Cyberwars and : Attacks and Counterattacks Friday, October 16, 2020

Nora E Wetzel, Partner, Burke, Williams & Sorensen LLP

DISCLAIMER This publication is provided for general information only and is not offered or intended as legal advice. Readers should seek the advice of an attorney when confronted with legal issues and attorneys should perform an independent evaluation of the issues raised in these materials. The League of California Cities® does not review these materials for content and has no view one way or another on the analysis contained in the materials.

Copyright © 2020, League of California Cities®. All rights reserved. This paper, or parts thereof, may not be reproduced in any form without express written permission from the League of California Cities. For further information, contact the League of California Cities at 1400 K Street, 4th Floor, Sacramento, CA 95814. Telephone: (916) 658-8200.

League of California Cities 2020 City Attorneys’ Department Virtual Conference
Cyberwars: Attacks and Counterattacks (i.e., Response and Prevention)
League of California Cities
Nora Wetzel, Partner with Burke, Williams & Sorensen LLP
October 16, 2020


Introduction

A cyber attack is an attempt by an individual or group to infiltrate and compromise a system, network, or device with the intention of causing harm.1 and resulting data breaches are a growing and persistent threat to public entities. The attacks on the cities of Hartford, Connecticut; Lafayette, Colorado; Knoxville, Tennessee; and Torrance, California, are just a sampling of the numerous attacks on cities. Yet cities are often unaware of how to combat cyberattacks, how to prevent data breaches, or what to do when they occur. In this paper and my presentation, I provide an overview of the methods of cyberattack in the public sector that often result in data breaches. I examine deliberate forms of attack, such as ransomware, , , and business compromise, as well as inadvertent exposure through loss of paperwork, sending data to the incorrect recipient, and loss of encrypted or un-encrypted devices. I offer guidance on what to do when a cyber incident happens, and I offer recommendations on preventing cyberattacks and data breaches through best practices for cybersecurity, training, and appropriate policies and procedures.

Section 1: Overview of cyber incidents in the public sector

There are several stages to a typical cyber attack: reconnaissance, perpetration, and exiting and/or obscuring the attack.2 Reconnaissance refers to the phase where attackers gather information like IP addresses, domain names, names, or email addresses from a variety of sources, tools, and techniques, ranging from phishing campaigns, social network sites, Darknet3 data dumps, and scans of a corporate network. The attack can then be perpetrated in various ways. Popular methods include sending phishing , creating a false website, deploying password-guessing tools, or looking for open ports or vulnerabilities to gain access to an entity’s online services or network. Once the attack succeeds, the expands his access. He may establish a persistent presence, retrieve information, make changes for his benefit, disrupt normal business operations by overloading an entity’s connection, or create a pathway for re-entry to either use for himself later or to sell to someone else to allow access to this third party. After completing the objective of the attack, an attacker may try to mask or hide his attack, making the attack more difficult to detect, thereby giving an attacker more time to complete his or her objectives.

There are many types of cyber attacks, but the following techniques are commonly used to infect victims with ransomware, one of the most common types of attacks on public entities:

1 “How Cyber Attacks Happen”, https://www.equifax.co.uk/resources/identity_protection/how-cyber-attacks-happen.html; “Cyberattacks on the rise: What to do before and after a or data breach”, https://us.norton.com/internetsecurity-emerging-threats-cyberattacks-on-the-rise-what-to-do.
2 “The Anatomy of a cyber attack: Dissecting the science behind virtual crime,” Naveen Joshi, Dec. 21, 2018, https://www.allerin.com/blog/the-anatomy-of-a-cyber-attack-dissecting-the-science-behind-virtual-crime; “The Seven Steps of a Successful Attack”, Chris Stoneff, Jun. 5, 2018, https://www.beyondtrust.com/blog/entry/the-seven-steps-of-a-successful-cyber-attack; “Stages of a cyber attack”, Nathan Cranford, Aug. 7, 2017, https://www.rcrwireless.com/20170807/network-function-virtualization-nfv/20170804stages-of-a-cyber-attack-tag27-tag99
3 The darknet or dark web is a network, built on top of the internet, that is purposefully hidden, meaning it has been designed specifically for anonymity. It is only accessible with special tools and software—browsers and other protocols beyond direct links or credentials. You cannot access the darknet by simply typing a dark web address into your web browser. https://www.csoonline.com/article/3249765/what-is-the-dark-web-how-to-access-it-and-what-youll-find.html. See also https://dictionary.cambridge.org/us/dictionary/english/darknet


• Email phishing campaigns4: The cyber criminal sends an email containing a malicious file or link, which deploys malware when clicked by a recipient. Cyber criminals historically used generic, broad-based spamming strategies to deploy their malware, while recent ransomware campaigns have been more targeted. Criminals may also compromise a victim’s email account by using precursor malware, which enables the cyber criminal to use a victim’s email account to further spread the infection.
• Remote Desktop Protocol vulnerabilities5: RDP is a proprietary network protocol that allows individuals to control the resources and data of a computer over the internet. Cyber criminals have used both brute-force methods, a technique using trial-and-error to obtain user credentials, and credentials purchased on darknet marketplaces to gain unauthorized RDP access to victim systems. Once they have RDP access, criminals can deploy a range of malware—including ransomware—to victim systems.
• Software vulnerabilities6: Cyber criminals can take advantage of security weaknesses in widely used software programs to gain control of victim systems and deploy ransomware. For example, cyber criminals recently exploited vulnerabilities in two remote management tools used by managed service providers (MSPs) to deploy ransomware on the networks of customers of at least three MSPs.7
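The RDP brute-force method described above leaves a recognizable trail in Windows Security logs: a burst of failed logons from one source, sometimes followed by a success. The following detection script is an added illustration, not code from this paper or the FBI; it assumes events have been exported one per line as timestamp, Event ID, logon type, user and source IP, with 4625 = failed logon, 4624 = successful logon and logon type 10 = RemoteInteractive (RDP), and the sample events are constructed.

```python
"""Flag RDP brute-force patterns in exported Windows Security events.

Added example (not the paper's code). Assumed export layout per line:
    <ISO timestamp> <EventID> <LogonType> <user> <source_ip>
EventID 4625 = failed logon, 4624 = successful logon,
LogonType 10 = RemoteInteractive (RDP). Real exports differ in layout.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries several accounts over RDP and
# finally succeeds; a second source shows ordinary user behaviour.
SAMPLE_EVENTS = """\
2020-10-16T02:00:01 4625 10 administrator 203.0.113.7
2020-10-16T02:00:03 4625 10 admin 203.0.113.7
2020-10-16T02:00:04 4625 10 backup 203.0.113.7
2020-10-16T02:00:06 4625 10 jsmith 203.0.113.7
2020-10-16T02:00:08 4625 10 jsmith 203.0.113.7
2020-10-16T02:00:09 4624 10 jsmith 203.0.113.7
2020-10-16T02:05:00 4625 10 mlee 192.0.2.50
2020-10-16T09:12:00 4624 10 mlee 192.0.2.50
2020-10-16T09:13:00 4624 2 mlee 192.0.2.50
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"


def parse_events(text):
    """Turn the exported lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "user": user,
            "src": src,
        })
    return events


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP that meets the brute-force pattern.

    A source is flagged when it produces at least `threshold` failed RDP
    logons inside `window`. If a successful RDP logon from the same
    source follows the failures, severity is raised to "critical" since
    the attacker may now hold a valid credential.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == RDP_LOGON_TYPE:   # only RDP sessions matter here
            by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["event_id"] == FAILED_LOGON]
        # Sliding window over failure timestamps: extend j while still inside window.
        for i in range(len(failures)):
            j = i
            while (j + 1 < len(failures)
                   and failures[j + 1]["ts"] - failures[i]["ts"] <= window):
                j += 1
            if j - i + 1 >= threshold:
                last_fail = failures[j]["ts"]
                success_after = [e for e in evs
                                 if e["event_id"] == SUCCESS_LOGON and e["ts"] >= last_fail]
                alerts[src] = {
                    "failed_attempts": j - i + 1,
                    "usernames_tried": sorted({e["user"] for e in failures[i:j + 1]}),
                    "severity": "critical" if success_after else "high",
                    "compromised_user": success_after[0]["user"] if success_after else None,
                }
                break
    return alerts


if __name__ == "__main__":
    for src, alert in find_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(src, alert)
```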

Other methods of cyber attacks include advanced persistent threats (“APT”), denial of service (“DOS”), insider attacks, malware (ransomware is a type of malware), password attacks, and man in the middle attacks (“MITM”).

APTs are where a hacker gains access to a computer or network over a long period of time with the intent to gather information.8

DOS attacks deny service to a legitimate user through two methods: specially crafted data, which involves sending specialized data to a system that causes an error within the system and prevents it from working, or flooding, which involves overloading a system to slow it down so that it does not work.9 These are similar to ransomware attacks in that the attacker can essentially hold a system hostage until a user pays a fee to stop the attack and allow the system to return to normal. Distributed DOS (DDOS) attacks are when multiple are used to carry out the attack as opposed to a single computer.10

4 FBI Public Service Announcement, Oct. 02, 2019, Alert No. I-100219-PSA, https://www.ic3.gov/media/2019/191002.aspx
5 FBI Public Service Announcement, Oct. 02, 2019, Alert No. I-100219-PSA, https://www.ic3.gov/media/2019/191002.aspx
6 FBI Public Service Announcement, Oct. 02, 2019, Alert No. I-100219-PSA, https://www.ic3.gov/media/2019/191002.aspx
7 FBI Public Service Announcement, Oct. 02, 2019, Alert No. I-100219-PSA, https://www.ic3.gov/media/2019/191002.aspx
8 “8 Types of Cyber Attacks Small to Medium-Sized Businesses Face”, Don Carfagno, Jun. 22, 2017, https://www.blackstratus.com/7-types-cyber-attacks-small-medium-sized-businesses-face/
9 “8 Types of Cyber Attacks Small to Medium-Sized Businesses Face”, Don Carfagno, Jun. 22, 2017, https://www.blackstratus.com/7-types-cyber-attacks-small-medium-sized-businesses-face/
10 “8 Types of Cyber Attacks Small to Medium-Sized Businesses Face”, Don Carfagno, Jun. 22, 2017, https://www.blackstratus.com/7-types-cyber-attacks-small-medium-sized-businesses-face/


Insider attacks are attacks started by an internal user of a system—employees, contractors, or other internal users. Sometimes these can be unintentional mistakes where an employee does not practice good cyber safety, or it can be intentional where a current or former employee might attack a system for personal gain or revenge.11

Malware refers to “malicious software”, programs designed for download to a computer to cause damage or a breach without the owner’s knowledge.12 This class of software includes viruses, worms, , and keyloggers.13 Ransomware is a specific type of malware that encrypts data and/or devices to block user access until a ransom is paid in accordance with the hacker’s demands.14 Formjacking is a type of malicious JavaScript code used to steal details from payment forms on the checkout webpage of e-commerce sites.15 Formjacking has been associated with a group of referred to as Magecart, which is believed to be behind the attacks on British Airways, Ticketmaster, Kitronik, and VisionDirect.16

Password attacks, also described as “brute force attacks”, occur when a hacker inputs multiple password combinations to try to access a network.17 Usually, this is carried out by using an automated system to input passwords repeatedly until a correct one is found by the automated program.18

Man in the middle attacks refer to when a third party intercepts communications between two parties and then monitors the communications for valuable information shared in the communications such as login credentials or personal information.19

In 2020, bad actors have made use of the Covid 19 pandemic to deploy cyber-attacks.20 One of the most prevalent scams is new websites offering supplies or medicine to prevent or fight infection, such as hydroxychloroquine.21 Some of these sites forward to overseas pharmaceutical sites or webstores.

11 “8 Types of Cyber Attacks Small to Medium-Sized Businesses Face”, Don Carfagno, Jun. 22, 2017, https://www.blackstratus.com/7-types-cyber-attacks-small-medium-sized-businesses-face/
12 “8 Types of Cyber Attacks Small to Medium-Sized Businesses Face”, Don Carfagno, Jun. 22, 2017, https://www.blackstratus.com/7-types-cyber-attacks-small-medium-sized-businesses-face/
13 “8 Types of Cyber Attacks Small to Medium-Sized Businesses Face”, Don Carfagno, Jun. 22, 2017, https://www.blackstratus.com/7-types-cyber-attacks-small-medium-sized-businesses-face/
14 “8 Types of Cyber Attacks Small to Medium-Sized Businesses Face”, Don Carfagno, Jun. 22, 2017, https://www.blackstratus.com/7-types-cyber-attacks-small-medium-sized-businesses-face/
15 Symantec ISTR Internet Security Threat Report, Vol. 24, Feb. 2019, https://cdn2.hubspot.net/hubfs/5156294/SED/SED%20SYMC/6819_SED_SYMC_ISTR_24_2019_April_en.pdf
16 Symantec ISTR Internet Security Threat Report, Vol. 24, Feb. 2019, https://cdn2.hubspot.net/hubfs/5156294/SED/SED%20SYMC/6819_SED_SYMC_ISTR_24_2019_April_en.pdf
17 “8 Types of Cyber Attacks Small to Medium-Sized Businesses Face”, Don Carfagno, Jun. 22, 2017, https://www.blackstratus.com/7-types-cyber-attacks-small-medium-sized-businesses-face/
18 “8 Types of Cyber Attacks Small to Medium-Sized Businesses Face”, Don Carfagno, Jun. 22, 2017, https://www.blackstratus.com/7-types-cyber-attacks-small-medium-sized-businesses-face/
19 “8 Types of Cyber Attacks Small to Medium-Sized Businesses Face”, Don Carfagno, Jun. 22, 2017, https://www.blackstratus.com/7-types-cyber-attacks-small-medium-sized-businesses-face/
20 “Facing Down the myriad threats tied to Covid 19,” Sean Gallagher, Andrew Brandt, Apr. 14, 2020, https://news.sophos.com/en-us/2020/04/14/covidmalware/
21 “Facing Down the myriad threats tied to Covid 19,” Sean Gallagher, Andrew Brandt, Apr. 14, 2020, https://news.sophos.com/en-us/2020/04/14/covidmalware/


Bad actors are sending out spam attacks based on Covid 19. They include:
• a sextortion scheme threatening to infect the recipient’s family with Covid 19 if the recipient does not pay the amount demanded;
• a fundraising request purporting to be from the World Health Organization (WHO) requesting donations to fund Covid 19 research;
• messages purportedly coming from WHO but including documents with malware.22

The FBI warns that the Covid 19 extortion scam often consists of:23

• “an e-mail from an unknown party and, many times, will be written in broken English with grammatical errors.
• The recipient's personal information is noted in the e-mail or letter to add a higher degree of intimidation to the scam. For example, the recipient's user name or password is provided at the beginning of the e-mail or letter.
• The recipient is accused of visiting adult websites, cheating on a spouse, or being involved in other compromising situations.
• The e-mail or letter includes a statement like, "I had a serious spyware and adware infect your computer," or "I have a recorded video of you" as an explanation of how the information was allegedly gathered.
• The e-mail or letter threatens to send a video or other compromising information to family, friends, coworkers, or social network contacts if a ransom is not paid.
• The e-mail or letter provides a short window to pay, typically 48 hours.
• The recipient is instructed to pay the ransom in Bitcoin...”
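The FBI's list above reads naturally as a set of mail-filter indicators. The scorer below is an added example, not code from this paper or the FBI; it encodes each listed indicator as a simplified regular expression (an assumption about wording, not an official rule set), treats `KNOWN_SENDERS` as a stand-in for a real contact list, and runs over two constructed messages: one that matches the extortion pattern and a benign payroll reminder that happens to mention a 48-hour deadline.

```python
"""Score inbound email against the FBI's listed Covid-19 extortion indicators.

Added example, not the paper's or the FBI's code. The regexes are an
assumed, simplified encoding of the bullet list above; KNOWN_SENDERS
stands in for an organisation's real address book.
"""
import re

KNOWN_SENDERS = {"payroll@city.example", "it-helpdesk@city.example"}  # assumed contact list

# One (name, pattern) pair per indicator from the FBI list.
INDICATORS = [
    ("claims_credentials",
     re.compile(r"\byour (user ?name|password) (is|was)\b", re.I)),
    ("compromising_accusation",
     re.compile(r"\b(adult (web)?sites?|cheating on|porn)\b", re.I)),
    ("infection_or_video_claim",
     re.compile(r"\b(spyware|adware|recorded (a )?video|webcam)\b", re.I)),
    ("threat_to_contacts",   # a "send/share/release" verb near family/friends/coworkers
     re.compile(r"\b(family|friends|coworkers|contacts)\b.*\b(send|share|release)\b"
                r"|\b(send|share|release)\b.*\b(family|friends|coworkers|contacts)\b",
                re.I | re.S)),
    ("short_deadline", re.compile(r"\b(24|48|72) ?hours?\b", re.I)),
    ("bitcoin_payment", re.compile(r"\b(bitcoin|btc|wallet address)\b", re.I)),
    ("pandemic_threat",      # the Covid-19 twist: threatening to infect the recipient
     re.compile(r"\b(covid|coronavirus)\b.*\binfect", re.I | re.S)),
]


def score_message(sender, body):
    """Return (score, matched indicator names, verdict) for one message."""
    matched = [name for name, rx in INDICATORS if rx.search(body)]
    if sender.lower() not in KNOWN_SENDERS:
        matched.insert(0, "unknown_sender")   # first bullet: mail from an unknown party
    score = len(matched)
    if score >= 4:
        verdict = "likely extortion scam: quarantine and report"
    elif score >= 2:
        verdict = "suspicious: hold for review"
    else:
        verdict = "no extortion indicators"
    return score, matched, verdict


# Constructed sample messages (not real mail).
SCAM_BODY = (
    "Your password is hunter2. I have a recorded video of you visiting "
    "adult websites. I have a serious spyware infect your computer. "
    "Pay 0.5 bitcoin within 48 hours or I will send the video to your "
    "family and coworkers. Refuse and someone carrying covid-19 will "
    "infect your whole family."
)
BENIGN_BODY = (
    "Reminder: timesheets are due within 48 hours of the end of the pay "
    "period. Reply to this message or contact HR with questions."
)

if __name__ == "__main__":
    for sender, body in (("anon123@mail.example", SCAM_BODY),
                         ("payroll@city.example", BENIGN_BODY)):
        print(sender, score_message(sender, body))
```

The deadline indicator alone is not enough to quarantine legitimate mail; the verdict thresholds are what keep the benign reminder out of the quarantine queue.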

Another email scam using Covid-19 includes a scheme whereby a bad actor sends an email allegedly from a company’s CEO, claiming to have scheduled a transfer of $1 million, but requesting that the transfer date be moved up and the recipient account be changed due to the Coronavirus outbreak and quarantine processes and precautions.24 Similarly, several state government agencies have been victimized by bad actors when the agencies attempted to buy ventilators or personal protective equipment and transferred funds to fraudsters impersonating brokers or sellers before receiving the items they ordered. In one specific case, the FBI warned that an individual who claimed to represent a company the purchasing agency had an existing relationship with was able to get away with most of the funds transferred by the time the purchasing agency became suspicious of the transactions.25

Several types of malware have communicated with Covid-19 related websites, and ransomware has referenced coronavirus in its ransom notes. One type of malware called “RATicate” uses an attachment disguised as information about the pandemic but which is actually a malware installer.26

22 “Facing Down the myriad threats tied to Covid 19,” Sean Gallagher, Andrew Brandt, Apr. 14, 2020, https://news.sophos.com/en-us/2020/04/14/covidmalware/
23 “Online Extortion Scams Increasing During the Covid-19 Crisis”, Apr. 20, 2020, https://www.ic3.gov/media/2020/200420.aspx
24 “Covid-19 Fraud: Law Enforcement’s Response to Those Exploiting the Pandemic”, Jun. 9, 2020, https://www.fbi.gov/news/testimony/covid-19-fraud-law-enforcements-response-to-those-exploiting-the-pandemic
25 “Covid-19 Fraud: Law Enforcement’s Response to Those Exploiting the Pandemic”, Jun. 9, 2020, https://www.fbi.gov/news/testimony/covid-19-fraud-law-enforcements-response-to-those-exploiting-the-pandemic

In 2019, cyber-attacks cost entities $3.5 billion in losses.27 Business email compromise or email account compromise was a significant portion of the reported to the FBI in 2019. This scam has evolved over the years to “include compromise of personal emails, compromise of vendor emails, spoofed lawyer email accounts, requests for W-2 information, the targeting of the real estate sector, and fraudulent requests for large amounts of gift cards.”28

In 2019, there was an increase in BEC attacks to divert payroll funds. “In this type of scheme, a company’s human resources or payroll department receives an email appearing to be from an employee requesting to update their direct deposit information for the current pay period. The new direct deposit information generally routes to a pre-paid card account.”29 When a BEC attack occurs, there are some steps to take to try to recover funds that are transferred. The FBI advises organizations to contact the originating financial institution as soon as the fraud is recognized to try and recall or reverse the transfer and request a Hold Harmless Letter or Letter of Indemnity.30

Another significant trend in 2019 was tech support fraud. This is where a “criminal claiming to provide customer, security, or technical support or service in an effort to defraud unwitting individuals. Criminals may pose as support or service representatives offering to resolve such issues as a compromised e-mail or bank account, a virus on a computer, or a software license renewal.”31 Recent examples included attackers posing as customer support for travel industry companies, financial institutions, or virtual currency exchanges.32

In 2019, phishing was the most effective vector for cyber-attacks measured by number of victims, though business email compromise was the vector with the highest dollar value of loss.33 California was the state with the most victims and highest losses caused by cyber attacks.34 This means it is particularly important for California-based entities to be on alert.

The most common types of data affected by cyber incidents that qualified as a breach in the first quarter of 2019 were email addresses and passwords.35 Unsurprisingly, cyber attackers are increasingly targeting mobile devices. Ransomware can infect mobile devices just like it can infect work stations and .36

26 “Facing Down the myriad threats tied to Covid 19,” Sean Gallagher, Andrew Brandt, Apr. 14, 2020, https://news.sophos.com/en-us/2020/04/14/covidmalware/
27 FBI 2019 Internet Crime Report, available at https://pdf.ic3.gov/2019_IC3Report.pdf
28 Id. at p. 9.
29 Id. at p. 9.
30 Id. at p. 10.
31 Id. at p. 13.
32 Id. at p. 13.
33 Id. at pp. 19-20.
34 Id. at p. 18.
35 Data Breach QuickView Report First Quarter 2019-Data Breach Trends, Apr. 30, 2019, Risk Based Security, Inc., at p. 8.
36 Symantec ISTR Internet Security Threat Report, Vol. 24, Feb. 2019, https://cdn2.hubspot.net/hubfs/5156294/SED/SED%20SYMC/6819_SED_SYMC_ISTR_24_2019_April_en.pdf


Examples of Cyber Attacks on Cities

There have been many cyber attacks on cities. I provide some examples below.

Hartford, Connecticut was attacked in early September 2020 by ransomware that affected 200 of the city’s servers, including those used by the school system, the police department, and emergency dispatchers.37 According to the city, it quickly shut down servers and froze its technology systems. It continued to run all the city’s first responder systems, though reopening of its school system was delayed, and the city did not have to pay a ransom to regain access to its servers, though the city did not explain how it was able to avoid doing so.

Lafayette, Colorado suffered a cyber attack in late July 2020, which disrupted the city’s phone, email, online payment, and reservations systems.38 Ransomware called “Snatch” infiltrated the city’s computer network through a phishing or brute force attack and started locking down computer files. This type of ransomware typically uses remote desktop protocol, brute force methods, and/or takes advantage of an unplugged hole in a computer network. The city paid a $45,000 ransom to unlock its data.39

Knoxville, Tennessee had a ransomware attack in June 2020 that the city thought may have come from an email an employee opened.40

Florence, Alabama experienced a ransomware attack in June 2020 that shut down the city’s email system, and the city decided to pay over $250,000 from the city’s insurance fund to recover data encrypted in the attack, though the city was able to negotiate down the ransom demand from the initial amount of $378,000.41

Torrance, California was attacked in March 2020 when its computer systems were compromised, interrupting the functioning of its email accounts and servers.42 City documents including city budget financials, various accounting documents, document scans, and an archive of documents belonging to the City Manager were leaked to the dark web. The hackers claiming responsibility, DoppelPaymer operators, stated that they erased the City's local backups and then encrypted approximately 150 servers and 500 workstations. The hackers demanded a 100 bitcoin ($689,147) ransom for a decryptor, to take down files that have been publicly leaked, and to not release more stolen files.43

37 https://www.nytimes.com/2020/09/08/nyregion/hartford-schools-ransomware.html
38 “After a small Colorado city paid cyber attackers a ransom, there’s concern about the rest of the state,” Tamara Chuang, Aug. 10, 2020, https://coloradosun.com/2020/08/10/cyber-attack-ransomware-small-towns-data-breach-malware-lafayette/
39 “Colorado City pays $45,000 Ransom After Cyber Attack”, Associated Press, Aug. 4, 2020, https://www.usnews.com/news/best-states/colorado/articles/2020-08-04/colorado-city-pays-45-000-ransom-after-cyber-attack
40 “Knoxville shuts down IT network following ransomware attack”, Catalin Cimpanu, Jun. 11, 2020, https://www.zdnet.com/article/knoxville-shuts-down-it-network-following-ransomware-attack/
41 “Alabama City to Pay Cyber-Ransom”, Sarah Coble, Jun. 10, 2020, https://www.infosecurity-magazine.com/news/alabama-city-to-pay-cyberransom/; “City of Florence out nearly $300,0000 after ransomware hack”, Mike Brown and Bernie Delinksi, Jun. 11, 2020, https://www.waff.com/2020/06/11/city-florence-out-nearly-after-ransomware-hack/
42 “California city hit with cyber attack, hacked data posted online”, Jason Axelrod, Apr. 27, 2020, https://www.americancityandcounty.com/2020/04/27/california-city-hit-with-cyber-attack/

The City and County of Durham, North Carolina was struck with ransomware in March 2020, which was thought to be the same one responsible for the 2019 New Orleans attack noted below.44 This attack was actually two separate attacks, and though they were detected and contained, they caused most city networks and phones to remain offline during the recovery process, and resulted in 80 servers needing to be rebuilt and 1,000 compromised computers to be reimaged.

North Miami Beach Police Department was hit with a ransomware attack in February 2020 demanding $5 million to get the department’s information back.45

Colonie, New York suffered a cyber attack in January 2020. Though it could not determine how the ransomware infected its systems, the city had reliable backups that allowed it to continue operation without having to pay the $400,000 bitcoin ransom demanded to retrieve the files the ransomware locked.46

Las Vegas suffered a cyber-attack on January 7, 2020.47 The city commented that it was likely bad actors gained access to the city’s network via a malicious email. The city had taken a public position not to pay a ransom back in July, though it is unclear if the attack involved ransomware. The city reportedly caught the attack early and claims that it does not believe any data was lost or taken.48

New Orleans fell victim to a cyberattack in December 2019. It detected suspicious activity on the City’s network, investigated, and discovered there was a ransomware attack affecting roughly 4,000 City computers. The city’s IT department ordered all employees to power down computers and disconnect from Wi-Fi. All city servers were also powered down, and employees were told to unplug any of their devices.49 The city had cyber insurance and expected it to cover nearly $1,000,000 in costs the city has incurred since the onset of the attack, though it did not cover the costs of paying a ransom.50

43 “DoppelPaymer Ransomware hits Los Angeles County city, leaks files,” Lawrence Abrams, Apr. 21, 2020, https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-hits-los-angeles-county-city-leaks-files/
44 “Two Russian Ransomware Attacks Take Down North Carolina City and County Government Systems,” Davey Winder, Mar. 10, 2020, https://www.forbes.com/sites/daveywinder/2020/03/10/two-russian-ransomware-attacks-take-down-north-carolina-city-and-county-government-systems/#6d02e02588fa
45 “North Miami Beach Police Department Hit with Ransomware attack”, Feb. 10, 2020, https://www.nbcmiami.com/news/local/north-miami-beach-police-department-hit-with-ransomware-attack/2189279/
46 “Town of Colonie got hacked: looks to avoid paying ransomware demand of about $400,000”, Jim Franco, Jan. 17, 2020, https://www.spotlightnews.com/news/2020/01/17/town-of-colonie-got-hacked-looks-to-avoid-paying-ransomware-demand-of-about-400000/
47 “Las Vegas Suffers Cyber Attack”, Sarah Coble, Jan. 8, 2020, https://www.infosecurity-magazine.com/news/las-vegas-suffers-cyber-attack/
48 “Las Vegas hit by cyberattack as it hosts CES”, Ian Sherr, Jan. 9, 2020, https://www.cnet.com/news/las-vegas-hit-by-cyberattack-as-it-hosts-ces/
49 “New Orleans Declares State of Emergency Following Cyber Attack”, Davey Winder, Dec. 14, 2019, https://www.forbes.com/sites/daveywinder/2019/12/14/new-orleans-declares-state-of-emergency-following-cyber-attack

Pensacola was hit by a cyberattack in December 2019, affecting city email and landlines, a customer service line, and online bill payments for energy and sanitation. As a result of the incident, staff disconnected computers from the city’s network until the issue could be resolved. Pensacola did not reveal any further information about how the cyberattack first occurred, what type of was breached, or whether the attack stemmed from malware or ransomware.51

City of San Marcos was targeted in October 2019 by a suspected cyber attacker. San Marcos’s email system used by city employees was affected, leaving employees unable to communicate with some of the public. Employees discovered the problems, and the city manager confirmed the city was victim of a suspected hacking.52

Baltimore fell victim to ransomware known as "RobbinHood" -- attacks some experts say involved a tool developed by the .53 The attack locked the city out of its computer servers for ransom. City systems are reported to be slowly recovering from the attack, which officials said cost Baltimore more than $18 million.54

Atlanta’s computer networks were targeted in March 2018.55 The hackers demanded $51,000 in , and held the city hostage for nearly a week, while the city refused to pay. Apparently, some city services used hardcopy paper to continue operations. The city reportedly did not want to reward and encourage more ransomware attacks, and considered that there was no guarantee that systems would be restored even if it paid. This stance has hit the city hard—costs associated with the attack are estimated to be as high as $17 million.56 Now, the U.S. Justice Department reports that two Iranian hackers were behind the attack on Atlanta.57 The two hackers are thought to have developed the SamSam ransomware, which is a type of malicious software.58

50 “New Orleans cyberattack costing the city close to $1 M so far”, Charles Watson, Dec. 18, 2019, https://www.foxnews.com/tech/new-orleans-cyberattack-costing-city-close-to-1m
51 “Cyberattack Downs Pensacola’s City Systems”, Lindsay O’Donnell, Dec. 10, 2019, https://threatpost.com/cyberattack-downs-pensacolas-city-systems
52 “Cyber Attack Shuts Down Email System Used by San Marcos City Employees”, Oct. 29, 2019, https://www.nbcsandiego.com/news/local/san-marcos-city-hall-computer-system-email-hack-cyber-attack-emergency-services
53 “Hack that cost Baltimore $18M a mystery after experts eye NSA link”, Daniel Uria, Jun. 10, 2019, https://www.upi.com/Top_News/US/2019/06/10/Hack-that-cost-Baltimore-18M-a-mystery-after-experts-eye-NSA-link/7961559775882/
54 “Hack that cost Baltimore $18M a mystery after experts eye NSA link”, Daniel Uria, Jun. 10, 2019, https://www.upi.com/Top_News/US/2019/06/10/Hack-that-cost-Baltimore-18M-a-mystery-after-experts-eye-NSA-link/7961559775882/
55 “What Cities Can Learn from Atlanta’s Cyberattack,” Adam Sneed, Oct. 29, 2019, https://www.citylab.com/life/2019/10/cyber-security-cities-atlanta-cyberattack-ransomware-data/600982/
56 “What Cities Can Learn from Atlanta’s Cyberattack,” Adam Sneed, Oct. 29, 2019, https://www.citylab.com/life/2019/10/cyber-security-cities-atlanta-cyberattack-ransomware-data/600982/
57 “Feds: Iranians led cyberattack against Atlanta, other U.S. entities,” Stephen Deere, Nov. 28, 2018, https://www.ajc.com/news/local-govt--politics/feds-iranians-led-cyberattack-against-atlanta-other-entities/xrLAyAwDroBvVGhp9bODyO/#

22 Texas Cities’ computer systems were infiltrated by hackers demanding a ransom.59 A mayor of one of those cities said the attackers asked for $2.5 million to unlock the files. Officials did not identify which specific cities were affected. The Texas Department of Information Resources stated that the evidence pointed to a single threat actor. A representative for the department reported that he was “not aware" of any of the cities having paid the undisclosed ransom sought by hackers, and disclosed that the impacted locales were mostly rural.60

Additional recent attacks affecting government entities globally follow below:61

August 2020. Hackers for hire suspected of operating on behalf of the Iranian government were found to have been working to gain access to sensitive information held by North American and Israeli entities across a range of sectors, including technology, government, defense, and healthcare.

August 2020. An Iranian hacking group was found to be targeting major U.S. companies and government agencies by exploiting recently disclosed vulnerabilities in high-end network equipment to create backdoors for other groups to use.

February 2020. The U.S. Defense Information Systems Agency announced it had suffered a data breach exposing the personal information of an unspecified number of individuals.

January 2020. The FBI announced that nation state hackers had breached the networks of two U.S. municipalities in 2019, exfiltrating user information and establishing access for future compromise.

December 2019: A Chinese state-sponsored hacking group attacked government entities and managed service providers by bypassing two-factor used by their targets.

December 2019: Unknown hackers stole login credentials from government agencies in 22 nations across North America, Europe, and Asia.

October 2019. An Israeli cybersecurity firm was found to have sold spyware used to target senior government and military officials in at least 20 countries by exploiting a vulnerability in WhatsApp.

58 https://www.ajc.com/news/local-govt--politics/feds-iranians-led-cyberattack-against-atlanta-other-entities/xrLAyAwDroBvVGhp9bODyO/#
59 “22 Texas Towns Hit with Ransomware Attack in ‘New Front’ of Cyberassault”, Bobby Allyn, Aug. 20, 2019, https://www.npr.org/2019/08/20/752695554/23-texas-towns-hit-with-ransomware-attack-in-new-front-of-cyberassault
60 “22 Texas Towns Hit with Ransomware Attack in ‘New Front’ of Cyberassault”, Bobby Allyn, Aug. 20, 2019, https://www.npr.org/2019/08/20/752695554/23-texas-towns-hit-with-ransomware-attack-in-new-front-of-cyberassault
61 https://www.csis.org/programs/technology-policy-program/significant-cyber-incidents


September 2019. A Chinese state-sponsored hacking group responsible for attacks against three U.S. utility companies in July 2019 was found to have subsequently targeted seventeen others.

September 2019. North Korean hackers were revealed to have conducted a phishing campaign over the summer of 2019 that targeted U.S. entities researching the North Korean nuclear program and economic sanctions against North Korea.

July 2019. State-sponsored Chinese hackers conducted a spear-phishing campaign against employees of three major U.S. utility companies.

Inadvertent exposure

There are other unintentional methods of data exposure that can result in a significant breach event for cities. Inadvertent exposures can occur through loss of paperwork, sending data to the incorrect recipient, and loss of encrypted or un-encrypted devices.

Section 2: What to do when a cyber incident happens

There are typical phases of response to a cyber attack which include investigation, containment, remediation, and notification, if appropriate. While every incident and organization’s response will be unique, some broad considerations for reacting to cyber incidents follow.

First, the organization has to detect or be alerted that a cyber attack has occurred. Having clear instruction to your staff and/or vendors about what qualifies as a security incident, who to notify, how to notify, and the timing for notification is critical. This can be accomplished in an incident response plan or other written policies. The challenge here is that technology and hackers’ methods evolve constantly. Keeping up to date with all the new forms of attack can be hard, if not impossible. Try to strike a balance: policies and plans should not be so specific that they are outdated within weeks or months, but should be specific enough to generally keep up with developments. Make sure to involve your security providers and IT departments for their insight in this effort.

For those who have cyber insurance (which should be everyone), notify or tender to your cyber insurer right away upon detecting a qualifying cyber incident, so you can obtain the coverage and resources available to you.

Once an incident has been detected, classify the incident. Examples include critical, significant, or minor. Determine ahead of time what is critical, significant, or minor for your organization.62

Then, investigate and contain the incident. Again, notification to your cyber insurer is important, so you can obtain coverage and resources available to you from your insurer. Investigation of the incident will largely fall to the IT department or your outside forensic investigator. Matters to investigate include how the incident was detected—e.g., through proactive monitoring, during an audit, an outside notification from law enforcement, or finding your data on the web—how the incident was perpetrated, the applications affected, the data affected, and the persons whose data was affected.63

62 What to do when first hit by a cyber attack, Apr. 10, 2017, Gemma Moore, https://www.computerweekly.com/opinion/What-to-do-first-when-hit-by-a-cyber-attack

Documenting the investigation and everything that follows, including remediation and notification efforts, helps to preserve a record of what occurred. Obtaining legal counsel right away may give the best chances of preserving attorney-client privilege or attorney work product doctrine over communications and other materials related to the cyber incident. This may be accomplished by calling your cyber insurer right away and getting a “breach coach” assigned. A breach coach is an attorney assigned by your cyber insurer to lead you through the process of dealing with an incident. You may alternatively call external counsel who is a breach coach. Also, refer to the event as an “incident,” not a breach, until you have a legal determination that the incident qualifies as a “data breach” under applicable law.

Triage and set objectives.64 Consider what is most important for your entity—is it resuming service as quickly as possible? Is it protecting confidential information? Is it confirming the integrity of data where the integrity of data is critical for the entity? This likely will differ with what data, applications, and/or operations are affected.

For remediation, the goal is to restore the organization to its normal functioning. When a ransomware attack occurs, the best method of restoration, if you have implemented best practices and have backups, is to restore your system to normal functioning from your backups. Alternatively, it might be paying a ransom to get your files back, which we note is not endorsed by the FBI.

For notification, rely on legal counsel’s advice as to whether a data breach has occurred under applicable law. If it has, then you will likely need to notify affected individuals, and you may have to notify state attorneys general, credit agencies, or other entities as specified by the applicable law. You should consider whether to offer identity protection services to help remedy any potential harm to affected individuals. If there are a large number of affected individuals, you should consider using a vendor to (1) mail all your notification letters and manage bounce-backs, and (2) staff a call center to handle calls from affected individuals.

Section 3: Cybersecurity Best Practices

In terms of preventing or minimizing the risk of breaches during the era of Covid-19 in particular, the FBI recommends the following:65

• Be skeptical of last-minute changes in wiring instructions or recipient account information.
• Verify any changes and information via the contact on file—do not contact the vendor through the number provided in the email.
• Ensure the URL in emails is associated with the business it claims to be from.
• Be alert to hyperlinks that may contain misspellings of the actual domain name.
• Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address appears to match who it is coming from.

63 What to do when first hit by a cyber attack, Apr. 10, 2017, Gemma Moore, https://www.computerweekly.com/opinion/What-to-do-first-when-hit-by-a-cyber-attack
64 What to do when first hit by a cyber attack, Apr. 10, 2017, Gemma Moore, https://www.computerweekly.com/opinion/What-to-do-first-when-hit-by-a-cyber-attack
65 “FBI Anticipates Rise in Business Email Compromise Schemes Related to the Covid-19 Pandemic”, Apr. 6, 2020,

There are general best practices for cybersecurity outlined by the FBI. They include the following:66

• Regularly back up data and verify its integrity. Ensure backups are not connected to the computers and networks they are backing up. For example, physically store them offline. Backups are critical in ransomware; if you are infected, backups may be the best way to recover your critical data.
• Focus on awareness and training. Since end users are targeted, employees should be made aware of the threat of ransomware and how it is delivered, and trained on principles and techniques.
• Patch the operating system, software, and firmware on devices. All endpoints should be patched as vulnerabilities are discovered. This can be made easier through a centralized patch management system.
• Ensure anti-virus and anti-malware solutions are set to automatically update and that regular scans are conducted.
• Implement least privilege for file, directory, and network share permissions. If a user only needs to read specific files, they should not have write-access to those files, directories, or shares. Configure access controls with least privilege in mind.
• Disable macro scripts from Office files transmitted via email. Consider using Office Viewer software to open Office files transmitted via email instead of full Office Suite applications.
• Implement software restriction policies or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular internet browsers, and compression/decompression programs.
• Employ best practices for use of Remote Desktop Protocol (“RDP”), including auditing your network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP login attempts.
• Implement application “whitelisting.” Only allow systems to execute programs known and permitted by security policy.
• Use virtualized environments to execute operating system environments or specific programs.
• Categorize data based on organizational value, and implement physical and logical separation of networks and data for different organizational units. For example, sensitive research or business data should not reside on the same server and network segment as an organization’s email environment.
• Require user interaction for end-user applications communicating with websites uncategorized by the network proxy or firewall. For example, require users to type information or enter a password when their system communicates with a website uncategorized by the proxy or firewall.

66 FBI Public Service Announcement, Oct. 02, 2019, Alert No. I-100219-PSA. https://www.ic3.gov/media/2019/191002.aspx


There are also some specific recommendations by the FBI to take for protection against Business Email Compromise attacks.67

• Employees should be educated about and be alert to business email compromises. There are a variety of tools that can be deployed to train employees: webinars, in-person presentations, phishing exercises, etc.
• Use secondary channels or two-factor authentication to verify requests for changes in account information.
• Ensure the URL in emails is associated with the business it claims to be from.
• Be alert to hyperlinks that may contain misspellings of the actual domain name.
• Refrain from supplying login credentials or personal identifying information in response to any emails.
• Monitor personal financial accounts on a regular basis for irregularities, such as missing deposits.
• Keep all software patches on all systems updated.
• Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address appears to match who it is coming from.
• Ensure the settings on employees’ computers are enabled to allow full email extensions to be viewed.
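As an added example (not from the paper or from the FBI announcements it cites), the following Python script applies the URL and sender-address checks that appear in both FBI lists above to a constructed message: it flags a sender domain that is a close misspelling of a known vendor domain, a link whose visible URL differs from its real target, and a link to a digit-substituted lookalike domain. The vendor allow-list, the message and every domain name in it are constructed for the demonstration.

```python
"""Lookalike-domain and link-mismatch checks on an inbound message (added example).
The vendor allow-list and sample message are constructed; not from the paper or FBI."""
import re
from urllib.parse import urlparse
KNOWN_DOMAINS = {"acme-utilities.example", "cityvendor.example"}  # constructed allow-list
# Constructed message: misspelled sender domain, link whose shown URL differs from its target, digit-substituted domain
SAMPLE_FROM = "Acme Utilities Billing <ar@acme-utilties.example>"
SAMPLE_LINKS = [
    ("https://acme-utilities.example/pay", "https://acme-utilities.example.payments-portal.example/pay"),
    ("Update banking details", "https://acme-util1ties.example/bank"),
]

def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance to a known domain signals a misspelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr_or_url: str) -> str:
    """Host of an e-mail address or URL, lower-cased; "" for plain link text."""
    if "://" not in addr_or_url and "@" in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].lower()
    return (urlparse(addr_or_url).hostname or "").lower()

def classify_domain(domain: str) -> str:
    """'known', 'lookalike' (within 2 edits of a known domain) or 'unknown'."""
    if domain in KNOWN_DOMAINS:
        return "known"
    if any(levenshtein(domain, k) <= 2 for k in KNOWN_DOMAINS):
        return "lookalike"
    return "unknown"

def check_message(from_header: str, links: list) -> list:
    """Findings for the sender address and for each (visible text, href) link."""
    findings = []
    match = re.search(r"<([^>]+)>", from_header)  # address inside "Name <addr>"
    sender = domain_of(match.group(1) if match else from_header)
    if classify_domain(sender) != "known":
        findings.append(f"sender domain {sender} is {classify_domain(sender)}")
    for text, href in links:
        shown, actual = domain_of(text), domain_of(href)
        if shown and shown != actual:  # displayed URL does not match the real target
            findings.append(f"link text shows {shown} but points to {actual}")
        if classify_domain(actual) == "lookalike":
            findings.append(f"link target {actual} looks like a known vendor domain")
    return findings
```

Running check_message(SAMPLE_FROM, SAMPLE_LINKS) returns three findings, one for each of the three tricks in the constructed message.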

Finally, some general resources to consider checking include the FBI’s Internet Crime Complaint Center website, ic3.gov; the U.S. General Services Administration’s website on cybersecurity programs and policy: https://www.gsa.gov/technology/government-it-initiatives/cybersecurity/cybersecurity-programs-policy; the FTC’s website on Privacy and Security for business: https://www.ftc.gov/tips-advice/business-center/privacy-and-security; NIST’s cybersecurity webpage https://www.nist.gov/topics/cybersecurity; and the Department of Homeland Security’s CISA webpage https://www.cisa.gov/ and Ready.gov cybersecurity webpage https://www.ready.gov/cybersecurity.

67 FBI IC3 Alert No. I-091019-PSA, Sept. 10, 2019 https://www.ic3.gov/media/2019/190910.aspx
