Details on RDOS cyberattack finally discussed in public
Major ongoing investments will be required to fend off cyberattacks like the one that crippled the Regional District of Okanagan-Similkameen last summer, elected officials heard Thursday.
“The sophistication of these attacks is increasing year over year,” said Danny Francisco, the local government’s manager of information services.
“It’s something that can just not be ignored moving forward at all.”
Francisco appeared before the RDOS board’s corporate services committee to release for the first time publicly some details of the cyberattack, which resulted in some critical internal systems, like email, online bill payments and mapping services, going dark.
Email accounts for RDOS staff and directors weren’t restored until late September 2020, and it took until March 2021 to complete all recovery work and re-secure the system.
Francisco said a third-party forensic investigation determined the cybercriminals gained access to the RDOS network on July 25, 2020, using a valid test account.
From there, the attackers were able to poke around and gather enough information to create a new user account with administrative privileges, which they intended to use to launch their ransomware attack from somewhere in Europe.
Their goal was to encrypt data within the RDOS system and then demand a ransom to unlock it, according to Francisco.
Fortunately, RDOS security software finally recognized something was amiss on Aug. 10, 2020, and put the entire system offline, thereby thwarting the ransomware attack before it could be launched.
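The two signals in the account described above, a login on a seldom-used test account followed by the creation of a brand-new account that is immediately given administrative rights, are exactly the kind of thing a defender can alert on long before encryption starts. The example below is added here and is not code from the RDOS, its consultant or the article; it assumes a constructed `key=value` log format, the well-known Windows Security event IDs 4624 (logon), 4720 (user created) and 4732 (member added to local group), and the thresholds (90 days dormant, 24-hour create-to-admin window) are arbitrary choices. All account names, dates and log lines are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Windows Security event IDs the rules key on (real IDs; the log format below is constructed)
EVENT_LOGON = 4624               # An account was successfully logged on
EVENT_USER_CREATED = 4720        # A user account was created
EVENT_GROUP_MEMBER_ADDED = 4732  # A member was added to a security-enabled local group

DORMANT_AFTER = timedelta(days=90)            # assumption: a 90-day gap makes a logon suspicious
CREATE_TO_ADMIN_WINDOW = timedelta(hours=24)  # assumption: create + admin grant inside 24h is suspicious


@dataclass
class Event:
    ts: datetime
    event_id: int
    subject: str       # account that performed the action
    target: str = ""   # account acted upon (created / added to a group)
    group: str = ""    # group name for 4732 events


def parse_line(line: str) -> Event:
    """Parse one constructed 'ts=... id=... subject=... target=... group=...' line."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    return Event(
        ts=datetime.fromisoformat(fields["ts"]),
        event_id=int(fields["id"]),
        subject=fields.get("subject", ""),
        target=fields.get("target", ""),
        group=fields.get("group", ""),
    )


def detect(events: Iterable[Event], last_seen: Dict[str, Optional[datetime]]) -> List[str]:
    """Return alert strings for dormant-account logons and fresh accounts granted admin rights.

    last_seen maps every account known to the directory to its last logon (None = never).
    It is updated in place as logons are processed.
    """
    alerts: List[str] = []
    created_at: Dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_id == EVENT_LOGON:
            if ev.subject in last_seen:
                prev = last_seen[ev.subject]
                if prev is None or ev.ts - prev > DORMANT_AFTER:
                    alerts.append(f"dormant account {ev.subject} authenticated at {ev.ts.isoformat()}")
                last_seen[ev.subject] = ev.ts
        elif ev.event_id == EVENT_USER_CREATED:
            created_at[ev.target] = ev.ts
        elif ev.event_id == EVENT_GROUP_MEMBER_ADDED and ev.group == "Administrators":
            created = created_at.get(ev.target)
            if created is not None and ev.ts - created <= CREATE_TO_ADMIN_WINDOW:
                alerts.append(
                    f"new account {ev.target} added to Administrators by {ev.subject} "
                    f"{ev.ts - created} after creation"
                )
    return alerts


# Constructed sample: a test account wakes up, then creates an account and makes it an admin.
SAMPLE_LOG = """\
ts=2021-03-01T02:14:09 id=4624 subject=test_account
ts=2021-03-02T09:00:00 id=4624 subject=jsmith
ts=2021-03-09T23:41:12 id=4720 subject=test_account target=svc_backup2
ts=2021-03-10T00:02:55 id=4732 subject=test_account target=svc_backup2 group=Administrators
ts=2021-03-10T10:00:00 id=4732 subject=admin_it target=jsmith group=Administrators
"""

# Constructed directory inventory: last known logon per account.
KNOWN_ACCOUNTS_LAST_SEEN: Dict[str, Optional[datetime]] = {
    "test_account": datetime(2020, 10, 1),
    "jsmith": datetime(2021, 2, 28),
    "admin_it": datetime(2021, 3, 1),
}


def run_sample() -> List[str]:
    events = [parse_line(line) for line in SAMPLE_LOG.splitlines()]
    return detect(events, dict(KNOWN_ACCOUNTS_LAST_SEEN))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The last sample line (an established account added to Administrators by an IT admin) deliberately produces no alert: the second rule fires only when creation and the admin grant happen close together, which keeps routine group changes out of the alert queue while still catching the pattern the article describes.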
Since it was insured against cyberattacks, the RDOS paid just a $15,000 deductible to cover the cost of recovering from, and analyzing, the incident.
Francisco said the RDOS had been following good cybersecurity practices, such as using encrypted servers, adopting password protection policies, and running ransomware monitoring software, but it simply wasn’t enough.
“It comes down to the fact that all of this stuff is important, but it’s not everything that we do need to be getting into,” said Francisco.
“Modern cybercrime is getting more sophisticated… and there are ways around all these (security) tools.”
Among the new security measures recommended by the outside consultant are cybersecurity training for all RDOS staff and monitoring the dark web to see what information about the RDOS comes up for sale on the black market.
“You can buy a login ID like the one we had compromised off the dark web,” added Francisco, who also suggested the system may require 24-7 staff monitoring.
RDOS chief administrative officer Bill Newell said some of the recommended cybersecurity measures are being built into the proposed 2022 budget and work plans.
Some improvements have already been made in response to a separate third-party review of RDOS technology systems that was completed in late 2020.