Hackers may have been spying in Hamilton network for months before cyberattack
City in second week of dealing with ransomware attack that could take ‘weeks or months’ to solve
The hackers who crippled Hamilton’s municipal computer network may have been lurking unnoticed in the city’s systems for weeks, even months, before triggering a sprawling ransomware attack, says a leading cybersecurity expert.
“I don’t have specific information about the exact attack that happened in Hamilton, but in general in some of the most sophisticated hacks, the attackers are in the targeted network for months before launching the attack,” said Charles Finlay, executive director of Rogers Cybersecure Catalyst in Brampton.
Like the planners of a bank heist, hackers spend time casing their target.
Without anyone being the wiser, they will root around in a network probing its security systems, looking for vulnerabilities, and locating key data.
Once they have the lay of the digital landscape, they trigger the ransomware attack: they seize control of the network, may copy out personal data, and encrypt the data in place. The hackers then withhold the decryption key until their ransom is paid.
“Part of the work that I’m sure that the City of Hamilton’s teams are doing right now is to understand how this attack penetrated their networks. And with that they may gain an understanding of how long the attackers have been there for,” Finlay said.
City officials and consultants continue to respond to the ransomware attack that has affected a range of municipal operations and services into a second week.
The cyber-breach targeting the city’s IT systems has knocked out phone lines, websites and municipal Wi-Fi, leading to the cancellation of city committee meetings.
Electronic payments — including a delay in property tax auto-withdrawals — have been affected, while recreation users have been given access to programs for free.
Public health hasn’t been able to access vaccination records and parents have had trouble reporting immunizations to the department during the outage.
Buses are running but without electronic functions such as dispatching and stop announcements for riders. Similarly, emergency services are relying on “manual” processes, the city says, but it has so far declined to say precisely what that means.
“Right now, we’re committed to doing the best thing for the city and protecting our residents,” city manager Marnie Cluckie told reporters Monday. She has not provided any updates since then.
Cluckie has not said if anyone has claimed responsibility for the hack, or if the city is negotiating with hackers. Officials “do not believe that people’s personal data and information has been accessed, and we are doing everything that we can to keep it that way,” she said.
However, Finlay said it may still be too early to know with certainty what data has been accessed or stolen.
“These attacks can take a significant amount of time to remediate. Unfortunately, the patience of the citizens of the City of Hamilton is going to be tested,” he said. “These attacks can take weeks or months to fully resolve. And it can take that long for city systems to come back online.”
He pointed to the November ransomware attack on Toronto’s public library. Those systems have only recently come back online.
Experts who spoke to The Spectator say these attacks are sophisticated and orchestrated by an international black-market ransomware industry worth billions. With that kind of money comes the resources to breach the less well-funded systems of a municipality.
Sometimes that breach comes from a hacker exploiting a system vulnerability and forcing their way into a network unseen. Other times it involves targeting the human beings working in that system, said Ken Frose, senior managing director at Delta Consulting Group Canada Ltd, a firm that helps municipalities and corporations investigate and audit their security systems.
The firm recently concluded an audit into the theft of $52,000 from the city by a hacker pretending to be a representative of a city contractor. The criminals were able to get the city to redirect payments by targeting staff with legitimate looking emails.
In that case, Delta found that some city protocols were too lax, and a now-retired employee did not follow existing procedures — including double checking corporate and banking information — that may have prevented the theft.
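The payment-redirection fraud described above relies on e-mail that looks like it comes from a real contractor. One technical control that complements the manual double-check of banking details is to flag sender domains that impersonate a verified vendor. The script below is an added example and is not code from the city, Delta Consulting, or any vendor named on this page: it assumes a constructed list of verified vendor domains (`KNOWN_VENDOR_DOMAINS`), compares each message's `From:` and `Reply-To:` domains against that list after folding common homoglyph substitutions, and treats a `Reply-To:` on a different domain as a classic business-e-mail-compromise sign. The sample messages are constructed for illustration.

```python
"""Lookalike-domain and Reply-To checks for vendor e-mail (added example, constructed data)."""
import unicodedata
from email.utils import parseaddr

# Constructed list of vendor domains that finance has verified out of band (hypothetical).
KNOWN_VENDOR_DOMAINS = {"acmepaving.example", "northcontracting.example"}

# Character substitutions commonly used when registering lookalike domains.
_SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
                  ("5", "s"), ("7", "t"), ("8", "b")]


def normalize(domain: str) -> str:
    """Fold case, accents and common homoglyph tricks so 'n0rth' compares as 'north'."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    for fake, real in _SUBSTITUTIONS:
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance between domains signals typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain part of an RFC 5322 address such as 'Name <user@host>'."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_domain(domain: str) -> tuple[str, str]:
    """Return (verdict, reason) for one sender domain: trusted, lookalike or unknown."""
    if domain in KNOWN_VENDOR_DOMAINS:
        return "trusted", "exact match to verified vendor domain"
    norm = normalize(domain)
    for vendor in sorted(KNOWN_VENDOR_DOMAINS):
        vnorm = normalize(vendor)
        if norm == vnorm:
            return "lookalike", f"homoglyph variant of {vendor}"
        if edit_distance(norm, vnorm) <= 2:
            return "lookalike", f"within 2 edits of {vendor}"
        label = vnorm.split(".")[0]
        if label in norm:  # e.g. acmepaving-invoices.example or acmepaving.example.co
            return "lookalike", f"embeds vendor name {label!r} in a different domain"
    return "unknown", "not a known vendor and not similar to one"


def assess_message(headers: dict) -> dict:
    """Check From: and Reply-To: of one message; a mismatched Reply-To is a BEC red flag."""
    from_dom = sender_domain(headers.get("From", ""))
    verdict, reason = classify_domain(from_dom)
    reasons = [reason]
    reply_dom = sender_domain(headers.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        r_verdict, r_reason = classify_domain(reply_dom)
        reasons.append(f"Reply-To domain {reply_dom} differs from From ({r_reason})")
        if verdict == "trusted":
            verdict = "lookalike" if r_verdict == "lookalike" else "suspicious"
    return {"from_domain": from_dom, "verdict": verdict, "reasons": reasons}


# Constructed sample headers: a genuine vendor, a homoglyph domain, a Reply-To hijack, a stranger.
SAMPLE_MESSAGES = [
    {"From": "Acme Paving Billing <billing@acmepaving.example>"},
    {"From": "billing@n0rthcontracting.example"},
    {"From": "billing@acmepaving.example", "Reply-To": "accounts@acmepaving-invoices.example"},
    {"From": "Dave <dave@mailhost.example>"},
]


def run_samples() -> list:
    """Verdict for each sample message, in order."""
    return [assess_message(m)["verdict"] for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = assess_message(msg)
        print(result["from_domain"], result["verdict"], "; ".join(result["reasons"]))
```

A "lookalike" or "suspicious" verdict should not block payment by itself; it should route the request to the out-of-band callback that the audit found was skipped, using a phone number already on file rather than one supplied in the e-mail.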
“It’s a pretty common thing. We’ve seen that across a whole number of companies and businesses, governments, municipalities,” Frose said. “They are doing their best to implement controls, but fraudsters do keep looking for new gaps. So you have to keep evolving and reviewing and I guess the general comment would be that governments and businesses are sometimes slow to adapt.”
That is why, in addition to having robust security systems, including multifactor authentication to access a network, staff training and education are critical, said Sami Khoury, head of the Canadian Centre for Cyber Security.
“Some of these (breaches) are not system vulnerabilities. They can be triggered with phishing email,” Khoury said.
Those emails will contain “extremely well written” lures that can “fool maybe the most savvy user,” into clicking a link that will allow a hacker into the system.