Information technology officials in Baltimore warned the city’s leaders that their network infrastructure was out of date and susceptible to repeated cyberattacks well before the city became the victim of a widespread ransomware infection that has disabled municipal services for more than three weeks.
The warning was reported Thursday by the Baltimore Sun, which obtained an undated risk assessment urging city leaders to move their computer systems to a secure environment to minimize the risk of a financially costly incident, such as a ransomware attack. Not doing so would make Baltimore “a natural target for hackers and a path for more attacks in the system,” the IT officials’ report said, according to the Sun.
Meanwhile, the city is getting the first picture of how expensive this incident will be. Baltimore’s budget director, Bob Cenname, told the city council Wednesday that $4.6 million has already been spent on replacing software and hardware and bringing in additional personnel, and that the city may need another $5.4 million this year. Cenname also said the cyberattack has cost the city $8.2 million in productivity, bringing its potential cost to $18.2 million.
Baltimore officials said May 7 that many of the city’s computer systems were disabled by a ransomware virus known as RobbinHood, which left affected municipal computers flashing ransom notes saying the city’s network would remain frozen unless it paid 13 bitcoins — currently about $105,000 — for a decryption key.
The systems known to be locked by the malware include city employees’ emails, voice-over-internet-protocol phones, online bill payments and real-estate transactions, though the city implemented a “manual workaround” using paper documents to get the housing market moving again. Baltimore health officials also can’t connect to a Maryland state government program that issues warnings about bad batches of illegal drugs.
The RobbinHood incident is also not Baltimore’s first encounter with ransomware. In March 2018, the computer-aided dispatch system it uses to field 911 and 311 calls was briefly disabled, forcing dispatchers to take manual notes for several days.
According to the Sun, the risk assessment — which appears to be from before September 2017, when the Baltimore City Information & Technology office took its current name — focused on a pair of servers responsible for more than 100 applications operating on a version of Microsoft Windows that is no longer supported by the technology giant. The New York Times reported Sunday that a leaked National Security Agency hacking tool known as EternalBlue, which targets a Microsoft vulnerability, was used to infect Baltimore’s systems with the RobbinHood malware, though cybersecurity experts have cast doubt on that account.
Still, the revelation that Baltimore’s IT office told the city’s leadership that its computing architecture was dangerously out of date recalls a warning issued to Atlanta in January 2018, two months before that city became the victim of the SamSam ransomware. An Atlanta city auditor’s report found that nearly 100 government servers were running on Windows Server 2003, which Microsoft stopped updating in 2015.
Microsoft released a patch for EternalBlue in 2017 shortly after the tool was leaked by a group known as the Shadow Brokers. It’s unclear if Baltimore ever installed it, but on Thursday, NSA senior adviser Rob Joyce told guests at a cybersecurity conference that network administrators have to think about more than one patch at a time.
“Vulnerabilities will continue to be found,” Joyce said.