Failed RDOS cyberattack still under investigation
Imagine you’re away for the weekend when you get a call from your alarm company regarding a possible break-in at your home. When you arrive home, you find a door is broken, but it’s not immediately apparent if anyone got inside or anything was stolen.
The only way you can really know for sure is by searching the entire house to check if anything is missing or if an intruder left behind any evidence.
Now imagine your house is actually the technological backbone of a local government that services 85,000 people over a 10,000-square-kilometre area and your possessions are the millions of data files contained within it.
It’s a rough analogy, but it fairly describes what happened Aug. 10, when the Regional District of Okanagan-Similkameen lost access to most of its information technology systems: email, bill payments, maps, employee files, planning documents, schedules and much more.
The services were taken offline automatically by the RDOS’ cybersecurity system when it detected unusual activity.
“This attempt caused a system crash which kicked the attacker and (legitimate users) out of the system. As a result, the attacker was not able to complete the attack,” Danny Francisco, manager of the RDOS information services department, said in an email.
It’s believed the culprit was preparing to launch a so-called ransomware attack, which would have locked out the RDOS from its own systems and demanded payment to restore access. In effect, the RDOS’ data would have been held hostage.
Such ransomware attacks are becoming increasingly common. Just this month, TransLink, which operates public transit in Metro Vancouver, announced a ransomware attack was responsible for customer payment problems that lasted three days.
As in real-life hostage situations, organizations rarely reveal publicly whether or not they paid ransom, although doing so can save money in the long run. For example, the City of Atlanta in 2018 refused to pay a $51,000 ransom and then spent approximately $17 million rebuilding its systems.
Fortunately, the RDOS wasn’t forced to make such a calculation because its defences appear to have successfully thwarted the threat by putting everything offline and out of the attacker’s reach.
“The RDOS has not been made aware of any compromised data through the cyber investigation thus far,” noted Francisco.
“All passwords were reset and accounts disabled on the day of the attack. The RDOS continues to work with the cyber response company, following their recommendations and using a combination of monitoring tools and best practices to keep data secure.”
While the attempted attack itself isn’t believed to have done any direct damage to the RDOS’ information technology system, getting the system up and running again has proven to be a months-long challenge that left staff and directors without full email access until late September.
The attack could hardly have come at a worse time: the RDOS was still figuring out how to conduct business electronically during the pandemic, and the Christie Mountain wildfire, with evacuation orders for 300 properties, was just a week away.
In hindsight, it was probably just a matter of time before the RDOS’ aging IT system failed. An assessment of the system had been ordered in March and was due to be completed in August. The scope of that $25,000 review was later amended, and a draft report presented to the board Dec. 17.
“It’s not pretty,” said Michael Rogers of TMC Consulting.
Of note, he found the RDOS hadn’t been taking standard security precautions like hiring firms to test its online defences or investing in backup systems to quickly relaunch IT services after they were taken offline.
“Had you seen this (report) before you actually had your cyberattack, you would have heard us say you don’t have adequate security capabilities and you don’t have failover capabilities for your systems. Unfortunately, you did have that event and I think you’ve all kind of seen and felt the effects of that,” Rogers said.
Even now, he continued, the RDOS team has “reactivated” most online systems, but that’s a Band-Aid solution at best. “There’s a difference between rebuilding and improving and just getting them back up and running again,” Rogers said.
“Obviously the most important is rebuilding your infrastructure. There are some immediate things that need to happen in 2021 to improve security and reliability. But on an ongoing basis there will continue to be upgrades that you need to do in order to keep things secure and keep them reliable.”
He estimated it will cost about $380,000 in 2021 just to secure the system and another $550,000 in 2022 to bring it up to date.
A second consulting firm has been hired by the RDOS’ cyberinsurance company to do a forensic investigation of the attempted ransomware attack to get a better idea of how far it got and where it originated. A report from that probe is due in January. RDOS board chair Karla Kozakevich said the cyberattack was a wake-up.