Hackers used stolen online credentials to get into the city of Dallas’ system and steal files during a cyberattack earlier this year, according to a city internal review of the data breach.
In an after-action report released this week, Dallas information technology officials said the stolen credentials allowed hackers with the group Royal to connect to a city server and gave them remote access to the system starting on April 7. Royal spent about a month going through the city’s network, downloaded almost 1.2 terabytes of data through that server, and launched a ransomware attack at 2:04 a.m. on May 3.
The report said Royal left a text file titled “README” letting the city know they were responsible for the hack.
“Using its previously deployed beacons, Royal began moving through the city’s network and encrypting an apparently prioritized list of servers using legitimate Microsoft system administrative tools,” the report said.
Four months after Dallas announced the ransomware attack, officials have for the first time released a timeline of what happened and a list of what city systems were impacted. The city published the 31-page report sometime after Wednesday’s briefing to City Council. The release was delayed two weeks than originally announced after a previous briefing was postponed.
Hackers accessed some of the most sensitive information stored by the city, including medical information, health insurance information, and Social Security numbers of Dallas employees, retirees and their relatives. The personal information of at least 30,253 people was exposed, though city officials believe that number could increase later this year after further review of the data breach.
Last month, the city sent 27,000 letters to people impacted by the data breach informing them of the leak and offering them two years of free credit monitoring.
On Aug. 9, the City Council approved setting aside nearly $8.6 million to pay vendors for hardware, software, incident response and consulting services in response to the ransomware attack. The report said that amount will likely grow.
Bill Zielinski, the city’s chief information officer, and Brian Gardner, Dallas’ chief information security officer, declined to publicly elaborate to council members Wednesday how hackers were able to get access to the city’s network, citing an ongoing criminal investigation. They also declined to say whether any of the files downloaded had been stored improperly by the city. They both described hackers using “stolen credentials.”
“That’s actually one of the strengths that these attackers have is that they’re very sophisticated,” Zielinski told council members Wednesday. “Once they get into the system, they’re very good at avoiding that detection.”
It also still isn’t clear from the report, or the two officials, which departments had data accessed by hackers other than the human resources department.
The FBI and the federal Cybersecurity and Infrastructure Security Agency have said a common way Royal gains access to networks is through phishing, using links sent in emails and attached PDFs to lure people into sending their information.
Zielinski told The Dallas Morning News earlier this month the data stolen was equal to roughly 819,000 files stored by the city.
He also said the internal review determined files associated with the breach were on roughly 996 of more than 15,000 computers, servers and other devices connected to the city’s network. He said 230 servers and 1,168 workstations were also hit during the attack. One hundred servers were ultimately removed from the city’s network.
Zielinski and Gardner told council members Wednesday they believed the impacts from the hack could have been worse if the city hadn’t been beefing up its IT investments in recent years. The information and technology services budget related to data has grown from $77 million in 2018 to $110 million this year. In the latest city budget approved on Wednesday, the spending plan for the department related to data has grown to $132 million.
The duo also cited a recent report from IBM on cyberattacks that on average organizations impacted by ransomware reported it taking an average of 73 days to contain data breaches. Zielinski and Gardner noted it took one day for Dallas.
According to the after-action report, it took 50 minutes for the city to get its first alert of a cyberattack on May 3.
By 5 a.m., city workers started procedures to try to reduce the attack. From 5:32 to 6 a.m., several servers were determined to have been impacted, including those involving the sanitation department.
Notifications of widespread service outages were made to city staff at 8:05 a.m., followed by notifications to the city’s top IT and financial officials, city attorney’s office, emergency management office and federal authorities by 8:30 a.m. An incident response plan was also launched at that point, according to the review.
The Mayor and City Council were notified of the incident at 9:05, the report said. City officials deemed trying to restore the police and fire computer aided dispatch system as a priority at 9:35 a.m.
The report says by 11:10 a.m., “critical public safety servers” were determined to have been infected by ransomware and the city began disconnecting servers to prevent it from spreading. Despite that, new servers were determined to become infected at 1:22 p.m.
By 2:15 p.m., the city determined 173 servers have been impacted as well as several departments. About three hours later, at least one server was determined to have been reinfected.
It wasn’t until around 6 a.m. the next morning that city workers and outside vendors brought in to help were able to get rid of the ransomware.
“Subsequent to this occurrence, no further indications of threat actor activities identified,” the review said.
The report said all of the city’s more than 40 departments were impacted by the hack. It also lists at least 17 systems that were down at some point during the ransomware attack, including city fax and print services, police surveillance cameras, public safety file sharing, the building permitting system, library management services, fire station alert systems, police and fire mobile data computers, court-ordered warrant management system, and the ePay system for residents to pay their water bills and bills from other departments.
Among the recommendations in the report were for the city to update its cybersecurity program, determine the security risks of each department, improve data backup and restoration processes, update its incident response plan, and better manage the software it uses.
“Many city applications and services are not operating the most current versions of the underlying software,” the report said. “Several significant applications and services are operating on software versions that are no longer supported by software manufacturers and vendors.”