Municipal governments battle cyber attacks.

The Georgia cities of Atlanta and Loganville are the latest victims in an ongoing trend of attacks on municipalities. First, on Thursday, March 22nd, the City of Atlanta announced that its networks had been shut down due to a ransomware attack. At the time of this posting, the city is working with the FBI and the Department of Homeland Security, as well as external partners from Microsoft and Cisco’s cybersecurity response team, to investigate the situation.

The City of Loganville (a suburb of Atlanta) announced on Monday, March 26th on its Facebook page that an external threat actor had successfully breached an internal server. The Loganville breach may not be related to the Atlanta incident.

In Atlanta, the ransomware has cut off electronic access to court records, while many departments are using pen and paper to perform their duties. Many city services, such as electronic bill pay, are still unavailable to city residents. As a precautionary measure, the public wireless network (Wi-Fi) at Hartsfield-Jackson airport has also been suspended.

Evidence suggests the Atlanta malware is SamSam, which has been seen in other government-targeted attacks, like the one that occurred at Colorado’s state Department of Transportation. In particular, the letter shared by local media during the early stages of the ransomware infection in Atlanta is clearly a SamSam ransom note. The wording — including typos — is identical to the examples shared by researchers working for Cisco’s Talos group earlier this year. The only difference was the directory where the contact portal is hosted.

Once attribution to SamSam became public knowledge, the SamSam group deleted the contact portal that the city of Atlanta would use to make payment. Given the SamSam group’s actions, it isn’t clear if payment is even possible now. While it is possible other portals exist for the systems infected in Atlanta, the city hasn’t released any technical details to the public.

In Loganville, the breach is believed to have exposed personally identifiable information (PII), such as social security numbers, to the attacker.

InGuardians echoes the sentiments of the newly elected Atlanta Mayor who is quoted as saying, “this is bigger than a ransomware attack, it’s an attack on government and therefore an attack on all of us.”

It is increasingly apparent that organizations must make the resources available and establish effective policies and preventative measures to strengthen their security postures in order to mitigate these threats.

InGuardians recommends that all leaders of municipal governments view themselves as a likely soft target and create internal Information Security programs to address emerging threats. We also recommend that all business leaders continue to follow this case for lessons learned, such as:

  • Do not leave Remote Desktop Protocol (RDP), Windows Server Message Block (SMB), Secure Shell (SSH) or Telnet available to the Internet – use VPNs and firewall whitelists
  • Confirm that no operating systems use SMB version 1
  • Apply Windows group policy objects (GPOs) to harden government systems uniformly
  • Do not allow users to have local administrative privilege on their desktop machines
  • Make sure that all patches are deployed quickly – malware victims have lost a race against an attacker
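As an added example (not part of the InGuardians post), the following read-only PowerShell audit checks a single Windows host against the items above: SMB version 1 state, remote-access listeners, local Administrators membership and pending updates. It assumes an elevated session on Windows 10 / Server 2016 or later, and the list of expected administrator principals is an assumption to adjust per environment.

```powershell
# Added example, not the post's own script: read-only audit of one Windows host
# against the hardening checklist. Run elevated on Windows 10 / Server 2016+.
$findings = @()

# 1. SMB version 1 must be off, both in the server configuration and as an optional feature.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += "SMB1 enabled in server config (fix: Set-SmbServerConfiguration -EnableSMB1Protocol `$false)"
}
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings += "SMB1Protocol feature installed (fix: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol)"
}

# 2. RDP, SMB, SSH and Telnet listeners bound to all interfaces. A listener is not proof
# of Internet exposure, but it is exactly what the edge firewall/VPN must be shown to cover.
$ports = @{ 3389 = 'RDP'; 445 = 'SMB'; 22 = 'SSH'; 23 = 'Telnet' }
foreach ($conn in Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue) {
    $p = [int]$conn.LocalPort
    if ($ports.ContainsKey($p) -and ($conn.LocalAddress -in @('0.0.0.0', '::'))) {
        $findings += "$($ports[$p]) (tcp/$p) listening on all interfaces; confirm it is firewalled and VPN-only"
    }
}

# 3. Local Administrators membership. Assumption: only the built-in Administrator
# and Domain Admins are expected; anything else (e.g. a standard user) is flagged.
$expected = @('Administrator', 'Domain Admins')
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    $short = $m.Name.Split('\')[-1]
    if ($short -notin $expected) {
        $findings += "Unexpected member of local Administrators: $($m.Name)"
    }
}

# 4. Pending Windows updates, via the Windows Update Agent COM API (may take a minute).
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
if ($pending.Count -gt 0) {
    $findings += "$($pending.Count) software update(s) pending installation"
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it from a GPO-driven scheduled task or a management host against a fleet to turn the checklist into a repeatable control rather than a one-time review.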

Additional Resources

Small Towns Confront Big Cyber Risks (GovTech)

Atlanta Working “Around the Clock” to Fight Off Ransomware Attack (NPR)

We Are a Resilient City – Atlanta Works to Move Forward Following Cyber Attack (11Alive)

Metro Atlanta City Reports Its Own Data Breach (Atlanta Journal Constitution)

Atlanta’s Computers Crippled by Ransomware – Issues Unresolved After 4 Days (SmartCities Dive)