Cybersecurity and Municipalities
Cities are being targeted at increasing rates. Atlanta, Albany in New York, Baltimore, and Flint are merely a few of the recent examples. These successful attacks are not inexpensive, as the costs for consultants, forensic cybersecurity subject matter experts, hardware, and other items add up. While a portion or the majority of the costs may be recouped from the insurance company, the direct labor to re-enter data or restore from the prior back-ups also affects operations for a varying amount of time.
For this round, Augusta, Maine was targeted and successfully attacked. Specifically, the Augusta City center was targeted and pwned.
In this case, the attacker’s tool was ransomware, which has been a highly successful tool for these attacks. All it takes is one employee. For Augusta, it appears an employee clicked on a file or link they really should not have. The attackers demanded over $100k for the decryption key. The threat was that, if they did not receive the funds, the entire computer system would be shut down. One defensive measure against ransomware is the simple, yet pertinent, back-up. The city stored its data on a mass storage device. Thankfully, this was not compromised as part of the attack.
As the city began to feel the attack’s symptoms, the IT department began pulling cables from the computer equipment to mitigate the issue. This is somewhat basic; however, it was sufficiently effective. The immediate effect was the closing of the offices for two days. The IT department also froze the systems responsible for the municipal financial systems (i.e. payroll, accounts payable, and accounts receivable), billing, automobile services, assessor records, and general assistance. The plan was solid, as the IT department did not want the attack to spread further through the system.
Payment and Beyond
The city did not pay and had no intention of paying the ransom. In general, this is the preferred plan. For this option to work, however, there have to be viable back-ups, and these have to have been tested. The total costs for this were significant. Most of these costs were for overtime for the five-person staff of the IT department. They had to put in 80-100 hours over eight days. The staff was also tasked with entering data which was lost due to the outage. The system may have been down for 1-1.5 weeks. The city also investigated the issue in an attempt to find the attackers. This endeavor was not successful.
What We Can Learn
The attack vector was a seemingly inconspicuous email with a happy, little attachment or link. The click-happy staff member’s action took down the city’s systems. There is always an opportunity for cybersecurity training and updates on the different attacks that may be directed at the staff.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.