The IT team in Methuen, Mass., stopped what officials called a nearly successful “world-ending” ransomware attack that originated from a malicious email attachment sent to a city staffer.
(TNS) — An attempt over the summer by Eastern European hackers to gain entry into the city's computer system — with its information about taxpayers, employees and much more — was nearly successful, according to city officials, but quick action helped keep the information secure.
Mayor Neil Perry said Tuesday the hacking attempt was one of the reasons city councilors held an executive session July 13, during which they voted to spend $272,000 in emergency funds to buy hardware and software to combat the threat. The funding was also used for a forensic audit of the entire IT system to determine if there were other hidden threats.
That behind-closed-doors vote was criticized by some and prompted the Eagle-Tribune to file a claim with the state Attorney General that the city violated the Massachusetts open meeting law by voting to spend money out of view of the public. The Tribune has withdrawn the complaint in light of the new information.
Perry, along with several city councilors and City Solicitor Richard D'Agostino, outlined the details of the hacking threat in a Zoom call with The Eagle-Tribune, while also justifying why they had to take the vote behind closed doors.
They said that now that the system has been beefed up with added security measures, new computers and more, they can discuss the matter publicly without fear of additional harm from other hackers.
During the July executive session, Perry made a compelling case to councilors about why they should agree to a $272,000 emergency spending request to buy equipment and pay the city's consultants to shut down what he called a "phishing attack."
On July 8, he reported, the city learned that hackers had sent an email to an unsuspecting employee, who then opened an attachment that contained ransomware.
Ransomware, he said, is used to take over the IT systems of cities, towns, businesses, school districts and other entities that might pay a ransom to get their systems and data back.
Baltimore, for example, was attacked several years ago and paid $6 million in ransom. Then the city spent another $18 million building an entirely new IT system.
Had the hackers succeeded in Methuen, Perry told the councilors in executive session, it would have been a "world-ending event for Methuen."
The city was facing a deficit brought on by the COVID-19 crisis and any kind of ransom paid to hackers would have made matters much worse.
It was this type of doomsday scenario officials hoped to avoid when asking for the approval to spend more than a quarter-million dollars.
A company called ITMS and another called Blackpoint, both of which worked for the city at the time, identified the ransomware threat within an hour of the email being opened by the employee, Perry said. The companies then successfully isolated it.
But the threat continued nearly every day for three months, forcing ITMS and Blackpoint to continually isolate the ransomware while also building a new IT system.
"This was a repetitive cyberattack," Perry said. "Every couple of days, they were trying to get in."
Perry said ITMS told the mayor and other city officials that Methuen's aging IT infrastructure made it highly vulnerable.
The city was using Windows 7, an outdated operating system that Microsoft stopped supporting in January.
"The city has neglected IT for a decade, just kicked it down the road," said City Councilor Nicholas DiZoglio, who serves on the City Council's IT subcommittee, which has been pushing for improvements to the system since Perry came into office in January. "The license of Windows 7 went out a year ago. Our tech is too old and somebody got ahead of us."
Had the attack succeeded, DiZoglio added, personal information about residents would have been compromised, including "death certificates, birth certificates, Social Security numbers — all would be vulnerable — and all our employees' information."
He said the cyberattack sped up much-needed improvements.
Since July, the city has installed Windows 10 and Microsoft Office 365, the latest technology package. That improves, but doesn't guarantee, the security of data, Perry said, adding that a number of other measures have been implemented that he could not discuss.
City Councilor Steve Saba, a frequent critic of the mayor, said in this case, Perry did all the right things.
"I said, here's a guy who was a senior manager at one of the most secure companies in the world, Raytheon, and when he updated what was happening during that executive session, he was scared," Saba recalled. "The council understood something had to be done immediately."
Saba and other city officials stressed that the meeting had to be held in secret because broadcasting that the city was under threat of a ransomware attack would only embolden other hackers.
Perry said the hackers "compete with each other" over vulnerable systems, and probably would have done that in Methuen.
"That's the reason we kept this on the down-low," he said.
City Solicitor Richard D'Agostino agreed.
"We had to be secret, or it would have opened the floodgates of cyberhacking," he said. "We were able to hold it to one intruder we knew of, and there were no other attempts by others. Had we revealed it, others would have tried. ... It becomes a race to kidnap your system."
In the aftermath of the attacks, the city is conducting cybertraining for all employees, as well as training on Windows 10 and Office 365. Desktop computers have been replaced in every major department in the city.
©2020 The Eagle-Tribune, Distributed by Tribune Content Agency, LLC.