has certainly left its mark.


Why were Royal Mail an Ideal Target?

Cyber criminals don’t shoot their shot wide and hope for the best – each victim is often carefully thought out. It comes as no surprise that Royal Mail were targeted because, as a distributor of letters and parcels internationally, they directly impact millions of people. When an organisation like Royal Mail falls victim to a cyber attack, services almost always go down because of it. Cyber criminals will take advantage of this so that they have a higher chance of receiving the ransom payment – because if millions of people are affected, surely Royal Mail will pay up in order to resolve it quickly?

However, this isn’t always the case. So far there is no news on whether Royal Mail have paid up but it seems that they are working on it internally with the National Cyber Security Centre and National  Crime Agency.

Anthony Davis, a former Head of Information Security at Royal Mail until 2009, has commented on the incident saying, “I have a good idea which systems at Royal Mail could be affected. But it’s early days so far, and the incident response will likely take some time.” This could suggest that Royal Mail have legacy systems in place that he believes aren’t reactive enough to resolve the issue efficiently.

In other news, it was also said that Royal Mail’s last half-year report “did not mention cybersecurity once during a presentation but did emphasise that it is ‘targeting our investments to accelerate the automation of processes and the rollout of our digital tools to optimise efficiencies.’” Clearly Royal Mail were in the process of refining their cyber security strategy, but this was not soon enough. Perhaps they didn’t even place enough value on cyber security processes, since only one line in the report mentioned it, which could have simply been to “cover their bases.”

With these two comments in mind, it reiterates how important it is for organisations to evaluate and update their security systems and incident response plans. Investing in cyber security where needed is essential before potential hacks take place because then, it’s too late.



Was it really LockBit who did the “Royal Damage”?

It seemed clear that LockBit were behind the Royal Mail cyber attack. After all, the ransom note was titled “LockBit Black Ransomware” and UK-based CISO Daniel Card reported that the onion URL in the ransom note linked to a payment and negotiation page previously used by LockBit 3.0.

However, LockBit claim it wasn’t them. Usually their ransomware victims are listed on their site, often with a countdown clock to pressurise the victim into payment before it gets to zero and their data is released, but Royal Mail does not make an appearance on the site.

LockBit representative LockBitSupp said that his group wasn’t behind the attack, alternatively sending the blame towards an unknown identity who used an old, leaked copy of LockBit’s builder, which is a software for generating fresh versions of its ransomware executable.

But, like all things, the truth comes out. On 14th January, LockBit confirmed they were in fact behind the cyber attack on Royal Mail after they released a post into a Russian-speaking hacking forum. The ransomware operator LockBitSupp stated that they determined which affiliate conducted the attack and will only provide a decryptor and delete stolen data after a ransom is paid. You can read further updates from Bleeping Computer here.

The screenshots of the chats between LockBit and Royal Mail have now been leaked, as of 14th February 2023 and are available to read here.



It seems that Royal Mail weren’t fully prepared to remediate the LockBit cyber attack.

Ensure your organisation is different.

Read up on 8 ransomware mitigation tactics here.

Or get in touch to discuss your security plans.


Watch demo video
We’re a tight-knit, highly skilled operation, so when a threat arises, we move quickly.
Watch demo video
We’re a tight-knit, highly skilled operation, so when a threat arises, we move quickly.
24x7x365 UK-based Security Operations Centre
Service underpinned by market leading threat intelligence team
Continually developed threat relevant content, backed by SLAs
MDR service has featured in the Gartner Magic Quadrant for 6 consecutive years
Experts in SIEM and SOAR technology
UK-based Senior Leadership
Looking to maximise value and flexibility?
Learn how Talion and DEVO partner to achieve this.
Discuss your cyber security needs
Contact us below and one of our team will be in touch to answer your questions.

Call us on 0800 048 5775

Call us directly and we’ll put you in touch with the most relevant cyber expert.

Get In Touch With Us

Not currently free to call? Give us a brief description of what you’re looking for by filling out our form and we’ll email you as soon as we can.