[BreachExchange] Online leak undermines Torrance’s claim that no personal data was affected by cyberattack

[Destry Winant]

https://www.scmagazine.com/home/security-news/cybercrime/online-leak-undermines-citys-claim-that-no-personal-data-was-affected-by-cyberattack/

A new online post by the DoppelPaymer gang further suggests that a
cyberattack experienced by Torrance, California in late February-early
March was a case of ransomware — one that appears to have affected
personal data, despite the Los Angeles-area city’s claims otherwise.

Brett Callow, threat analyst at Emsisoft, shared several examples of
sensitive data published on DoppelPaymer’s doxxing site, where the
threat actors post documents stolen from victims as part of an
extortion scheme. Examples included a probation violation form from
the Torrance City Attorney’s Office; a declaration in support of
access to juvenile records filed with the Superior Court of
California, County of Los Angeles; and a budget import audit listing.

BleepingComputer has reported that the attackers demanded a 100 ransom
— which falls a bit short of $700,000 — after decrypting key files and
exfiltrating breached data under the threat of publishing it.

In a March 1 press release set up on a temporary website, Torrance
acknowledged the attack in generic terms, referring to an incident as
a “digital compromise interrupting email accounts and server
function,” resulting in the disruption of some city business services.
Ransomware was not specifically cited as the cause.

In that statement, the city asserted that “Public personal data has
not been impacted.” But if DoppelPaymer’s new post is, indeed,
authentic, then this statement is wrong.

“I don’t know why governments make these hasty claims,” Callow told SC
Media. “A more accurate statement would be, ‘We’ve been hit by a
ransomware group which is known to steal data, but cannot yet say
whether our data was stolen. We’ll only know that when either a) the
criminals publish it or b) we complete our forensic investigation in a
month’s time. Meantime, people should be on the lookout for spams,
scams and fraudulent activity on their accounts.'”

However, Michael Smith, public information officer with Torrance, told
SC Media that “Our initial press release still stands [on] its
merits,” also noting that “there’s no update at this point.”

Smith said all systems were restored to normal functionality prior to
the March COVID-19 lockdowns experienced by California and most other
U.S. states. In that sense, the city was fortunate to have bounced
back before encountering a major crisis that could very well have
slowed down its recovery.

SC Media asked cyber companies what might happen if an attack similar
to the one experienced by Torrance were to take place under current
COVID-19 conditions.

“In the case of an attack like this, they have to: one, see where it
is spread, and two, see where it came from. They have to work
backwards from the breach down to the actual systems that are
infected,” said Brook Chelmo. software and security product marketing
strategist at SonicWall. “This will limit city service and possibly
make it difficult for employees to work from home.”

In this hypothetical scenario, “the city may be focusing on keeping
VPN connectivity and the network stable for their work-from-home
users,” continued Chelmo. Noting that in real life many IT admins “are
complaining that procrastination sites and other streaming services
are impacting their ability to keep the network functional,” Chelmo
further observed that “trying to keep the network functional while
remediating this issue [would] be a difficult task. “