Cyberattacks have shifted away from simpler, automated affairs. Attacks are now thorough, with targets strategically selected for the value of their information, the ease of an attack, and the likelihood of a ransom payment to protect extracted data.
California municipalities have been increasingly targeted by ransomware and malware attacks since the beginning of 2023, and while some attacks have been less serious, others have temporarily crippled municipalities and police departments. Healthcare has also faced its share of cyberattacks, and with sometimes dire consequences.
Meanwhile, employees have been tasked with walking a minefield of data warfare, while newspaper articles allege coverups of compromised information. As it stands now, most data exfiltration and encryption incidents are underreported, adding yet another layer of mystery to the dark web, where criminal identities and the depth of their actions are obscured by technical acumen.
Under-resourced Cities Targeted
High-profile ransomware incidents in 2021 spurred action as the federal government and state governments began to take cyber threats seriously. As Emsisoft pointed out in its “The State of Ransomware in the US: Report and Statistics 2022,” there seemed to be a collective sense of urgency as committees were formed and meetings were held. And still, reports of ransomware attacks stacked up, with Emsisoft noting that only a fraction of ransomware attacks on private sector organizations are publicly disclosed or reported to authorities.
However, where major cities like Atlanta and Baltimore were victims of cyberattacks in previous years, only smaller municipalities were apparently targeted in 2022. This might suggest that larger governments are making good use of bigger cybersecurity budgets, while “smaller governments with smaller budgets remain vulnerable.”
“The reality is that nobody knows for sure whether the number of attacks are flat or trending up or down,” according to Emsisoft. “What data is available is based largely on publicly available reports, but not all incidents are made public, even in the public sector and, consequently, the true number of incidents in all sectors of the economy is and has always been higher than reported.”
Cybersecurity incidents are so unnerving that many communities and companies never reveal the ransom demand or whether they paid it. However, California law requires that a business or local or state agency notify any California resident whose personal information was acquired by an unauthorized person. The law also requires that a breach notice sent to more than 500 California residents be provided to the California Attorney General. Simply scrolling through those breach notices shows a sharp increase in incidents beginning in 2020.
Quincy, Massachusetts, is the only local government to admit paying a demand in 2022 ($500,000), while Wheat Ridge, Colorado, faced the highest ransom demand to become public knowledge.
But what was reported showed that while cybersecurity measures may have been stepped up, they need to be bolstered significantly.
Reported cybersecurity incidents for 2022 according to the report:
106 local governments
44 universities and colleges
45 school districts operating 1,981 schools
25 healthcare providers operating 290 hospitals
While financial losses and temporary losses of infrastructure are obviously concerning, the risk that takes moral precedence is the potential loss of life from a ransomware attack, as evidenced by the hack of CommonSpirit Health, a group responsible for operating 150 hospitals.
Not only did the health organization lose financially, but personal data of patients was also compromised, and the computer system responsible for calculating doses in one of the affected hospitals went offline, which resulted in a 3-year-old patient receiving a “massive overdose of pain medication. Other affected hospitals temporarily stopped scheduling surgeries or had to redirect ambulances to other hospitals,” according to Emsisoft.
While the immediate disruption of services is the more noticeable risk to patients, there is also concern about the long-term impacts of delayed procedures and treatments, which may not become apparent until weeks, months, or years after the incident.
City of Modesto
The long-running cybercrime group called “Snatch” claimed responsibility for a ransomware attack on the Modesto, California, police department that “crippled police car laptops, forcing the police department to revert back to radios and write down the details of dispatch calls by hand.”
The hackers were able to access names, addresses, Social Security numbers, and medical information contained in work status reports, including driver’s license numbers and state-issued ID numbers, according to The Record.
“Until further notice, community members and other members of the public should contact and otherwise conduct business with the City by telephone, mail or in person,” according to The Record.
City of Oakland
The hacking group called Play claimed credit for the cyberattack on Oakland, California, that took place in February. The hack disrupted services like police report filing and tax payments, prompting the city to declare a state of emergency and shut down several city networks and systems.
The city of Oakland had to request assistance from IT experts with the California National Guard and other state agencies in the attack that crippled the city’s operations for weeks.
In March, “the [hacking] group released 9 GB of data stolen during the breach, which includes records linked to police misconduct allegations, bank statements belonging to the city’s operating account, and employee rosters spanning the last 12 years accompanied by personal identifying information such as Social Security numbers, birth dates, and home addresses,” according to SC Media, a publication from CyberRisk Alliance Resource.
The city was still impacted by the attack months later, as Play released stolen data on multiple occasions, with 600 GB of compromised data posted on the dark web in April.
By May, city officials discussed “outstanding progress” in recovery efforts, noting that almost all impacted IT systems, including digital services and internal systems, were restored.
“Our extensive manual review of the data determined to be involved has to date determined that the personal information of certain current and former employees and a limited subset of residents – such as some individuals who filed a claim against the City or applied for certain federal programs with the City – was involved in this incident,” according to a City of Oakland press release.
The cyberattack prompted Oakland Mayor Sheng Thao to propose an extra $10 million to upgrade the city’s systems and strengthen overall cybersecurity, as a portion of the city’s overall budget of $4.2 billion through 2025.
City of Hayward
Hayward, California, located in the greater San Francisco area, was forced to shut down its website and a few online municipal portals due to a cyberattack. Emergency infrastructure like 911, emergency dispatch, fire, police, and medical services weren’t disrupted, according to the city. Nor was there any disruption to city water and sewer operations.
Thus far, the city hasn’t discovered any breach of personal information of employees or members of the public, but it noted that if a breach is discovered, the city will contact those affected directly.
An investigation of the incident is ongoing as the city continues to assess and recover from the incident in which “intruders attempted to disrupt and hold hostage aspects and components of its computer systems and networks,” according to a press release. Meanwhile, public access to its official website has been restored as experts continue recovery efforts.
The Evolution of Cyberattacks
Emsisoft makes a great point about how ransomware has changed over the years. Early ransomware attacks “were simple and mostly automated.” Now, attacks are often complex, human-directed events “in which data is exfiltrated and encryption, if it happens at all, is the very last step in the attack chain.”
To simplify: there is currently confusion as to what qualifies as a ransomware attack, particularly since so many attacks are purely exfiltration without encryption. In other words, attacks by ransomware groups that deploy no ransomware at all are now prevalent.
The shift in terminology, as Emsisoft notes, should be to think of these events as “data extortion events” as the main category, with subcategories of encryption-based data extortion and exfiltration-based data extortion.
Regardless of the selected definition, cyberattacks have rapidly evolved and accelerated and cybersecurity measures need to be enhanced to safeguard not only customer, client, and patient information, but in some cases, their lives.