How and why ransomware operators attack cities

Ransomware operators tend to hunt for large commercial targets. However, they also hit random victims who are unable to fend off a cyberattack. In this article we look at how malware can disrupt the life of an entire city.

In early February 2023, the city of Oakland, USA was forced to shut down its IT systems because of a ransomware attack. The incident did not affect the 911 system or the fire and emergency services, but the city had to go offline to contain the malware's activity.

As a result of the attack, at least 10 gigabytes of data were leaked to the darknet: identity cards, official documents, passports, home addresses and other confidential information. Numerous city employees received notifications that someone was trying to take out a loan in their name: during the attack, the fraudsters had obtained the social security numbers of officials. Union officials have begun talking about legal action to obtain broader credit protection for the thousands of workers whose personal information was stolen last month and posted on the darknet.

Anton Kuznetsov
Leading Information Security Engineer, R-Vision

The tactics attackers use to gain access to infrastructure have not changed much since 2018; the most commonly used are still:
  • exploiting known vulnerabilities;
  • publicly exposed remote access services (RDP, VPN, SSH, etc.);
  • phishing emails.

Successful intrusions using these tactics are a consequence of outdated IT systems, vulnerabilities in the software, a lack of competence among the employees responsible for network administration and information security in the organization, and the absence of modern security tools due to a lack of funding.

Sergey Polunin
Head of the Infrastructure IT Protection Group at Gazinformservis

Over the entire history of the industry, hackers have successfully attacked very large companies that can hardly be suspected of having problems with funding or a shortage of qualified specialists.
Successful attacks occur when the stars align: the attackers must discover a vulnerability that the company's specialists have not yet managed to close, and then that vulnerability must be exploited successfully and with maximum damage. This does not happen as often as it seems.

Hunt for urban IT

This is far from the first such story in recent years; on the contrary, ransomware attacks on municipal infrastructure are only increasing. At the end of 2022, Sophos researchers reported that such campaigns are becoming more frequent and more complex (PDF, in English). The authors attribute this to the use of automation and artificial intelligence technologies.

The experts surveyed city administrations and found that in 2021, 58% of the responding organizations had suffered from ransomware. In 2020, the figure was 34%. More than half reported that attacks were growing in complexity, and 56% said incidents were having an increasing impact.

The study highlights that the increase in attacks on state and local authorities comes against the background of the opposite trend in other sectors. Other experts have also spoken about a decrease in ransomware activity, for example the authors of the Positive Technologies report on current cyber threats for the third quarter of 2021:

"Among organizations, state institutions were most often attacked… The main tool of attackers is ransomware, which was used in 46% of attacks involving malware..."

At the same time, the researchers continue, during 2021 the total number of ransomware attacks "rapidly" declined. After peaking in April, when 120 attacks were registered, by September the figure had fallen by more than 60%, to 45 attacks. The experts attribute this to "the cessation of the activities of some large ransomware groups and increased attention... (due to the past high-profile attacks) from law enforcement agencies." This attention has already led to sanctions by the US Treasury Department against crypto exchanges that do business with cybercriminals.

Nevertheless, infections of municipal IT infrastructure have been and remain a regular problem for cybersecurity professionals. How such an attack unfolds and what consequences it has can be seen clearly in the example of the city of Baltimore, USA.

RobbinHood vs. the Baltimore City Administration

In early May 2019, RobbinHood, then a newcomer to the ransomware scene, locked up 10,000 computers in the Baltimore city administration. The malware also reached one of the housing and utilities control systems, and took offline the parking fines database and the local register holding 1,500 real estate transactions.

Municipal employees lost access to e-mail and were forced to work from home. The administration created temporary Gmail addresses for them, which were later automatically blocked on suspicion of unwanted activity. Citizens suddenly lost the ability to pay utility bills, purchase homes, and send emails to the administration. Fortunately, 911 and the other emergency services were not affected.

As the media found out, the attackers demanded a ransom of 13 BTC (about $70,000 at the exchange rate of early May 2019). In return, they promised to delete the confidential data from their servers, including IP addresses and encryption keys. "Your privacy is very important to us," the attackers said in their message.

Group-IB Group of Experts

The main motivation of such groups is financial. The structure of criminal ransomware groups continues to grow more complex and increasingly resembles that of legitimate IT startups, with their hierarchy, recruitment, training, motivation and vacations. Ransomware developers release new versions and updates of their solutions to exploit new or more complex vulnerabilities.

According to information security experts, the attack was not targeted: the malware operators came across the Baltimore administration while scanning the Internet. The text of the ransom note is almost identical to the notes discovered after other RobbinHood attacks.

In the first days after the attack, the FBI prohibited the disclosure of any information about the investigation; the contents of the note became known through a leak to the media. Later, the mayor of the city, Bernard Young, said at a press conference that the attackers had got into the infrastructure using the EternalBlue exploit. He also confirmed that the authorities did not plan to pay the ransom, although the administration had not yet made a final decision.

A few years earlier, an exploit for a vulnerability in the Windows SMB protocol, code-named EternalBlue, had leaked from the arsenal of the US National Security Agency. It went on to cause the largest epidemics in the history of cybersecurity, including the outbreak of WannaCry, one of the most notorious ransomware strains.

In 2019, journalists were quick to point out the irony that American taxpayers, having already paid the NSA to create EternalBlue, were now paying to clean up its consequences. More recent research, however, has cast doubt on the use of this vulnerability in the Baltimore story (the NSA denied any link between the attack and its exploit from the very beginning).

How can a city protect itself from ransomware

Cyber Media talked to information security experts to find out how to reverse the trend and protect city residents from cybercriminals.

Are these attacks targeted, or do urban IT systems come under attack by chance, after a blind scan?

Anton Kuznetsov
R-Vision

To find targets, attackers often use services that collect data on IP addresses and ports reachable on the Internet, including remote access services. Such services are attacked by password brute-forcing and, less often, through vulnerabilities. In 2023, cases of Dharma (CrySis) ransomware operators using such tactics were recorded.

Group-IB experts

It may seem that spending time on such targets is not very profitable for attackers, because attacking a commercial organization is far more promising. Ransomware attacks those who can pay a ransom, and tens of millions of dollars can hardly be demanded from a city administration. At the same time, there have been cases where administrations in the United States paid ransoms to ransomware operators.
Such attacks cause a public outcry, which draws attention to the RaaS involved. Ransomware affiliate programs actively compete with each other, and such "advertising" is not superfluous for them.

What precautions should the IT departments of city administrations take to minimize the possible consequences of a ransomware attack?

Yanis Zinchenko
Kaspersky Lab Cybersecurity Expert

The methods and tools used by attackers do not differ significantly between the public sector, companies, and ordinary people. To protect yourself from ransomware attacks, Kaspersky Lab experts recommend:
  1. Do not expose remote desktop services (such as RDP) to the Internet; use corporate VPNs instead. Always use strong passwords for such services.
  2. Promptly install available fixes for the commercial VPN solutions that connect remote employees and act as gateways into your network.
  3. Always keep the software on all devices in use updated to prevent the exploitation of vulnerabilities.
  4. Focus your security strategy on detecting lateral movement and data exfiltration to the Internet. Pay special attention to outgoing traffic in order to identify cybercriminal communications. Perform regular data backups. Make sure that you can quickly access the backups in an emergency.
  5. Track current attacker TTPs using Threat Intelligence data.
  6. Train and instruct your employees on how to keep the corporate environment secure. Specialized courses can help with this.
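As an added example (not from the article or from any of the quoted experts), here is a small Python detector covering two of the points raised above: the password brute-forcing of Internet-exposed RDP that Anton Kuznetsov describes, and the monitoring of outgoing traffic for data exfiltration recommended in item 4. The log record layout, the 10.0.0.0/8 internal address range and the thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed sample records, not real telemetry. Auth events mimic Windows Security
# log fields: (timestamp, event_id, logon_type, source_ip), where 4625 is a failed
# logon and logon type 10 (RemoteInteractive) means an RDP session attempt.
AUTH_EVENTS = [
    ("2023-02-01T03:00:01", 4625, 10, "203.0.113.7"),
    ("2023-02-01T03:00:03", 4625, 10, "203.0.113.7"),
    ("2023-02-01T03:00:05", 4625, 10, "203.0.113.7"),
    ("2023-02-01T03:00:06", 4625, 10, "203.0.113.7"),
    ("2023-02-01T03:00:08", 4625, 10, "203.0.113.7"),
    ("2023-02-01T03:00:09", 4625, 10, "203.0.113.7"),
    ("2023-02-01T09:15:00", 4625, 10, "10.0.5.21"),  # one mistyped password by staff
    ("2023-02-01T09:15:30", 4624, 10, "10.0.5.21"),  # followed by a successful logon
    ("2023-02-01T11:00:00", 4625, 2, "10.0.5.40"),   # console failure, not RDP
]
# Constructed flow records: (src_ip, dst_ip, bytes_sent).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed municipal address space
FLOWS = [
    ("10.0.5.21", "10.0.1.5", 900_000_000),          # internal backup traffic, ignored
    ("10.0.5.33", "198.51.100.80", 12_000_000_000),  # 12 GB sent to an external host
    ("10.0.5.40", "198.51.100.9", 3_000_000),        # ordinary web traffic volume
]

def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=2)):
    """Source IPs with at least `threshold` failed RDP logons inside any sliding window."""
    recent = defaultdict(deque)  # per-source timestamps of recent failures
    flagged = set()
    for ts, event_id, logon_type, src in sorted(events):
        if event_id != 4625 or logon_type != 10:
            continue
        t = datetime.fromisoformat(ts)
        q = recent[src]
        q.append(t)
        while t - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged

def exfil_candidates(flows, threshold_bytes=1_000_000_000):
    """Internal hosts that sent more than threshold_bytes to addresses outside INTERNAL."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if ipaddress.ip_address(dst) not in INTERNAL:
            totals[src] += nbytes
    return {src for src, total in totals.items() if total > threshold_bytes}
```

On the sample data, rdp_bruteforce_sources(AUTH_EVENTS) returns {'203.0.113.7'} and exfil_candidates(FLOWS) returns {'10.0.5.33'}; in practice the thresholds would be tuned to the baseline of the network being monitored.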

Protecting digital cities

Many participants in our survey noted that financially motivated attackers are unlikely to deliberately seek out municipal infrastructure. At the same time, it is reasonable to assume that with the development of smart city systems and the end-to-end digitalization of transport, housing and public services management, this situation may change.

One significant advantage here is that today's IT services are built with existing threats in mind. Hacking a digital municipality will therefore be much harder than infecting an outdated computer belonging to a city hall employee.
 