Municipal employees in the suburbs of Anchorage, Alaska, have had to revert to typewriters to accomplish some tasks since some government systems were taken down by a sophisticated malware cocktail last week.
The Matanuska-Susitna Borough has been dealing with the aftermath of the cyberattack since July 24, when malware was detected on several internal servers. The FBI’s Cyber Crime division is investigating the incident, along with a similar hack reported in the neighboring city of Valdez.
“This is a very insidious, very well-organized attack,” borough IT Director Eric Wyatt said on a conference call last week with the FBI, Valdez officials, and others responding to the incident. “It’s not a kid in his mom’s basement. Because we are getting the information out and sharing it with other entities, hopefully they can weather the storm.”
The incident led borough officials to take some systems offline, including email, phones and other networked devices. Many public-facing systems, including the borough’s main website, have remained online, but residents have lost the ability to make online payments or use credit and debit cards at local libraries and animal-care facilities.
Nearly 500 of the borough’s Windows computers and 120 of its 150 servers were encrypted, locking out government staff from their email accounts, phone network and their backup and disaster-recovery systems. Even the card-swipe mechanism borough employees use to lock and unlock doors at borough buildings was encrypted, though the doors themselves continued to work.
In the meantime, many government functions in Mat-Su, as the borough’s some 106,000 residents call it, have been carried out with antiquated equipment, employees pulling old typewriters out of storage and recording library loans and landfill fees by hand, the borough’s public affairs director, Patty Sullivan, said last Friday.
Borough officials described the virus that infected government systems as a complex mixture of ransomware and other malware designed to prolong the cyberattack.
“This was a multi-pronged, multi-vectored attack,” Wyatt wrote in a report published Monday .
Wyatt, who’s worked in military and civilian IT for more than thirty years, wrote that the malware featured the ransomware program known as BitPaymer, which locks down infected systems unless the victims pay anywhere between 20 and 53 bitcoin — $154,400 to $409,160 at today’s exchange rate. But the package on Mat-Su’s systems also contained Trojan horse and “time-bomb” components, Wyatt continued.
The original infection was most likely delivered, he said, through a phishing link in an email to a borough employee.
That elaborate setup gave the cyberattack a long lead time, wrote Wyatt, who added that the malware was “lying dormant” on a borough server since as early as May 3. It wasn’t until July 17, after Wyatt’s team installed the latest update of its McAfee anti-virus software, that it started detecting activity from the Trojan component.
The McAfee program appeared to be doing its job of detecting and eliminating the Trojan horse for about the next week, but it was leaving behind other components while the number of affected computers reached “alarming levels,” Wyatt wrote.
On July 23, the IT staff developed a script to remove the bits McAfee missed, but it now appears that triggered the worst part of the cyberattack: “This action, of attacking back, seemed to trigger the virus to launch the Crypto Locker component,” Wyatt wrote. “This trigger may have been automated, a Dead Man’s Switch, or there may have been a person manually monitoring activity and executed their Command and Control (C2) to launch the attack.”
According to evidence borough officials found in their response, Mat-Su was at least the 210th victim since BitPaymer was first detected in June 2017 .
While Wyatt wrote that the backup and disaster-recovery servers were built to defend against all known cyberthreats, he conceded in his report that they were compromised by a “theoretical exploit.” Still, he wrote, that both systems used a “multi-tiered tiered approach to data protection” that will allow the city’s data to be recovered. The borough’s Microsoft Exchange email server, though, appears to be lost and will have to be replaced entirely. Government workers are temporarily using an external email system.
Officials reported Monday they discovered over the weekend that while most borough data was not lost in the cyberattack, it will take a while before its data can be recovered.
Affected desktop computers are being re-imaged at the rate of about 38 per day, according to the city, while copies of the infected data are being turned over to the FBI’s investigation.
The borough’s phone server was also rebuilt Sunday evening, Sullivan said. Wyatt wrote that other systems can be recovered in time, including geospatial imaging data Mat-Su officials use to map the borough.
How well other entities can cope with BitPaymer is in large part up to large anti-virus and IT security companies. Wyatt wrote he sent the virus files to McAfee so it can analyze and update the anti-virus software to prevent future attacks.
“We are awaiting the reply,” he wrote.