At 5:40 a.m. on Thursday, March 22, the City of Atlanta’s municipal computer system was hit by a ransomware attack that encrypted a number of important internal and customer-facing applications, including some that residents use to pay bills or access court-related information.
As an added precaution, the city’s Hartsfield-Jackson Airport, one of the busiest in the world, shut down its free WiFi network. The city’s 8,000 employees were told to unplug their computers and refamiliarize themselves with pens and paper. Mayor Keisha Lance Bottoms even joked that it might be “a good exercise in penmanship for younger employees.” On a more serious note, the mayor added:
This is really much bigger than a ransomware attack. This was an attack on our government, which means it was an attack on all of us. This is a hostage situation.
Six days later, city workers were allowed to reboot, but affected programs—like the apps that let residents pay their water bills or traffic tickets online—were still locked and encrypted. An all-hands-on-deck alert has drawn security experts from the federal Department of Homeland Security, the U.S. Secret Service and the FBI, as well as the city’s incident response team and its counterparts from Microsoft and Cisco. The city has also hired SecureWorks, a Dell subsidiary based in Atlanta, to identify and fix the vulnerabilities.
SecureWorks has identified the hackers as the shadowy SamSam group, one of the more successful of the dozens of internet crime gangs. The group is believed to have extorted more than $1 million from some 30 target organizations in 2018. Unlike many common malware attackers, SamSam does not rely on social engineering or phishing but on exploiting a vulnerability in JBoss, Red Hat’s Java-based web server environment.
The exploit itself (Google “jboss vulnerability” for details) is not particularly sophisticated, but the group has shown itself particularly adept at choosing targets that likely need to deliver essential services (hospitals, universities and city governments) and will pay up rather than risk being offline for many days. The group generally demands a payment equivalent to $50,000 in bitcoin in exchange for the keys to decrypt the affected system.
They are also ruthless, often using blunt force to make their point. The Colorado Department of Transportation was able to restore its systems on its own after a SamSam attack, without paying, but a week later, the hackers struck the department again with a new, more virulent ransomware.
The threat is growing
Ransomware attacks on local governments in the United States have become depressingly common. A 2016 survey of chief information officers for cities across the country found that extorting ransom was the most common purpose of cyberattacks on a city or county government, accounting for nearly one-third of all attacks.
Even more shocking, the survey, conducted by the International City/County Management Association and the University of Maryland, Baltimore County, also found that about one-quarter of local governments reported experiencing attempted attacks at least as often as once an hour. Yet less than half of the local governments surveyed said they had developed a formal cybersecurity policy, and only slightly more than one-third said they had a written strategy to recover from breaches. Jack Danahy, the co-founder and CTO of malware defense pioneer Barkly, said in an interview that this is a serious lapse:
Ransomware is going to be with us for a very long time. These attackers exist to monetize their computer skills in a criminal enterprise, and the value of traditional stolen data (credit cards, Social Security numbers, health-care records) has cratered because of the ongoing and remarkable success of thieves stealing it. The threat of downtime, data loss, or lawsuits and public humiliation from disclosure remains potent, so we are going to see more, and more sophisticated, weapons that make this kind of crime a reality.
Bad News for Smart Cities
As cities become smarter, they also become more dependent on their IT infrastructure to keep essential services up and running.
The Internet of Things (IoT) offers virtually limitless possibilities to automate the physical assets that every city needs to operate: water supply, electricity, mass transit, medical services, even residents’ vehicles. The consequences of someone exploiting vulnerabilities in these systems go far beyond ransomware and into the much more dangerous realm of national security.
Just days before the Atlanta attack the FBI and Homeland Security issued a joint bulletin indicating that Russian hackers successfully penetrated control systems at energy, nuclear, water, aviation, and manufacturing sites.
Remember October of 2016, when the largest DDoS attack ever was launched on service provider Dyn using a botnet of IoT devices infected with a malware called Mirai?
Once infected, devices continually search the internet for other vulnerable IoT devices and then use known default usernames and passwords to log in, infecting them with the malware in turn. These are common devices like digital cameras and DVRs. The attack resulted in huge portions of the internet going down, including Twitter, the Guardian, Netflix, Reddit, and CNN.
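The propagation pattern just described (one source trying factory-default usernames against many devices in quick succession) is visible in device login logs long before a botnet is used for a DDoS. The script below is an added example, not code from the article or from any vendor named in it; it parses a constructed syslog-like auth log (the format, hosts, addresses, the list of default account names and the detection thresholds are all assumptions for illustration) and flags sources whose login attempts fan out across several devices within a short window, noting which devices accepted a login so they can be pulled for credential changes.

```python
"""Detect Mirai-style default-credential login storms in IoT device auth logs.

Added example for this article. The log format below is constructed, and the
thresholds and default-account list are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.7 sprays factory usernames at three devices
# (and gets into dvr-02); 192.0.2.10 is one legitimate admin login; 198.51.100.5
# is two isolated failures that stay below the thresholds.
SAMPLE_LOG = """\
2016-10-21 11:00:01 cam-01 telnetd: login failed user=root from=203.0.113.7
2016-10-21 11:00:02 cam-01 telnetd: login failed user=admin from=203.0.113.7
2016-10-21 11:00:04 dvr-02 telnetd: login failed user=root from=203.0.113.7
2016-10-21 11:00:05 dvr-02 telnetd: login succeeded user=admin from=203.0.113.7
2016-10-21 11:00:07 cam-03 telnetd: login failed user=root from=203.0.113.7
2016-10-21 11:00:08 cam-03 telnetd: login failed user=support from=203.0.113.7
2016-10-21 11:00:09 cam-03 telnetd: login failed user=admin from=203.0.113.7
2016-10-21 11:02:30 gw-01 sshd: login succeeded user=netops from=192.0.2.10
2016-10-21 11:03:10 cam-01 telnetd: login failed user=root from=198.51.100.5
2016-10-21 11:03:12 cam-01 telnetd: login failed user=root from=198.51.100.5
2016-10-21 11:45:00 cam-01 telnetd: login failed user=root from=203.0.113.7
"""

# Account names that commonly ship as factory defaults on consumer IoT devices
# (assumed list for the example; a real deployment would use its own inventory).
DEFAULT_USERS = {"root", "admin", "support", "user", "guest"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \S+: "
    r"login (?P<result>failed|succeeded) user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse_auth_log(text):
    """Yield one event dict per parseable line; lines in other formats are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        yield ev


def find_credential_stuffers(events, window=timedelta(minutes=5),
                             min_attempts=6, min_hosts=3):
    """Flag sources whose logins fan out across many hosts inside `window`.

    Thresholds are illustrative assumptions. Returns {src: summary} describing the
    first qualifying window for each flagged source.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            # Sliding window: this source's events within `window` of `start`.
            burst = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            hosts = {e["host"] for e in burst}
            if len(burst) < min_attempts or len(hosts) < min_hosts:
                continue
            findings[src] = {
                "window_start": start["ts"].isoformat(),
                "attempts": len(burst),
                "hosts": sorted(hosts),
                "default_user_attempts": sum(e["user"] in DEFAULT_USERS for e in burst),
                # Devices that accepted a login from the spraying source: these
                # are the ones to isolate and re-credential first.
                "compromised": sorted({e["host"] for e in burst
                                       if e["result"] == "succeeded"}),
            }
            break
    return findings


def main():
    for src, f in find_credential_stuffers(parse_auth_log(SAMPLE_LOG)).items():
        print(f"{src}: {f['attempts']} attempts across {len(f['hosts'])} hosts "
              f"from {f['window_start']}, {f['default_user_attempts']} using factory "
              f"usernames; logged in on: {', '.join(f['compromised']) or 'none'}")


if __name__ == "__main__":
    main()
```

Run on the sample, only 203.0.113.7 is reported: seven attempts on three devices inside nine seconds, all with factory usernames, and a successful login on dvr-02. The two failures from 198.51.100.5 stay below the thresholds, which is the point of requiring breadth across hosts rather than reacting to every failed login.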
It’s hard to be a tech-loving Luddite nowadays but count me as one of those people who is a little bit frightened by the prospect of being totally dependent upon computers and networks for virtually all human activity. There is a reason so many American states have decided to go back to paper ballots for the upcoming elections. The sheer number of attacks and the seeming inability of governments—at any level—to fend all of them off does not inspire faith that our institutions, businesses and governments are prepared to survive a massive cyberattack aimed at, say, destroying critical infrastructure or bringing cities to a destructive halt.
The most frightening element of all is the general public’s complacency and blind faith that technology will somehow build a “wall” that will keep all the bad things out. It hasn’t so far. The major problem may be that our highest government officials simply don’t understand the dangers and ramifications of a digitally connected—and interdependent—world. The U.S. Congress is peopled by mostly old men who came of age before cell phones and the Internet. Our President has convinced a third of Americans that the Russians didn’t interfere in the 2016 election or wage social media warfare.
Sadly, real people in real cities are probably going to have to die from the consequences of cyberwarfare before the public and government leaders give the issue the priority and urgency it needs. You can count Atlanta mayor Keisha Lance Bottoms as a convert:
We have to really make sure that we focus on the things that people can’t see, and digital infrastructure is very important. Certainly not something that I thought on Day 70 would become a priority of this administration, but at Day 80-something, it certainly has gone to the front of the line for me.