Massachusetts Communities Fight Back Against Cyberattacks

Several local governments and school districts throughout Massachusetts have been victimized by cyber and ransomware attacks this year, a troubling and costly threat that experts don't expect to slow down.

by Elaine Thompson, Telegram & Gazette / September 23, 2019
Shutterstock/deepadesigns

(TNS) — It happened on July 3, the day before the busiest holiday of the summer. A hacker infiltrated the Athol, Mass., Police Department's computer network, paralyzing day-to-day operations and leaving officers to rely on the assistance of neighboring municipalities.

After working around the clock to mitigate the breach, the department was able to perform some of its regular functions. But, more than two months later, the police department in this northwestern Worcester County, Mass., town of about 12,000 is still not back to normal. One officer spends hours each day in addition to his court duties, manually transferring critical data - including investigations, arrest records and digital photographs - from hard copies to the department's server.

"We're still in the rebuilding stage. It's going to take a long time," Police Chief Craig A. Lundgren said of the ongoing headache caused when the hacker demanded $50,000 and later $30,000, which was not paid. "We lost a lot of records that were stored on our servers."

Athol - as well as other Massachusetts communities such as Charlton, Gardner, Leominster School District and Bay Path Regional Vocational Technical High School - is among several municipal governments and school districts throughout the state and across the country that have been victimized by cyber and ransomware attacks, a troubling and costly threat that experts don't expect to slow down. The Federal Bureau of Investigation has received more than 4 million internet crime complaints totaling $7.45 billion in total losses since 2000, when it opened its special IC3 office where complaints are reported. Just from 2017 to 2018, total losses due to those crimes nearly doubled from $1.4 million to $2.7 million.

Worldwide, ransomware damage losses are predicted to reach $20 billion, with an attack on a business every 11 seconds, by the end of 2021, according to Cybersecurity Ventures, a leading researcher and publisher covering the global cybereconomy. Attacks on individuals are more frequent.

Experts, including the FBI say the attacks come from inside and outside the country. And, in some cases, the attack is an inside job. Organized crime, gangs, disgruntled employees are among the growing number of cybercriminals. Tracing perpetrators is difficult.

Attack on Charlton

The FBI, however, was able to identify who attacked the Charlton town government's computer network with malicious software Aug. 30, leading to frozen documents, emails and main servers.

"...The attacker was identified as a group known to the FBI and that their MO was to encrypt data, not take data, and make a request for ransom which once paid an encryption key would be provided to the town," Charlton Town Administrator Robin L. Craver said, declining to discuss any ransom. She said hopefully more information about the criminals will be provided in a subsequent report from the FBI.

The attack was discovered by the Police Department in the early morning hours of Aug. 30 and immediately reported to MicroNet, the town's outside consultant for IT services. MicroNet shut down the servers, terminating the attack, and then began to rebuild servers and restore data, Ms. Craver said.

Three weeks after the attack, 14 of the town's 17 departments are caught up from any downtime and any reentry of data that may have been necessary. Two departments are back up on the system and in the process of reentering data. The Police Department is still in the process of having software brought back on line, and it has not yet been determined how much data will need to be reentered. Total cost associated with the breach has not yet been determined.

"It could have been much worse. Our team came in over the Labor Day weekend and worked every day," Ms. Craver said of the debilitating attack. "This is the first time we've seen anything like this. We have never had any type of attack like this before where our whole system was shut down."

Once the town is fully recovered, the town will review what has been learned from the cyberattack and what should be done to try to prevent future attacks. The town's insurance company is providing assistance from a cyberspecialist.

"The town recognizes that it is not possible to prevent every cyberattack, but wants to develop and implement a plan to ensure a faster recovery in the event of a future attack," said Ms. Craver. "Several municipalities were hit in Massachusetts and many other levels of government as well as the private sector have been hit across the country in the last six months. It has become the new norm and is now when, not if, you will be attacked."

Cities, towns bolster defense

All levels of government and private businesses are spending countless dollars and hours to beef up security and train employees to help thwart attacks. But cybercriminals – bent on causing massive damage and stealing money and information - are always close behind.

Worcester has not been a victim of a cyber or ransomware attack. To help prevent, delay or better respond to a hostile infiltration, the city has hired its first data security specialist to help safeguard the city's data by implementing additional security policies and identifying areas for improvement. A cybersecurity awareness trainer was also hired to deliver training to all city employees on an ongoing basis to make them aware of the various cybercrimes and scams since they are usually the prime targets in cyberattacks on municipalities.

Eileen M. Cazaropoul, the city's chief information officer who heads the Technical Services Department, said to date 1,601 employees who have city computer accounts have received the cybersecurity awareness training. Additional training will be conducted next month to coincide with October's National Cybersecurity Awareness Month.

Worcester was also awarded a grant from the state Executive Office of Technology Services and Security and will receive software licenses for employees to access the state's new cybersecurity training portal and take security courses that will be managed by the city's cybersecurity trainer. Like several other municipalities, Worcester has also received a state Community Compact IT grant to conduct an internal cybersecurity risk assessment.

"All we can do is keep doing what we're doing and hope employees use caution when opening and responding to an email – they are the primary target of a cybercriminal."

Shrewsbury Town Manager Kevin J. Mizikar said the town spends roughly $45,000 annually to bolster its defense against cyberattacks. It began training employees in 2013. Also, a monthly newsletter encourages employees to keep awareness high for things like phishing scams and on password strengthening.

The town in fiscal 2019 was awarded an $111,689 state Community Compact IT grant for the implementation of an integrated cybersecurity platform for town government, the schools and Shrewsbury Electric and Cable Operations.

Mr. Mizikar refuses to say whether the town has ever been a victim, citing an exemption for security measures in the Public Records Request law.

"It's our practice not to respond directly to that. We feel that either answer (yes or no) potentially puts the town in a vulnerable situation in terms of cybersecurity standpoint," Mr. Mizikar said during an interview in his office last week with John Covey, the town's chief information officer.

"We try to do all we can to prevent, protect and recover," Mr. Covey explained. He meets regularly with IT staff in the town and counterparts from other communities that are facing the same challenges. He also helps employees to protect their personal data on their home computer networks.

"Everything is about preparation. ... It keeps me up at night worrying about it," Mr. Covey said, before injecting some lightheartedness. "I tell folks I had a full head of hair when I started here."

Whether to pay ransom

There are mixed feelings on whether to pay a ransom to try to stop an attack. Many experts, including the FBI, suggest never paying the ransom because it may spur additional attacks by the perpetrator or copycats. And there's no guarantee that the decryption tool provided after the payment will work.

"It's sort of a philosophical debate on that," said Kevin Coleman, executive director and CEO of the D.C.-based National Cyber Security Alliance. "Had (the city of) Baltimore paid it, they would have saved themselves literally ($18) million. But if they had paid, it would have set a precedent: We can come back to them anytime because they paid it."

In May, Baltimore officials refused to pay an approximately $76,000 ransom. The city's computer system was crippled for several weeks, and it cost about $18 million to repair the damage.

Mr. Coleman said the position of the NCSA is for organizations and others to take steps up front to protect sensitive data so they don't get to the point of having to decide whether to pay a ransom.

"An ounce of prevention is worth a pound of cure," he said. "You are going to be targeted because everyone is getting attacked. But you won't be a successful target for the attackers."

Leominster paid $10,000 in bitcoin to cyberextortionists who infiltrated the school district's computer system during last year's April break, affecting every school in the district.

"We appropriated the money so they could pay to get the system up and running," Mayor Dean J. Mazzarella said. City Hall had a similar issue a few years ago, but it was unsuccessful because that system is constantly upgraded and servers were backed up, the mayor said.

The state is also investing major efforts to improve cybersecurity. After visiting Israel in 2016 and seeing that country's cybersecurity advancements, Gov. Charlie Baker the following year convened the state's first cybersecurity forum and created the MassCyberCenter at the Massachusetts Technology Collaborative in Westboro. Last year, Stephanie Helm, a former 30-year U.S. Navy captain who served as a cryptologic/information warfare officer, became director of the MassCyberCenter. During her naval career, Ms. Helm served as a cryptologic-information warfare officer. A 19-member Cybersecurity Strategy Council, composed of cybersecurity officials and experts and former military personnel, will assist Mr. Helm in identifying ways to boost the state's cyberresilience and economic growth and to partner with businesses, academia and the public sector to train new cybersecurity workers. The state has more than 9,000 open cybersecurity jobs, according to Cyberseek.

Weeks before Ms. Helm began in the job, a report was released by a special Senate Committee on Cybersecurity Readiness, chaired by Sen. Michael O. Moore, D-Millbury, that found that the state is in a particularly vulnerable position when it comes to preparedness for cyberattacks in both the public and private sectors.

Ms. Helm said a primary goal of the MassCyberCenter is to advise municipalities, businesses and individuals on measures they can do to prevent attacks.

"We mostly work on preparing before an event happens. We focus on conducting events that can promote the collaboration of folks interested in cybersecurity," Ms. Helm said.

The state was recently one of seven selected for a National Governors' Association for a workshop on strategies to enhance statewide cybersecurity. The workshop is tentatively scheduled for Nov. 13 in Boston.

One area that will be worked on is how to better synchronize the different views of the state's 351 cities and towns on how they approach cybersecurity.

"They (NGA) are in contact with all states and territories. They make it their job to see what's working best in other states and provide recommendations," said Ms. Helm.

The state cybersecurity czar will also participate in an event at Nichols College in Dudley on Oct. 16 that is designed to help municipal leadership better understand the threats and criminal activity on the internet and what they can do. Municipal leaders will be able to ask questions and find out about other people and resources that can assist them.

Athol Town Manager Shaun A. Suhoski said the Nichols College session is something he is interested in attending. He also plans to encourage leaders of the state's other small communities to attend.

"I definitely will check that out. I need to be more informed on that to be better prepared," Mr. Suhoski said.

Athol, like many other small towns, does not have an IT department. It has an outside vendor that provides assistance. When the Athol Police Department was struck by a cyberattack in July, Gardner helped by providing a server and assistance from its IT director, Robert O'Keefe. Gardner was the target of an attack a couple of years ago, but because of safety measures Mr. O'Keefe had in place, backups several times a day, it took only an hour to recover. Gardner also has used a state grant to have a an audit done every two years to determine if the city is staying up to date on cybersecurity measures.

Mr. Suhoski said he has floated the idea with the neighboring small towns of Orange and Royalston about possibly sharing an IT director.

"We feel like we're kind of behind. We're not at the front of the curve yet," he said. "We're trying to catch up and get ahead of these threats.

©2019 Telegram & Gazette, Worcester, Mass. Distributed by Tribune Content Agency, LLC. 

Platforms & Programs