In the early morning of March 22, a large ransomware cyberattack dealt a widespread blow to the city of Atlanta, the state capital and home to the nation’s busiest airport. The breach shuttered many devices at City Hall for about five days in an extensive infection. Elsewhere across the enterprise, it significantly impacted law enforcement — temporarily returning police to writing incident reports by hand and costing the department access to nearly all its archived in-vehicle video.
It also affected internal- and external-facing applications alike, forcing the manual processing of cases at Atlanta Municipal Court and stopping online or in-person payment of tickets, water bills, and business licenses and renewals. Out of caution, officials also disabled the Wi-Fi at Hartsfield-Jackson Atlanta International Airport until April 2.
But while the city’s multifaceted response won some praise from cybersecurity professionals and criticism from others, officials say their work is far from over and describe their posture as one of continued alertness and ongoing evaluation. The attack remains the subject of an ongoing federal criminal investigation.
In May, the city restored its online water bill payment system, and the court’s online bill payment option and docket boards returned in June. Any additional systems not yet restored, according to then-Interim CIO Daphne Rackley, are minor, lower-impact systems and are being closely scrutinized for their enterprise-level usability.
Historically, the attack on Atlanta is considered the largest, most expensive cyberdisruption in city government to date. A troubling new trend may be part of the reason why the attack was so pervasive. Ransomware attacks have become more sophisticated, according to Kevin Haley, Symantec’s director of product management for security technology and response. Bad actors who entered the arena when the crime rose in popularity about two years ago have since left it to criminals who are really good at what they do, he said.
“I think many of us think that sort of thing is just not going to happen to us. You may be one of the lucky ones, but it’s less and less likely that you’re going to be one of the lucky ones every day,” said Haley. Lower-level, lower-cost attackers are still out there, but the duration of service impacts in Atlanta and the potential cost of the city’s response to the breach confirm a significant event occurred.
Brian Calkin, vice president of operations at the Multi-State Information Sharing and Analysis Center (MS-ISAC), supports the sophistication theory. Attackers are well aware they can increase ransom demands proportionately relative to the amount of data they encrypt, he said.
Marc Spitler, senior manager at Verizon Security Research and co-author of its most recent 2018 Data Breach Investigations Report, also sees a disturbing trend toward more professional attacks aimed at government and other institutions. “The breadth of the attack certainly shows that this was not your everyday, fire-and-forget, see-if-someone-takes-the-bait-style of attack,” he said.
Despite the breach, Atlanta’s 911 system and its emergency response were unaffected; and major utilities including water and sewer services continued unabated, said Roy Hadley, attorney at Adams and Reese LLP in Atlanta and legal counsel for cybersecurity controls to the city. This was possible because Atlanta retained the manual processes and institutional knowledge it needed to revert to traditional methods of service provision; and had plans in place to keep doing business while the incident unfolded, said Hadley and other city officials.
As the city responded to the breach, business continuity and operational impact assessment were going on simultaneously, said Ria Aiken, Atlanta’s director of the Office of Emergency Preparedness.
“A lot of municipalities and private-sector counterparts get so caught up in the response effort that they don’t recognize that as part of that response, you should immediately be thinking about how you are going to continue operations,” she added.
In the days following the breach, press conferences with Atlanta Mayor Keisha Lance Bottoms and other city officials emphasized that citizen data had not been compromised nor major services interrupted. (Photo: APImages.com)
City officials quickly reached out to the FBI, the Department of Homeland Security and the Secret Service and experts in the private sector, including Secureworks, as well as incident response teams from Microsoft and Cisco. They also worked with staff from Atlanta Information Management (AIM) to identify the threat and its magnitude, and to protect the perimeter of the technology footprint.
To keep residents and the media informed about the problem, the city utilized social media, adding a page to its website with information and news about the response and embedding video of two press conferences with Mayor Keisha Lance Bottoms. In the days immediately after the breach, C-level executives including Rackley and Chief Operating Officer Richard Cox joined Bottoms at press conferences that were livestreamed. Bottoms emphasized the uninterrupted availability of major public services and said residents’ information was not believed to have been compromised.
Calkin said MS-ISAC, part of the not-for-profit Center for Internet Security, offered to assist the city but got no response because they were busy, he assumed. “It sounds like they did everything that they could, leveraged all the resources both from the federal side and the private sector,” he said.
“To be able to pull that off successfully and then end up with a mitigated incident at the end, I think, speaks a lot to their strategy on how they’re coordinating all of this. And how well it’s going,” said Calkin, who characterized the breach as “significant.”
City officials have said little about the type of attack leveled against the city, its origin and whether they met attackers’ demands. But earlier this year, Kennesaw State University Professor Andrew Green, who lectures on information security and assurance, reviewed screengrabs of information from an Atlanta NBC affiliate and said it’s likely the attack was based on a virus from the Samas or SAMSAM family, which typically encrypts information or portions of a disk. The bad actor or actors in this breach reportedly demanded payment of around $50,000 in bitcoin.
Green criticized the city for withholding details about the attack. “I find it disappointing that the city has chosen to stay mostly closed-mouthed about the incident,” he said in an email. But Hadley pointed out that the criminal investigation led by the FBI is still ongoing, which “limits what we can say in terms of the vectors and the actual variant of the malware and stuff like that.” Atlanta City Council President Felicia Moore confirmed that the City Council hasn’t received “the extreme details” either, but acknowledged the sensitivity of the situation.
Ransomware on the Rise
Symantec’s pointed out that ransomware infections have steadily increased year-over-year since 2013, reaching a record high of 1,271 detections per day in 2016. However, in 2017 the number of new types of ransomware actually dropped, indicating a lack of new attack groups, according to the report.
While the number of attacks may be fluctuating, ransomware is no longer considered just another tool for cybercriminals. According to Symantec, ransomware is morphing into a highly sophisticated weapon of choice. For example, attack groups, including nation-states, are using ransomware to raise revenue, such as badly needed foreign currency reserves. Ransomware has also been used as a decoy to steal data or to sow confusion and to delay an effective response, which was the case when hackers used it to disrupt the electrical grid in Ukraine.
However, ransomware attacks continue to be costly. In 2017, costs from ransomware attacks reached $5 billion, 15 times the amount in 2015, according to CSO Online; damages from ransomware in 2019 are expected to hit $11.5 billion, according to Cybersecurity Ventures.
“The day-to-day operations is the responsibility of the executive branch and to the extent that it had sensitive security information, I think you have to accept that you don’t want to push for something that could jeopardize what they’re doing,” Moore said.
The cost of the city’s response to the cyberattack is also unclear, Aiken said, in part because while the city has cyberinsurance, the reimbursement process is ongoing. Citing a confidential, seven-page document it obtained in collaboration with a television news station, the Atlanta Journal-Constitution reported in August the city’s cost could top $17 million, a figure Moore also mentioned. “The last I heard, we were around $17 million, and it may be more. It’s not a static, one-time thing. It’s gone toward the emergency shoring-up, emergency procuring, for people, the company we hired,” Moore said.
The city council president’s characterization of Atlanta’s response — as an ongoing, evolving matter — reflects the city’s actual strategy following the breach and for the foreseeable future, officials said.
“We really want to look holistically at our applications and really rationalize applications,” Rackley said, noting that when the cyberattack happened, Atlanta had plans in place to migrate some applications, and had already moved its email systems and main enterprise resource planning system to the cloud.
According to Hadley, not all services will be 100 percent until that evaluation is complete. “As the threat continues to evolve, the city’s posture, architecture and holistic view will continue to evolve,” he said. “We’re restoring stuff but we’re also taking the opportunity to revalidate things and say ‘OK, is there a better way, a safer way, a more secure way in order to continue to provide these functions to the citizens of Atlanta?’”
When it comes to best practices to avoid a debilitating cyberattack, outright prevention should be a goal, said Verizon’s Spitler. IT officials must know their network architecture, invest in email infrastructure, and remain vigilant at all levels, scrutinizing emails and their attachments and looking for browser vulnerabilities. Multi-factor authentication is immensely valuable and segmentation is crucial, he added. Finally, state and local governments should have security zones segmented well within their own network to hinder bad actors from moving laterally should they open one device by brute force.
“If you cannot get on one system, then you cannot use that system to get on another one,” said Haley, the Symantec executive, who also urged agencies to have a plan to do backups, to back up data regularly and make it secure; and to be prepared to quickly take infected machines off the network should an incident or breach occur. He recommended agencies consult guidelines from the National Institute of Standards and Technology.
Calkin said governments should do regular user training and awareness, which are “often overlooked,” despite the fact that many compromises the organization has seen come from people “receiving phishing emails and clicking on links or opening malicious attachments.”
Atlanta officials highlighted the importance of protecting government data and information, and of bringing discipline to an agency’s approach to cybersecurity. According to Rackley, the city’s approach to cybersecurity rests on three pillars: governance with compliance, vulnerability management and overall threat management. In addition to limiting the financial impact of an incident or breach, a cyberinsurance policy can serve as a road map and help an agency develop the sustained drive it needs to further its cybersecurity goals, Hadley said.
“Part of the takeaway would be yes, get insurance. But use that insurance and the process of getting it to take a more critical look at what you’re doing as a municipality. Because it can help you figure out where you need to go, from a planning standpoint, from a resource standpoint,” Hadley said.
He also stressed the value in connecting with potential partners in the public and private sectors before an incident or breach occurs; and of identifying available resources before they may be critically needed.
But equally valuable is the idea of taking a step back from the smaller day-to-day tasks of enterprise-level IT management and cybersecurity to see the larger view. Getting the big picture, they noted, can better inform C-level executives on the individual surfaces in their enterprise; identify existing IT investments and any roadblocks such as siloing; and help reduce unnecessary applications.
“Our ultimate goal continues to [be to] evaluate the overall architecture, infrastructure, and evaluate our understanding of what the interdependencies are between systems and minimize the vulnerability of bringing particular applications online,” Aiken said. “Quite honestly, this will never stop. Because this is truly our core of our governance.”