[BreachExchange] Cyberattack Shackles Town

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Fri Oct 15 12:03:46 EDT 2021


https://www.moonshineink.com/tahoe-news/cyberattack-shackles-town/

In the early morning hours of July 22, the Town of Truckee’s manager,
Jennifer Callaway, learned from a member of the town’s IT staff, Kimberly
English, that the town’s IT system was breached and being attacked.

“The breach did not happen by clicking on a link in an email; it was a
variant of malware that mines for passwords and once a password is
obtained, infiltrates into the system,” Callaway told Moonshine Ink in a
later email.

Staff members quickly shut down the entire IT system and activated the
town’s Emergency Operations Center. Internet capabilities were gone,
historic records and emails were blocked, and requests could not be
fulfilled, Callaway said.

Investigators directed people involved not to comment about the attack
right away. At the town council’s regular second monthly meeting on Sept.
28, Callaway gave her first public account. “You don’t realize how
paralyzing this is until you go through it,” she said.

The cyberattack was an infection of malware that disables or encrypts an IT
system, rendering it unusable. It’s a trend: Bad actors from overseas and
within the U.S. have been launching similar attacks, often demanding money
in exchange for freeing up the software or information. Such ransomware
incidents multiplied by 300% last year, and the dollar amounts of demands
have risen, according to the U.S. Department of Justice.

The attacks have temporarily halted operations at many organizations. This
spring, a breach similar to the Town of Truckee’s led to a precautionary
shutdown of a network at one of the nation’s largest pipelines, Colonial
Pipeline. The incident caused gas
shortages and high gas prices across the East, according to reporting by
National Public Radio. That attack happened through a leaked account
password, according to Bloomberg.com. In May this year, the Metropolitan
Transportation Authority of New York announced a cyberattack had exposed
vulnerabilities in its system without forcing a shutdown of services,
according to the New York Times.

In her 10-minute, pre-written report, Truckee town manager Callaway
described how in the morning after the attack, employees plugged away
despite having none of their regular work tools: no computers, internet
access, or recent records.

“Town staff responded immediately and effectively by shutting down the
town’s IT network completely, literally pulling cords,” she said. “This
included all of our phones, access to data, and our access to all that
exists behind our firewall. All of that was shut down.”

Truckee Mayor Anna Klovstad later affirmed the hard work in an email to
Moonshine Ink. “It has been more difficult on staff than anyone outside the
organization can really comprehend,” Klovstad said. “Just try to imagine
being shut out of all your email and work files completely and you still
have to do your job.”

The town’s insurance provider was contacted, Callaway said, and they
assembled their response team. “The response team provided us with
instructions and recommendations on how to move forward,” she said. The
town notified the FBI, the California Office of Emergency Services, and
other public entities that have experienced similar events.

Investigators of the town incident either do not know yet, or will not
reveal, who precipitated the attack. Answering questions that stemmed from
public rumors that a ransom was paid, Callaway told Moonshine Ink, “We are
not at liberty to discuss that much at this point.”

As tough as the situation has been for staff members, it also shackled the
work of some residents and employees. For example: builders who’d applied
for permits for houses, decks, and additions found their applications
stalled; people searching historical records hit blank holes; employees
could not access emails of the past.

Town employees hesitated to say much about the incident in the early days
of the enforcement agencies’ investigations. This impacted people needing
services.

“There was zero transparency,” said Michael Douglas, a draftsperson who was
already frustrated by long building department delays that had evolved
during the Covid-19 pandemic as people moved to town, bought houses, and
scheduled improvements.

“There is a short window for prime construction weather in Truckee,” he
said. “The cyberattack happened at the worst possible time. There should
have been a little bit more communication/leniency … Projects that were
supposed to be under construction this year got pushed to next year.”

The town worked through the backlog and began accepting permit applications
again on Aug. 23, according to Callaway.

Her report addressed the community frustration. “With an abundance of
caution, as we move to the recovering and rebuilding efforts, we have not
been able to be as transparent as we normally would, or we’d like to be —
as transparent as our community expects and deserves,” she said. “So, we
apologize for that. But I have to say that my first obligation is to make
sure our town is protected, and our town assets are protected, and that’s
what we’ve been focused on the last couple of months as we’ve been
recovering, rebuilding, and restoring.”

The town lost access to valuable information, “[including] permits that had
been submitted and those that were in the review process,” Callaway said.
“In response, staff rebuilt the entire permit queue and all the permit
files by working directly with applicants and our third-party plan review
firms. We were only recently able to recover the data and we are now caught
up with resubmittal … We are approximating about six weeks behind in that
process. We’re working hard to bring on additional staff to reduce
turnaround times.”

Public records were also affected. “We have several pending public records
requests, many of which we cannot fill at this point,” she said. “We are
still working to bring Laserfiche back, which contains the majority of the
town’s historical documents. Once this is restored, which we expect to be
[in] approximately three weeks, we can begin to process the requests we
have.”

Some data will remain permanently out of reach, including staff emails
written before the attack. “At this point it doesn’t appear we’ll be able
to restore our legacy emails or emails prior to about a month ago,”
Callaway said. “That particular server, which contained Microsoft Exchange,
was impacted with a malicious piece of malware, and it’s been recommended
by our forensic investigators that we don’t turn that on at the risk of
spreading that further into our system. That could change in the future,
but this is what we know as of today.”

Council members approved spending a total $1.13 million to recover from the
attack and upgrade the town’s IT system to meet the National Institute of
Standards and Technology Cyber Security Framework. About $262,000 was for
remediation and forensic investigation covered through insurance, according
to a staff report, and the rest was for software rebuilding and purchase,
backup solutions, networking, and other costs. Expenses not covered by
insurance will come from the town’s general fund and enterprise fund
(building and safety, parking, transit, and solid waste), according to the
staff report. It stated the town was already in process and had allocated
some funding for an IT upgrade before the attack. The town hired
cybersecurity experts from the company ePlus to guide the rebuilding
process.

Callaway said the town is moving forward at a good pace. “We’re now two
months and a few days post breach, and while the past few months have been
incredibly challenging — and I can’t stress that enough — at this point
we’ve been able to build new security systems, recover our data, and
restore many of our systems.”

Protect Thyself:
The Department of Justice recently created a website, stopransomware.gov,
to help cyberattack victims recover. “Roughly $350 million in ransom was
paid to malicious cyber actors in 2020, a more than 300% increase from the
previous year,” the site reports. “Further, there have already been
multiple notable ransomware attacks in 2021, and despite making up roughly
75% of all ransomware cases, attacks on small businesses often go
unnoticed. Like most cyberattacks, ransomware exploits the weakest link.”

Stopransomware.gov recommends taking the following steps to help prevent a
cyberattack:

- Update software and operating systems with the latest patches. Outdated
  applications and operating systems are the target of most attacks.
- Never click on links or open attachments in unsolicited emails.
- Back up data on a regular basis. Keep it on a separate device and store it
  offline.
- Follow safe practices when using devices that connect to the Internet.