We sat down with Jones|Carter’s Sean McMillan, Electrical Division Manager, who is also a certified Cybersecurity Expert, to talk about the recent cyberattack on Atlanta and what other cities need to be aware of about the attack.
What exactly happened to the City of Atlanta?
The City of Atlanta was the victim of a ransomware attack. The ransomware encrypted files and prevented access. The hackers gave the city seven days to pay a $51,000 ransom to unlock the files. The city was forced to clean the infected computers and restore from backups. This caused disruptions to many city services including the court system, police department and utilities. There is no information available as to whether or not their water or wastewater control systems were compromised.
Is this an isolated event?
No. In fact, this particular ransomware, SamSam, has made the hackers an estimated $850,000 in ransom money since 2015. In recent weeks other cities including Baltimore have been hit with different ransomware attacks. There are many companies and private individuals that have also been the victim of ransomware.
Why did this happen to Atlanta and not Houston (or anywhere else)?
The best guess is bad luck. This type of ransomware is spread by hackers who look through the Internet for vulnerable computers and attack them. The attack doesn’t appear to be an intentional attack on the City of Atlanta. Hackers are looking for the most vulnerable systems to attack. It’s low hanging fruit.
Who is at risk for an attack like this?
Anyone with a computer. The information I have read indicates that some changes were made to a firewall that allowed access to the network through the Internet for about 24 hours. This was enough time for the hackers to find the network and begin the attack. Even computers not connected to the Internet are at risk from malware being transferred through an infected thumb drive.
When reading about this event online, you’ll see words describing it as simply “disruptive” or “inconvenient”. What is the real risk or danger in an attack like this?
There are many risks in an attack like this. In this case the court system and police system was affected, which could hinder the prosecution of individuals who’s cases were in the system during this time. There can be a loss of billing data for utilities, which can have financial impacts or loss of customer’s confidential information such as credit card numbers. There are also impacts from citizens losing trust in the government’s ability to protect their data. In an extreme case, there could be operational impacts to a city’s water, wastewater, or power utility control systems.
Should organizations focus on preventing cyberattacks, planning for what to do after an attack happens, or both?
I would say both. Obviously it is important that you try to protect yourself from attack. You don’t want to be an easy target. Most cities have never gone through an initial gap assessment to understand their weak points. Anything you can do to make your system more secure makes a hacker more likely to move on to an easier target.
Unfortunately, this is a world where the hackers are always a step ahead of the good guys. There will always be some risk of a cyber-attack no matter how prepared you are. That is when it is important to have a plan for restoring your system. The fact that Atlanta had a backup and was able to restore their system means they only lost a few days of data. You want to have a plan ahead of an attack so you aren’t forced to think through how to restore while under duress. Just like you wouldn’t wait until the rain starts to develop a hurricane contingency plan, you shouldn’t wait until you have been attacked to develop a cyber security recovery plan.