Atlanta Hit By Cyber Attack

Much of Atlanta's city government has been forced to rely on pen and paper this week thanks to a ransomware attack.

One of the largest cities in the American south has been hobbled this week by a cyber attack that seems as though it was fairly easy to pull off:

ATLANTA — The City of Atlanta’s 8,000 employees got the word on Tuesday that they had been waiting for: It was O.K. to turn their computers on.

But as the city government’s desktops, hard drives and printers flickered back to life for the first time in five days, residents still could not pay their traffic tickets or water bills online, or report potholes or graffiti on a city website. Travelers at the world’s busiest airport still could not use the free Wi-Fi.

Atlanta’s municipal government has been brought to its knees since Thursday morning by a ransomware attack — one of the most sustained and consequential cyberattacks ever mounted against a major American city.

The digital extortion aimed at Atlanta, which security experts have linked to a shadowy hacking crew known for its careful selection of targets, laid bare once again the vulnerabilities of governments as they rely on computer networks for day-to-day operations. In a ransomware attack, malicious software cripples a victim’s computer or network and blocks access to important data until a ransom is paid to unlock it.

“We are dealing with a hostage situation,” Mayor Keisha Lance Bottoms said this week.

The assault on Atlanta, the core of a metropolitan area of about 6 million people, represented a serious escalation from other recent cyberattacks on American cities, like one last year in Dallas where hackers gained the ability to set off tornado sirens in the middle of the night.

Part of what makes the attack on Atlanta so pernicious are the criminals behind it: A group that locks up its victims’ files with encryption, temporarily changes their file names to “I’m sorry” and gives the victims a week to pay up before the files are made permanently inaccessible.

Threat researchers at Dell SecureWorks, the Atlanta-based security firm helping the city respond to the ransomware attack, identified the assailants as the SamSam hacking crew, one of the more prevalent and meticulous of the dozens of active ransomware attack groups. The SamSam group is known for choosing targets that are the most likely to accede to its high ransom demands — typically the Bitcoin equivalent of about $50,000 — and for finding and locking up the victims’ most valuable data.

In Atlanta, where officials said the ransom demand amounted to about $51,000, the group left parts of the city’s network tied in knots. Some major systems were not affected, including those for 911 calls and control of wastewater treatment. But other arms of city government have been scrambled for days.

The Atlanta Municipal Court has been unable to validate warrants. Police officers have been writing reports by hand. The city has stopped taking employment applications.

Atlanta officials have disclosed few details about the episode or how it happened. They have urged vigilance and tried to reassure employees and residents that their personal information was not believed to have been compromised.

Dell SecureWorks and Cisco Security, which are still working to restore the city’s systems, declined to comment on the attacks, citing client confidentiality.

Ms. Bottoms, the mayor, has not said whether the city would pay the ransom.

The SamSam group has been one of the more successful ransomware rings, experts said. It is believed to have extorted more than $1 million from some 30 target organizations in 2018 alone.

It is not ideal to pay up, but in most cases, SamSam’s victims have said that they can more easily afford the $50,000 or so in ransom than the time and cost of restoring their locked data and compromised systems. In the past year, the group has taken to attacking hospitals, police departments and universities — targets with money but without the luxury of going off-line for days or weeks for restoration work.

Investigators are not certain who the SamSam hackers are. Judging from the poor English in the group’s ransom notes, security researchers believe they are probably not native English speakers. But they cannot say for sure whether SamSam is a single group of cybercriminals or a loose hacking collective.

Ransomware attacks are not a new phenomenon, of course. For several years now, individuals and businesses have found themselves hit by attacks that essentially render their computer systems useless, with some anonymous hacker demanding money in exchange for the information needed to unlock the blocks placed on the system in question. For most individuals, this means either paying up or completely wiping their systems and reinstalling their software, losing all their data unless they have backed it up, which is something far too many people fail to do. For businesses, it means choosing between paying the ransom demanded by the hackers and trying to rebuild their systems from the ground up, which often ends up costing more than simply paying the ransom. This, most likely, is why these hackers have managed to actually make money from this scam: it is less expensive for impacted businesses to succumb to their demands than to rebuild their systems from scratch. That is doubly true if it turns out that the ransomware has been lurking in their systems for so long that simply restoring from backups doesn't get rid of the problem at all. The fact that these tactics have now been turned against the systems of a major municipality shows just how brazen and far-reaching these attacks have become.

As The New York Times notes in the report quoted above, there’s an international angle to all of this:

Ransomware emerged in Eastern Europe in 2009, when cybercriminals started using malicious code to lock up unsuspecting users’ machines and then demanding 100 euros or similar sums to unlock them again. Over the past decade, dozens of online cybercriminal outfits — and even some nation states, including North Korea and Russia — have taken up similar tactics on a larger scale, inflicting digital paralysis on victims and demanding increasing amounts of money.

Cybersecurity experts estimate that criminals made more than $1 billion from ransomware in 2016, according to the F.B.I. Then, last May, came the largest ransomware assault recorded so far: North Korean hackers went after tens of thousands of victims in more than 70 countries around the world, forcing Britain’s public health system to reject patients, paralyzing computers at Russia’s Interior Ministry, at FedEx in the United States, and at shipping lines and telecommunications companies across Europe.

A month later, Russian state hackers deployed similar ransomware to paralyze computers in Ukraine on the eve of the country’s independence day. That attack shut down automated teller machines in Kiev, froze government agencies and even forced workers at the Chernobyl nuclear power plant to monitor radiation levels manually. Collateral damage from that attack affected computers at Maersk, the Danish shipping conglomerate; at Merck, the American-based pharmaceutical giant; and even at businesses in Russia.

Attempted ransomware attacks against local governments in the United States have become unnervingly common. A 2016 survey of chief information officers for jurisdictions across the country found that obtaining ransom was the most common purpose of cyberattacks on a city or county government, accounting for nearly one-third of all attacks.

The survey, conducted by the International City/County Management Association and the University of Maryland, Baltimore County, also found that about one-quarter of local governments reported that they were experiencing attacks of one kind or another, successful or not, at least as often as once an hour.

Yet less than half of the local governments surveyed said they had developed a formal cybersecurity policy, and only 34 percent said they had a written strategy to recover from breaches.

Experts said government officials needed to be more aggressive about preventive measures, like training employees to spot and sidestep “phishing” attempts meant to trick them into opening the digital door for ransomware.

“It’s going to be even more important that local governments look for the no-cost/low-cost, but start considering cybersecurity on the same level as public safety,” said David Jordan, the chief information security officer for Arlington County, Va. “A smart local government will have fire, police and cybersecurity at the same level.”

In light of the Russia investigation and the weaknesses in American cybersecurity that other incidents have revealed in recent years, events like this are particularly concerning. If it's this easy to bring down the systems of one city, what does that say about more crucial systems throughout the country? And what, if anything, are governments at the federal, state, and local level doing to stop things like this from happening?

FILED UNDER: National Security, US Politics
Doug Mataconis
About Doug Mataconis
Doug holds a B.A. in Political Science from Rutgers University and J.D. from George Mason University School of Law. He joined the staff of OTB in May 2010 and contributed a staggering 16,483 posts before his retirement in January 2020.

Comments

  1. Dave Schuler says:

    Get used to it. Security and privacy seem to be particular problems for government at all levels. They have difficulty putting the necessary controls in place.

    3
  2. Franklin says:

    @Dave Schuler: Are you implying this is due to bureaucracy or something? Because it seems to me that the private sector has the same problems.

    5
  3. Dave Schuler says:

    @Franklin:

    Big companies have bureaucracies, too. I think it has more to do with budgetary constraints and how politics works in government. Politics is important in government and big companies but it works differently in each. Also, and it is possible that my experience is atypical, it has been my experience that government at all levels has more homegrown experts. That could be budget-related, too.

    I have been a member of data and security task groups both for state-level government agencies and big companies. I found them quite different.

    1
  4. Sleeping Dog says:

    @Dave Schuler:
    Businesses have paid far more in ransom to cyber criminals than governments, we just don’t hear about it.

    My business email is published on the company website, therefore I receive several ‘fishing’ emails a day, some from the email addresses of customers who have been hacked. All it would take is for me or a peer to open one of those links and we expose the company to a ransomware attack. Knock on wood (hits head) that hasn’t happened. An organization's data security is only as strong as the weakest link, which is the user.

    6
  5. Mister Bluster says:

    Cyber this:

    I have read the NYT excerpt in the OTB post.
    Paragraphs 7, 8, 9, 10, 11 and 12 are duplicated by par. 13, 14, 15, 16, 17 and 18.

    When I click on the link to the NYT item there is no duplication.

    1
  6. Tyrell says:

    Now it's Atlanta. Next could be a power grid, a traffic light system, airport, rail system, or hospitals. It will happen again and become more frequent. A while back I was in a home supply store and their systems went down. It took about an hour to get through a line where we had to write down our bank card number and other personal information. I wonder what they did with the paperwork. Probably wound up in a dumpster or the wind blowing it down the street somewhere.

    1
  7. Sleeping Dog says:

    Today Boeing was hit with the WannaCry virus

    1
  8. Kit says:

    While it’s not exactly as if the government enjoys seeing this happen, the agencies that could help have no interest in seeing the situation change. Espionage depends on weak security, and helping to fix security holes is just a losing proposition for them.

  9. george says:

    It's a city government, don't they have daily tape backup? And paper backup of the daily transactions?