The City of Dallas, Texas, was forced to shut down police communications and IT systems on Wednesday morning, May 3, after a suspected ransomware attack.
According to a media statement from the City: "Wednesday morning, the City's security monitoring tools notified our Security Operations Center (SOC) that a likely ransomware attack had been launched within our environment. Subsequently, the City has confirmed that a number of servers have been compromised with ransomware, impacting several functional areas, including the Dallas Police Department Website."
The Dallas Morning News reported on the incident, quoting a statement from City Manager T.C. Broadnax, who said he is optimistic that the risk is contained.
"Since City of Dallas' Information and Technology Services detected a cyber threat Wednesday morning, employees have been hard at work to contain the issue and ensure continued service to our residents," he said.
Among the affected systems were city websites and services, notably the city's 911 computer-aided dispatch system, which forced police and firefighters to revert to manual dispatching. Jail staff were also hampered in processing intakes and offense reports. The city's court system was knocked offline, canceling jury trials and creating a backlog that will need to be worked through.
Bleeping Computer also covered the breach.
Frequent SecureWorld speaker and PLUS Course instructor Shawn Tuma, Co-Chair of the Data Privacy and Cybersecurity Practice at Spencer Fane, LLP, gives this commentary on the situation in Dallas:
"This is a horrible event that will surely impact the lives of many people, and unfortunately it has become a fact of life in today's times. We are always quick to blame the victim of the attack and say 'why did they allow this to happen?', but we can't forget that the odds in security mean that those defending must get their security right 100% of the time, while the adversary needs only one lucky shot to have a successful attack and cause extraordinary damage.
Unfortunately, 'cybersecurity' is not a technical problem that can just be fixed with a patch, security update, change of code, or even a tool or service—no matter how great the tool or service may be—but is an ongoing battle with an active adversary that is countering every move and continuously probing for new weaknesses to exploit. What we have seen over the last 12 to 18 months is that, as more and more companies are getting more proficient at protecting themselves on the technical side, the threat actors are returning to their old bread-and-butter tactics of attacking the humans through social engineering, because that is the time-tested method of attack that the tools can't protect against.
Our team has handled several ransomware attacks by the Royal threat actor group, and each of those started with a callback phishing attack that exploited people, first, to gain initial access into the network, so it would not surprise me if that is what happened in this attack on the City of Dallas, as well.
As someone who lives in the Dallas-Fort Worth Metroplex, I know that people in this area are anxious to get more information about what has happened, how they may be impacted, and what the City is doing in response. But, as a professional breach quarterback who routinely leads organizations through similar attacks, I am confident that the City is being led by an expert team of experienced incident response counsel and cybersecurity providers that are most likely working in conjunction with its cyber insurance providers and, right now, information sharing is not and should not be their top priority.
In fact, sharing such information could even jeopardize much of the work they are trying to accomplish in working through this incident and end up causing more harm to the people around Dallas-Fort Worth than it does good. At this point, what has been done has been done, and nothing will change that, so the focus has to be on mitigating the situation as best as possible from this point forward. Right now, everyone needs to be patient, let the experts do their job to the best of their ability, and trust that, at an appropriate time that does not compromise the investigation and recovery process, more information about this incident will be provided."
Darren Guccione, CEO and Co-Founder at Keeper Security, had this to say about the Dallas attack:
"This egregious cyberattack is an example of the pervasive threat that predatory cybercriminals pose to everyone from multinational businesses to local governments. No one is safe from cybercrime, and often the most vulnerable among us are the most likely to be targeted or victimized. In this case, threat actors targeted city operations that could have caused a major disruption to 911 and emergency operations. From a positive perspective, the city's security monitoring tools appear to have served their intended purpose by alerting the city’s response team."
Tuma is teaching a PLUS training course on May 17, the day prior to the SecureWorld Houston conference, on the topic of "Real-World Cyber Risk Management and Resilience Planning." He will also present at the May 18 event on "Cybersecurity Really Is a Team Sport."
This fall, Tuma will be joined by peers Steven Anderson, Director of Cyber Underwriting, Safety National; Theresa Le, Chief Claims Officer, Cowbell Cyber; and Sean Scranton, Consultant, Cyber Risk Solutions Team, WTW, at SecureWorld Dallas on October 26 for a panel discussion titled "Cover Your Cyber Assets."