
ransomware

TxDOT hit with ransomware

Not great.

Texas’ transportation agency has become the second part of the state government to be hit by a ransomware attack in recent days.

On Thursday, someone hacked into the Texas Department of Transportation’s network in a “ransomware event,” according to a statement the department posted on social media Friday.

The department’s website says some features are unavailable due to technical difficulties, but it is not clear what functions were affected by the attack. Agency officials did not respond to emailed questions Sunday.

[…]

Upon detecting the hack, staff at the transportation department “immediately” isolated the affected parts of the network and “shut down further unauthorized access,” according to the statement. James Bass, the department’s executive director, said his staff is “working to ensure critical operations continue during this interruption.” The hacks follow a ransomware attack of unprecedented size that hit more than 20 local governments in Texas last summer.

See here for more on the attack on the court system’s website. In 2019, there was a coordinated attack on the systems of multiple small cities and counties.

I can’t find much in the way of news on this, so here’s TxDOT’s statement, via Twitter:

Maybe these two attacks are unconnected – there’s not enough information, such as what type of ransomware was involved and what the vector for it was, for me to take a guess – but the fact that there were two such attacks in a short period of time on two state systems sure seems suspicious to me. If I were at the state Department of Information Resources, I would be very busy, and more than a little concerned, right now. KXAN, CBS DFW, and Bleeping Computer have more.

Ransomware attack on state court system

Not great.

Websites for the Texas court system were still down Monday after a ransomware attack late last week left the network temporarily disabled, according to the Office of Court Administration.

Officials discovered the breach early Friday and quickly shut down sites and disabled servers to contain it, the office said in a statement. The hack did not impact e-filing and other services, many of which have been transferred to the cloud in recent years, according to the office.

“At this time, there is no indication that any sensitive information, including personal information, was compromised,” the office said. It added that websites for local trial courts are still available online.

The office said it detected the breach early and has refused to pay any ransom. While the courts have moved increasingly to remote hearings amid the coronavirus pandemic, the attack was unrelated, according to the office.

Officials have not said when the system will be back online, but they have set up a temporary website and are working with law enforcement and the Texas Department of Information Resources to investigate the attack.

As the story notes, this is not the first time that Texas governmental entities have been targeted by ransomware. The first thing that TDIR will need to figure out is whether this was actually targeted, or just a crime of opportunity, perhaps the result of someone opening a phishing email. If you follow this sort of news, you know that ransomware attacks are on the increase around the world; here’s a prominent recent example. I’m sure the system will recover from this, and good for the OCA if they detected it quickly. We just need to up our vigilance and defensive measures to stay on top of this.

“Coordinated cyberattack” on several Texas cities

That doesn’t sound good.

Twenty-three Texas towns have been struck by a “coordinated” ransomware attack, according to the state’s Department of Information Resources.

Ransomware is a type of malicious software, often delivered via email, that locks up an organization’s systems until a ransom is paid or files are recovered by other means. In many cases, ransomware significantly damages computer hardware and linked machinery and leads to days or weeks with systems offline, which is why it can be so costly to cities.

According to a weekend update by the Texas DIR, the attacks started Friday morning and though the locations aren’t named, “the majority of these entities were smaller local governments.”

Texas Governor Greg Abbott ordered a “Level 2 Escalated Response” on Friday following the incident, according to a statement from Governor’s Office deputy press secretary Nan Tolson. This response level, determined by the state’s Department of Emergency Management, is part of a four-step response protocol, and is one step below the highest level of alert, level 1 or “emergency.”

According to the state emergency management planning guide, this means “the scope of the emergency has expanded beyond that which can be handled by local responders. Normal state and local government operations may be impaired.”

In addition to the state and local agencies assisting with the response, “Governor Abbott is also deploying cybersecurity experts to affected areas in order to assess damage and help bring local government entities back online,” Tolson said.

This NPR story has more details.

The Federal Bureau of Investigation and state cybersecurity experts are examining the ongoing breach, which began Friday morning and has affected mostly smaller local governments. Officials have not disclosed which specific places are affected.

Investigators have also not yet identified who or what is behind the attack that took the systems offline, but the Texas Department of Information Resources says the evidence so far points to “one single threat actor.”

Elliott Sprehe, a spokesman for the department, said he was “not aware” of any of the cities having paid the undisclosed ransom sought by hackers. He said the areas impacted are predominantly rural. The department initially put the number of cities attacked at 23.

Two cities so far have come forward to say their computer systems were affected. Officials in Borger, in the Texas Panhandle, said the attack has affected city business and financial operations. Birth and death certificates are not available online, and the city can’t accept utility payments from any of its 13,250 residents. “Responders have not yet established a time-frame for when full, normal operations will be restored,” city officials said.

[…]

Experts say that while government agencies have increasingly been hit by cyberattacks, simultaneously targeting nearly two dozen cities represents a new kind of cyberassault.

“What’s unique about this attack and something we hadn’t seen before is how coordinated this attack is,” said threat intelligence analyst Allan Liska. “It does present a new front in the ransomware attack,” he said. “It absolutely is the largest coordinated attack we’ve seen.”

Liska’s research firm, Recorded Future, has found that ransomware attacks aimed at state and local government have been on the rise, finding at least 169 examples of hackers breaking into government computer systems since 2013. There have been more than 60 already this year, he said.

The city of Keene, near Fort Worth, was also hit, and their Mayor said the attack came via their IT provider, as these small towns outsource that task since they don’t have sufficient resources to do it themselves. This is a real problem that’s going to keep happening, and we really should put more money and effort into fighting against it at a state and national level. Good luck to all involved in cleaning up the mess. A more recent statement from the Texas DIR is here, and the Star-Telegram, the Chron, and the Trib have more.