Baltimore Government Becomes the Victim of a Ransomware Attack

us government breach data breach breach report email compromised cyber security news hackers us breach

Several major US cities have been the victim of ransomware attacks recently. The list is pretty long and includes names such as San Antonio, Atlanta, Cleveland and Allentown.

In most of the cases, the target of the attack were government organisations. And the latest addition to that list is Baltimore - the city housing the headquarters of the NSA.

The Event:

The government office of Baltimore became the victim of a cyberattack on 7th May 2019 rendering thousands of computers useless. This event heavily disrupted all the governmental services including real estate sales, utility services, and essential services such as health. Emergency services, though, such as 911 and 311 were out of the reach of the attack, Lester Davis confirmed, a spokesman for the Mayor of the Baltimore.

The event surfaced when the city workers' computers froze on that dreaded day. The ransom message filled the computer screen stating all the city files have been encrypted and they need to pay in order to safely decrypt the files. The culprits demanded 3 BTC (~$25,000) for each of the computers or a lump sum of 13 BTC (~$100,000) for unlocking all of the machines. The ransom note, as usual, reminded the officials to not involve FBI into this matter.

This event led to the disruption of the local administrative works for nearly 3 weeks. The IT engineers and network technicians had to work day in, day out to put everything back on track and ensure that none of the systems remains infected.

The Background of cyber crime:

One thing that was common in most of the ransomware attacks on the various city government offices is the tool called EternalBlue.

The EternalBlue is a tool that was originally created by the NSA themselves. Its purpose was to creep into the rival's system and take over its control. But quite ironically NSA lost control of this top-secret tool back in 2016. Afterwards, this specific tool (or some variant of it) has been used by many hacking groups from different corners of the world to paralyze the local governments. Hacking groups from China, North Korea and Russia have been allegedly accused of disclosing confidential information and hacking banks, hospitals, and airports time and time again.

Back in August 2016, a mysterious hacking group named the Shadow Brokers announced in a Tumblr post that they have been successful in getting their hands on the cyber weapons of the Equation Group, one of the most sophisticated and advanced hacking groups considered by many experts that is suspected to also be tied to the NSA. They were running an auction for selling those tools to the 'interested' customers who were willing to spend only 1 million BTC (as of August 2016, $550+ million!!!). The tools that were compromised in this event included DoublePulsar, EternalBlue, EternalSynergy, EternalRomance and the FuzzBunch framework.

Although it is assumed that the Shadow Brokers was behind the leak of the NSA's top-secret tools, Symantec researchers now claim that there is evidence suggesting the equally mysterious Buckeye cyber espionage group (also known as 'APT3' and the 'Gothic Panda') were using this tool at least a year prior to the Shadow Brokers event. Despite the lack of information and evidence as to how Buckeye was able to get their hands on the Equation Group tools, it is assumed from the available bits of information that this was the result of an attack on the Chinese servers by the NSA. The Buckeye most probably were able to reverse engineer this tool from the captured network traffic.

The disclosed snooping tools were later used in many other ransomware cyber crimes around the globe. The usage of EternalBlue was later confirmed in both the ransomware Campaigns WannaCry and NotPetya that caused billions of dollars of loss worldwide.

The Follow-up:

Christopher Elisan, one of the so-called subject matter experts of this field and the director of intelligence at Flashpoint, claimed that this most likely is not a targeted event looking at the relatively small amount of demanded ransom. Although many experts and investigators are suspecting that the masterminds behind this heinous act are most probably from China or Russia, Elisan did not forget to add that evidence such as incorrect grammar, the active hours and cyber footprint - all could be fabricated.