[BreachExchange] Azusa police suffered a ransomware attack in 2018. The city kept it secret

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Fri Jun 4 16:49:49 EDT 2021


https://www.latimes.com/california/story/2021-06-03/azusa-ransomware-attack-2018-kept-secret

The recent ransomware attack that spilled thousands of sensitive Azusa
Police Department files online was not the first time hackers demanding
money had infiltrated the agency’s computer systems.

In response to queries from The Times, city officials acknowledged this
week that foreign hackers seized control of the police dispatch system and
other data for more than a week in 2018.

The attack forced Azusa to rely on other departments for help with 911
operations and cost the city more than $50,000, but officials never
informed citizens it occurred.

“We did not make a public statement and did not have to file anything
legally because we could confirm that no data was migrated out” of the
police servers, said city manager Sergio Gonzalez.

About a week into the 2018 hack, the city’s cybersecurity insurance
carrier, Chubb, paid $65,000 to the attackers to regain access to a server
containing the dispatch system and arrest data, the most critical of about
a dozen servers affected, Gonzalez said.

Subsequently, a Chubb “breach coach” was able to locate digital keys online
that allowed the city back into its other servers without paying additional
ransom. Gonzalez said the process took “a few weeks.” Because of its
insurance deductible, Azusa had to cover $50,000 for costs including
computer forensic work.

The hack was ultimately traced to an email attachment opened by a police
employee. Though the sender appeared to be an official at a state agency,
the email originated with the hackers, and the attachment unleashed a virus
that allowed the hack.

Employees were counseled extensively to be on guard for suspicious emails,
but this spring, a different hacking group pierced the system again.

“We looked at our software system, antiviral system [and got it] to what we
thought was a better position,” Gonzalez said, “but these attacks have
become a lot more sophisticated.”

Ransomware attacks have surged this year around the globe. Law enforcement
agencies in Illinois, Maine and Washington, D.C., have been hit alongside
private-industry targets.

The entry point appears to have been a link in an email that seemed
innocuous, he said.

In the most recent hack, the police were not locked out of their computers.
Instead, the suspected assailants, a group known as DoppelPaymer, announced
in early March that they had copied huge amounts of data and would release
it on the so-called dark web if a ransom wasn’t paid.

DoppelPaymer demanded 15.5 bitcoin, which was worth about $800,000 at the
time, Gonzalez said.

Chubb balked, citing recent warnings from the U.S. Department of Treasury
about possible sanctions for ransomware payments to groups designated as
“malicious cyber actors.” One group placed on the Treasury sanctions list
in 2015, Russian-based Evil Corp., is believed to be connected to
DoppelPaymer.

When the ransom deadline passed, the hackers placed 7 gigabytes of Azusa
data online. The materials included investigative files, including
recordings of witness interviews, a gang database and arrest reports, as
well as officer payroll data. As of Monday, the index page for the data had
received more than 11,000 views.

Azusa has urged anyone who has provided personal information to the Police
Department to contact a special helpline — (855) 535-1860, 6 a.m. to 6 p.m.
Monday through Friday — and to check with credit agencies to ensure they
haven’t been targeted for identity theft.