phishing

“Coordinated cyberattack” on several Texas cities

That doesn’t sound good.

Twenty-three Texas towns have been struck by a “coordinated” ransomware attack, according to the state’s Department of Information Resources.

Ransomware is a type of malicious software, often delivered via email, that locks up an organization’s systems until a ransom is paid or files are recovered by other means. In many cases, ransomware significantly damages computer hardware and linked machinery and leads to days or weeks with systems offline, which is why it can be so costly to cities.

According to a weekend update by the Texas DIR, the attacks started Friday morning and though the locations aren’t named, “the majority of these entities were smaller local governments.”

Texas Governor Greg Abbott ordered a “Level 2 Escalated Response” on Friday following the incident, according to a statement from Governor’s Office deputy press secretary Nan Tolson. This response level, determined by the state’s Department of Emergency Management, is part of a four-step response protocol, and is one step below the highest level of alert, level 1 or “emergency.”

According to the state emergency management planning guide, this means “the scope of the emergency has expanded beyond that which can be handled by local responders. Normal state and local government operations may be impaired.”

In addition to the state and local agencies assisting with the response, “Governor Abbott is also deploying cybersecurity experts to affected areas in order to assess damage and help bring local government entities back online,” Tolson said.

This NPR story has more details.

The Federal Bureau of Investigation and state cybersecurity experts are examining the ongoing breach, which began Friday morning and has affected mostly smaller local governments. Officials have not disclosed which specific places are affected.

Investigators have also not yet identified who or what is behind the attack that took the systems offline, but the Texas Department of Information Resources says the evidence so far points to “one single threat actor.”

Elliott Sprehe, a spokesman for the department, said he was “not aware” of any of the cities having paid the undisclosed ransom sought by hackers. He said the areas impacted are predominantly rural. The department initially put the number of cities attacked at 23.

Two cities so far have come forward to say their computer systems were affected. Officials in Borger, in the Texas Panhandle, said the attack has affected city business and financial operations. Birth and death certificates are not available online, and the city can’t accept utility payments from any of its 13,250 residents. “Responders have not yet established a time-frame for when full, normal operations will be restored,” city officials said.

[…]

Experts say that while government agencies have increasingly been hit by cyberattacks, simultaneously targeting nearly two dozen cities represents a new kind of cyberassault.

“What’s unique about this attack and something we hadn’t seen before is how coordinated this attack is,” said threat intelligence analyst Allan Liska. “It does present a new front in the ransomware attack,” he said. “It absolutely is the largest coordinated attack we’ve seen.”

Liska’s research firm, Recorded Future, has found that ransomware attacks aimed at state and local government have been on the rise, finding at least 169 examples of hackers breaking into government computer systems since 2013. There have been more than 60 already this year, he said.

The city of Keene, near Fort Worth, was also hit, and its mayor said the attack came via the city’s IT provider; these small towns outsource that task because they don’t have sufficient resources to do it themselves. This is a real problem that’s going to keep happening, and we really should put more money and effort into fighting against it at a state and national level. Good luck to all involved in cleaning up the mess. A more recent statement from the Texas DIR is here, and the Star-Telegram, the Chron, and the Trib have more.

Cyber insurance

Seems like a good idea.

Houston City Council on Wednesday unanimously agreed to spend $471,000 on cyber insurance, becoming the latest Texas municipality trying to bolster its response to growing technological risks.

The insurance can cover up to $30 million in expenses related to security breaches in the city’s network, including crisis response, recovery of losses and answers to legal claims stemming from cyberattacks.

While some data breaches are preventable, the prevalence of cybersecurity threats against city governments nationwide prompted Houston to take steps to insure itself, said At-large Councilman David Robinson, chairman of council’s Transportation, Technology and Infrastructure committee.

“There are those things that are just beyond the reach or scope of expected due diligence and preparation,” Robinson said. “You need to be prepared for the unknown.”

In the event of a cyberattack, such as hacking or phishing, in which people pose as trustworthy sources to obtain money or information, the insurance coverage could pay for crisis management resources, computer forensics, credit monitoring and call center services.

After a security threat is detected, the new policy could cover any loss of income or expense from the interruption of computer systems, according to council background materials outlining the insurance. It could be used to pay the cost of restoring or recollecting data affected by a cyberattack, as well as the cost of investigating threats. The insurance policy also can be used for liability claims made against the city for failing to protect data or prevent access to confidential information.

This makes sense. Of course, as an organization you want to do everything you can to prevent an incident, but as we say in the business, it’s not a matter of if you’ll get hacked, it’s a matter of when. Like what happened to Harris County earlier this year. All of your vendors and suppliers and business partners are potential avenues for compromise, too. While I hope we’ll never need to use it, this is a smart investment.

Harris County could use a bit of cybersecurity training

Oopsie.

On Sept. 21, not three weeks after Houston was ravaged by Hurricane Harvey, the Harris County auditor’s office received an email from someone named Fiona Chambers who presented herself as an accountant with D&W Contractors, Inc.

The contractor was repairing a Harvey-damaged parking lot, cleaning up debris and building a road for the county, and wanted to be paid. Chambers asked if the county could deposit $888,000 into the contractor’s new bank account.

“If we can get the form and voided check back to you today would it be updated in time for our payment?” read a Sept. 25 email from Chambers.

On Oct. 12, Harris County sent the money out. The next day, the county quietly was scrambling to get it back, after being alerted that the account did not belong to D&W, that Chambers did not exist and that county employees had been duped by a fraudster.

The county recouped the payment, but the ongoing investigation into who tried to take the county’s money and nearly got away with it has ignited a debate over the financial security and cyber security of the third-largest county in America. That debate comes as experts point to a growing number of increasingly sophisticated attackers from around the world, homing in on untrained employees or system vulnerabilities.

The incident now has become wrapped into an FBI investigation into a group that has attempted to extort local governments around the world, law enforcement officials said.

Meanwhile, some officials are moving to revamp their practices as others say further scrutiny of county defenses is necessary.

There’s a lot going on here, and a lot of room for process improvement. The county can provide training to employees to better recognize phishing attempts, and send out test emails to ensure that the training took hold. Extra checks and verifications, like pre-screening vendors and maintaining a list of approved vendors, can be put into place before any payments are made. It also means keeping on top of threat intelligence, to know what new scams are going around, and ensuring that the email system and the proxy servers recognize junk mail and malicious websites. Cybersecurity is a process, and it contains multiple layers. The fact that the county almost got scammed is in itself not a great shame – it does happen, to many organizations – but only if the opportunity to learn and improve from it is fully embraced.