[BreachExchange] 8 days after cyberattack, Baltimore’s network still hobbled

Destry Winant destry at riskbasedsecurity.com
Thu May 16 10:18:07 EDT 2019


https://wtop.com/baltimore/2019/05/8-days-after-cyberattack-baltimores-network-still-hobbled/

More than a week after a cyberattack hobbled Baltimore’s computer
network, city officials said Wednesday they can’t predict when its
overall system will be up and running and continued to give only the
broadest outlines of the problem.

Baltimore’s government rushed to take down most computer servers on
May 7 after its network was hit by ransomware. Functions like 911 and
EMS dispatch systems weren’t affected, officials say, but after eight
days, online payments, billing systems and email are still down.
Finance department employees can only accept checks or money orders.

No property transactions have been conducted since the attack,
exasperating home sellers and real estate professionals in the city of
over 600,000. Most major title insurance companies have even
prohibited their agents from issuing policies for properties in
Baltimore, according to the Greater Baltimore Board of Realtors.

Citing an ongoing criminal investigation, Baltimore’s information
technology boss Frank Johnson and other city leaders said Wednesday
they could provide no specifics about the attack from the ransomware
variant RobinHood or realistically forecast when the various hobbled
layers of the city’s network would be back up.

“Anybody that’s in this business will tell you that as you learn more
those plans change by the minute. They are incredibly fluid,” said
Johnson, stressing that city employees, expert consultants and others
were working “round the clock” to mend the breached network.

The FBI’s cyber squad agents have been helping employees in Maryland’s
biggest city try to determine the source and extent of the latest
attack.

Johnson’s tenure has now included two major breaches to the city’s
computer systems. This month’s problems come just over a year since
another ransomware attack slammed Baltimore’s 911 dispatch system,
prompting a worrisome 17-hour shutdown of automated emergency
dispatching. The March 2018 attack required operating the critical 911
service in manual mode.

Johnson is one of the city’s highest paid employees, earning $250,000
a year. That’s more than the mayor, the city’s top prosecutor and the
health commissioner are paid. This latest attack came about a week
after the firing of a city employee who, the inspector general said,
had downloaded thousands of sexually explicit images onto his work
computer during working hours.

While all municipalities are menaced by malware, cybersecurity experts
say organizations that fall victim to such attacks often haven’t done
a thorough job of patching systems regularly.

Asher DeMetz, lead security consultant for technology company Sungard
Availability Services, suggested that eight days was a long time for a
network to remain down.

“The City of Baltimore should have been prepared with a recovery
strategy and been able to recover within much less time. That time
would be dictated by a risk assessment guiding how long they can
afford to be down,” DeMetz said in an email. “They should have been
ready, especially after the previous attack, to recover from
ransomware.”

City Solicitor Andre Davis said Baltimore was working “hand in glove”
with the FBI, Microsoft officials, and expert contractors that he and
other officials declined to identify. Before TV news crews, Davis
likened the cyberattack to a brutal assault, a comparison that many
residents can clearly understand in a city struggling to bring down
one of urban America’s highest rates of violent crime.

“My preferred way of thinking about it is: The city network was
viciously assaulted by a culprit and seriously injured,” Davis said.
Baltimore’s top lawyer portrayed the city network as an injured
patient who has emerged from the ICU and faces a “long course of
physical therapy.”

Baltimore authorities, who hope to prosecute the culprit behind the
latest attack, said they were in close contact with counterparts in
Atlanta. Last year, a ransomware attack significantly disrupted city
operations there and caused millions of dollars in losses. In
December, two Iranian men already indicted in New Jersey in connection
with a broad cybercrime and extortion scheme were indicted on federal
charges in Georgia related to that ransomware attack demanding payment
for a decryption key.

It’s not clear what culprits are demanding from Baltimore’s City Hall.

“We’re not going to address or discuss in any way the ransom demand,”
Davis said.

