Cyberwars: Attacks and Counterattacks (i.e., Response and Prevention)
Presented by Nora E. Wetzel
League of California Cities
October 16, 2020

Nora E. Wetzel
Nora is a commercial litigation attorney in Burke’s San Francisco office with a focus in data privacy matters. Nora has been designated as a Certified Information Privacy Professional, United States (CIPP/US) by the International Association of Privacy Professionals (IAPP).
www.bwslaw.com

Introduction
This presentation will identify forms of attack, such as ransomware, malware, phishing, and business email compromise, as well as inadvertent exposure through loss of paperwork, sending data to the incorrect recipient, and loss of encrypted or un-encrypted devices.

Overview of cyber incidents in the public sector
• Remote Desktop Protocol Vulnerabilities
• Email Phishing Campaigns
• Software Vulnerabilities

Other methods of Cyber Attacks
• Malware
• Advanced Persistent Threats
• Denial of Service (DOS) Attacks
• Password Attacks
• Insider Attacks
• Man in the Middle (MITM) Attacks

We Learn From The Best
In 2020, bad actors have made use of the Covid-19 pandemic to deploy cyber-attacks.

Bad actors are sending out spam attacks based on Covid-19
• a sextortion scheme threatening to infect the recipient’s family with Covid-19 if the recipient does not pay the amount demanded
• a fundraising request purporting to be from the World Health Organization (WHO) requesting donations in Bitcoin to fund Covid-19 research
• messages purportedly coming from WHO but including documents with malware

FBI Warnings
01 An e-mail from an unknown party and, many times, will be written in broken English with grammatical errors
02 The recipient's personal information is noted in the e-mail or letter to add a higher degree of intimidation to the scam. For example, the recipient's user name or password is provided at the beginning of the e-mail or letter
03 The recipient is accused of visiting adult websites, cheating on a spouse, or being involved in other compromising situations
04 The e-mail or letter includes a statement like, "I had a serious spyware and adware infect your computer," or "I have a recorded video of you" as an explanation of how the information was allegedly gathered
05 The e-mail or letter threatens to send a video or other compromising information to family, friends, coworkers, or social network contacts if a ransom is not paid
06 The e-mail or letter provides a short window to pay, typically 48 hours
07 The recipient is instructed to pay the ransom in Bitcoin

In 2019, cyber-attacks cost entities $3.5 billion in losses
FBI 2019 Internet Crime Report

an increase in BEC attacks to divert payroll funds

Business Email Compromise
A BEC attack begins with a cybercriminal hacking and spoofing emails to impersonate your company's supervisors, CEO, or vendors.
• The Bogus Invoice Scheme
• CEO Fraud
• Account Compromise
• Attorney Impersonation
• Data Theft

Tech Support Fraud
• Criminal claiming to provide technical support or service in an effort to defraud unwitting individuals
• May pose as support or service representatives offering to resolve such issues as a compromised e-mail or bank account
• Recent examples included attackers posing as customer support for travel industry companies, financial institutions, or virtual currency exchanges

“CALIFORNIA WAS THE STATE WITH THE MOST VICTIMS AND HIGHEST LOSSES CAUSED BY CYBER ATTACKS”
8 Types of Cyber Attacks Small to Medium-Sized Businesses Face

EXAMPLES OF CYBER ATTACKS ON CITIES

Ransomware
In 2019, 205,280 organizations submitted files that had been hacked in a ransomware attack — a 41 percent increase from the year before

Cyber Insurance
Some businesses and city governments are taking out insurance to be ready for ransomware demands

Hartford, Connecticut
Attacked in early September 2020 by ransomware that affected 200 of the city’s servers, including those used by the school system, the police department, and emergency dispatchers. According to the city, it quickly shut down servers and froze its technology systems. It continued to run all the city’s first responder systems, though reopening of its school system was delayed, and the city did not have to pay a ransom to regain access to its servers, though the city did not explain how it was able to avoid doing so.

Lafayette, Colorado
Suffered a cyber attack in late July 2020, which resulted in disrupting the city’s phone, email, online payment, and reservations systems. Ransomware called “Snatch” infiltrated the city’s computer network through a phishing or brute force attack and started locking down computer files. This type of ransomware typically uses remote desktop protocol, brute force methods, and/or takes advantage of an unplugged hole in a computer network.
The city paid a $45,000 ransom to unlock its data.

Florence, Alabama
Experienced a ransomware attack in June 2020 that shut down the city’s email system, and the city decided to pay over $250,000 from the city’s insurance fund to recover data encrypted in the attack, though the city was able to negotiate down the ransom demand from the initial amount of $378,000.

Torrance, CA
Attacked in March 2020 when its computer systems were compromised, interrupting the functioning of its email accounts and servers. City documents including city budget financials, various accounting documents, document scans, and an archive of documents belonging to the City Manager were leaked to the dark web. The hackers claiming responsibility, DoppelPaymer operators, stated that they erased the City's local backups and then encrypted approximately 150 servers and 500 workstations. The hackers demanded a 100 bitcoin ($689,147) ransom for a decryptor, to take down files that have been publicly leaked, and to not release more stolen files.

Durham, North Carolina
The City and County of Durham, North Carolina was struck with ransomware Ryuk in March 2020, which was thought to be the same one responsible for the 2019 New Orleans attack noted below. This attack was actually two separate attacks, and though they were detected and contained, they caused most city networks and phones to remain offline during the recovery process, and resulted in 80 servers needing to be rebuilt and 1,000 compromised computers to be reimaged.

North Miami Beach Police Department
North Miami Beach Police Department was hit with a ransomware attack in February 2020 demanding $5 million to get the department’s information back.

Colonie, New York
Suffered a cyber attack in January 2020.
Though it could not determine how the ransomware infected its systems, the city had reliable backups that allowed it to continue operation without having to pay the $400,000 bitcoin ransom demanded to retrieve the files the ransomware unlocked.

Las Vegas, Nevada
Suffered a cyber-attack on January 7, 2020. The city commented that it was likely bad actors gained access to the city’s network via a malicious email. The city had taken a public position not to pay a ransom back in July, though it is unclear if the attack involved ransomware. The city reportedly caught the attack early and claims that it does not believe any data was lost or taken.

New Orleans, Louisiana
New Orleans fell victim to a cyberattack in December 2019. It detected suspicious activity on the City’s network, investigated and discovered there was a ransomware attack affecting roughly 4,000 City computers. The city’s IT department ordered all employees to power down computers and disconnect from Wi-Fi. All city servers were also powered down, and employees told to unplug any of their devices. The city had cyber insurance and expected it to cover nearly $1,000,000 in costs the city has incurred since the onset of the attack, though it did not cover the costs of paying a ransom.

Pensacola, Florida
Was hit by a cyberattack in December 2019, affecting city email and landlines, a customer service line, and online bill payments for energy and sanitation. As a result of the incident, staff disconnected computers from the city’s network until the issue could be resolved. Pensacola did not reveal any further information about how the cyberattack first occurred, what type of personal data was breached, or whether the attack stemmed from malware or ransomware.

San Marcos, California
Was targeted in October 2019 by a suspected cyber attacker. San Marcos’s email system used by city employees was affected, leaving employees unable to communicate with some of the public.
Employees discovered the problems, and the city manager confirmed the city was victim of a suspected hacking.

Baltimore, Maryland
Baltimore fell victim to ransomware known as "RobbinHood" -- attacks some experts say involved a tool developed by the National Security Agency. The attack locked the city out of its computer servers for ransom. City systems are reported to be slowly recovering from the attack, which officials said cost Baltimore more than $18 million.

Atlanta, Georgia
Atlanta’s computer networks were targeted in March 2018. The hackers demanded $51,000 in Bitcoins, and held the city hostage for nearly a week, while the city refused to pay. Apparently, some city services used hardcopy paper to continue operations. The city reportedly did not want to reward and encourage more ransomware attacks, and considered there was no guarantee that systems would be restored even if it paid. This stance has hit the city hard—costs associated with the attack are estimated to be as high as $17 million. Now, the U.S. Justice Department reports that two Iranian hackers were behind the attack on Atlanta.