The encryption over the weekend by hackers of part of the computer networks of San Francisco’s light-rail system is yet another sign that public service sectors are increasingly falling victim to global extortionists.
It’s also a reminder of the widespread vulnerabilities of American computer systems and of the dilemma faced by President-elect Donald Trump, who’s refused to embrace the U.S. intelligence establishment’s conclusion that Russian hackers were behind the invasion of the Democratic National Committee computers earlier this year.
Private and public entities across the Western world are experiencing a surge in attacks by hackers who implant malicious computer code in their networks. The code encrypts files or entire hard drives. The hackers then demand a payment in bitcoin to obtain a decryption key.
Hackers tied to Eastern Europe and Russia this year have hit nearly two dozen U.S. hospitals and medical device companies. In March they froze the computers of a small police department in Melrose, Mass. The department later reportedly paid one bitcoin to decrypt its computers.
San Francisco’s Municipal Transportation Agency said the problem was “contained” and that service was not affected. Riders of the Muni system, which includes light rail, bus and the famed cable cars, found gates open over much of the weekend, allowing them to ride for free. Computer screens at ticket kiosks flashed: “You Hacked, ALL Data Encrypted.”
The hackers used an email address hosted by a Russian internet services company, Yandex, and quickly responded, in fractured English, to an email query Monday.
“San Francisco People ride for free two days! Welcome!” a hacker who used the name Andy Saolis said in an email. He added that the hack hit 2,000 servers and computers and affected “all payment kiosk and internal automation and email.”
The hacker indicated that his team wormed its way into the San Francisco system through a “completely random” penetration and had demanded 100 bitcoin, a form of digital currency, to decrypt locked computer files, an amount equivalent to about $73,000.
If the demand isn’t met, he said, his team would release 30 gigabytes of documents including contracts, employee data and “low level design plan,” which would include information on “power plants, cabling, maps and switching.”
“Sorry For My English anyway ;),” he wrote.
Similar attacks have disrupted U.S. life in an increasingly brazen fashion, extorting ransom payments but also penetrating servers of the Democratic National Committee and state election bodies, underscoring the vulnerability of the entire U.S. political system.
The Obama administration on Oct. 7 blamed Russian state hackers for the DNC break-in, and said it had to have been approved at the highest levels of the Russian government, indicating that President Vladimir Putin had given the green light. Trump has declined to endorse the finding, and has vowed to work more closely with the Russian leader on a series of global problems.
The connection between the ransom hacks and the DNC penetration is anything but clear. But the growing incidence of hacking involving Russia-based entities appears undeniable, and its spread to the public service sector suggests the possibility of the disruption of key services.
Public-sector entities have more rules and policies about how to deal with criminal extortion attempts than private companies, which can act quickly to deal with such harassment.
“I wouldn’t consider Muni a particularly good target for ransom,” said Tim Erlin, a security and risk strategist at TripWire, a Portland, Ore., company that focuses on threat detection and security software.
“I think Muni was just an unlucky victim of an attack that is threatening many other organizations,” echoed Graham Cluley, a British expert who blogs about cybersecurity.
As a first step, Cluley said, investigators should “contact Yandex and the authorities in Russia to see if they can shed any light on who was accessing that email account. However, I wouldn’t hold up much hope.”
For private businesses, finding that computer files and hard drives have suddenly been encrypted is an expensive nuisance. Many do not publicize how they deal with the attacks.
“This is probably the tip of the iceberg as far as who has been hit,” said James Pleger, director of threat and security research at RiskIQ, a San Francisco cybersecurity company.
Pleger said those making ransom demands are likely not those who designed the malicious code that found its way into computer systems.
“What they are doing is they are purchasing infections. There’s an underground market where you can buy infected computers,” Pleger said. “Let’s say you are a ransomware author. You say, ‘I want to buy 1,000 computer installations.’ ”
The buyers then control the infected computers and implant whatever virus or exploit they desire to make a ransom demand, he said. Such attacks show no sign of abating.
“It’s still going up. Over the last four or five years, we’ve seen an uptick every year in ransomware. I don’t personally see it going down because of how effective it is,” Pleger said.