Most state and local governments struggle to deliver basic services to fight fires and address rising crime rates. Cities keep one eye on the budget while trying to maintain aging water and sewer lines or gas pipelines. Municipal hacks and cybersecurity are often an afterthought with most cities and towns just having the basic infrastructure protection of firewalls and antivirus solutions.
Unfortunately, cybersecurity has become more than a budgetary line item as attacks on municipalities seem to be surging. Ransomware attacks on local governments and agencies started a steady increase in 2019. In 2020, more than 2,000 government and associated agencies experienced ransomware attacks. Thus far in 2021, cybersecurity hacks against municipalities and government agencies appear to be on track to beat 2020 data.
For example, Rhode Island Public Transit Authority was the target of a ransomware attack that shut down operations and disrupted services in early August 2021. Although the buses continued to operate, payments could not be processed. As a result, passengers using digital payment methods were denied rides until the Transit Authority allowed passengers to ride regardless of payment status.
Given that October is National Cybersecurity Month, municipalities should use the coming weeks to revisit their cybersecurity plans. The Cybersecurity and Infrastructure Security Agency (CISA) participates in the month-long awareness effort with online resources to help state and local governments with cybersecurity.
Who’s at Risk for Municipal Hacks?
Every state and local government is at risk because cybercrime is not only big business, it is organized. Hackers band together to form organized groups that scour the internet for opportunities. These groups of ten or twenty individuals troll the internet looking for known vulnerabilities. When they get a hit, they are ready to launch the attack because these criminals already have the malware available to take advantage of the vulnerability. 
Most often, due to poor cybersecurity hygiene, state and local governments are often caught in this “spray and pray” method of attacks. In 2019, seven Rhode Island municipalities fell victim to ransomware municipal hacks. One municipality paid a six-figure ransom to get the data unlocked.
Cybercriminals stole four years’ worth of data from the Pawtucket’s fire department in a ransomware attack. The information included fire reports and call logs stored on the compromised system. Although the department still felt the after-effects of the compromise late into the year, the city did not comply with the demands. Instead, they are attempting to rebuild the files.
Also in Rhode Island, East Greenwich suffered a ransomware attack in December 2019. While the hack significantly disrupted their systems, they had a bargaining chip in that the IT department had done a full backup just one hour before the hack took place. Having a thorough backup offsite saved the town from the expense of paying a ransom to retrieve their data. Other targets included Newport School District and the city of Exeter. All were local government hacks designed to disrupt services and steal local data.
In spring 2021, Microsoft detected multiple attacks against on-premise Exchange Servers. Microsoft notified the federal government and the White House cautioned public and private firms to ensure their Exchange Server instances were updated to address known vulnerabilities. Before the hackers were contained, more than 30,000 organizations were compromised. Local governments and their various agencies, including police and fire departments as well as hospitals, took an especially hard hit as a result of this breach.
What Types of Attacks Are Used in Municipal Hacks?
The most popular cyberattacks use ransomware or business email compromise (BEC) tactics to extort money from government agencies. Government agencies are more likely to pay invoices using wire transfers which is why cybercriminals deploy BEC tactics in these sectors. Ransomware attacks can disrupt services and compromise data, resulting in municipalities making payments to regain control of their systems.
Ransomware
Ransomware (this will link to the other Oct blog on ransomware) is malware that is designed to extort money from targeted victims. But, today’s ransomware is not the same as the original malware that could be thwarted through system backups. Hackers have the ability to customize the malware once it’s on a system, making it even more difficult to counter their demands.
Ryuk is a form of ransomware that attacks both production and backup files. Once the malware is on a system, it looks for any backups or conflicts that would prohibit the ransomware from running. It locks those files and processes before launching the attack. Most ransomware attacks also extract information to use as an added incentive to pay the ransom. In some cases, they will use the data to extort money from the owner of the information.
In 2019, New Bedford, Massachusetts suffered a ransomware attack. The hackers originally asked for $5 million in Bitcoin to unlock the system. The city countered with $400,000, which was the amount covered by their cybersecurity insurance. When the counteroffer was rejected, the city attempted to restore the system. Fortunately, only 4% of the city’s computers were active at the time of the attack, making recovery less costly.
Business Email Compromise
Some hackers use business email compromise (BEC) tactics to misdirect legitimate payments to a fraudulent account. In 2020, this type of billing or payment fraud rose 155%. The scam starts with social engineering where hackers can steal important details about a company’s operations. 
Using the information gained from browsing the system, hackers send an email from a corporate executive or senior management authorizing the accounting department to make a wire transfer. When the funds are transferred, they are quickly moved to other accounts, making it difficult to recover the lost funds.
In 2021, Peterborough, New Hampshire, lost $2.3 million dollars to a successful BEC attack. Cybercriminals impersonated a local school district that received funds every month from the city. In July, the city learned that the school district did not receive its $1.2 million monthly payment. Instead, the finance department had wired the funds to a bogus account where it was moved through several financial institutions until it was converted to a cryptocurrency.
How Much Does a Cyberattack Cost?
Although cyberattacks can be measured in dollars and cents, state and local governments have more to lose than money. Municipalities lose public trust. When services are disrupted, people wonder what type of municipal cybersecurity is in place. They wonder if their personal data has been compromised. 
Depending on the agency, hackers could have access to voter registration details, driver and car licenses, marriage, birth, and death certificates. They may gain access to financial information if online payments are supported. The wealth of information means cybercriminals can sell information for identity theft or create false identities.
Municipal budgets need to expand beyond virus detection software. They need to include infrastructure upgrades and added insurance coverage for cyberattacks. Unfortunately, these budgetary increases mean increased taxes for many residents.
Security breaches call into question the efficacy of government. Individuals become disgruntled over higher taxes or identity theft. Compensation costs for identity theft can be significant as can the expenditures to recover from an attack. When increased insurance premiums are added to the budget, local governments are faced with difficult decisions.
What Can Be Done to Prevent More Municipal Hacks?
State and local governments need to develop a cybersecurity plan that addresses the capabilities of today’s cybercriminals. Virus detection and firewalls are not enough to keep bad actors out.
Given that many municipalities lack security expertise, they need to partner with experienced IT security consultants to help evaluate and develop a strategy to minimize the risk of a successful attack. Working with such experts can significantly minimize costs while acquiring security expertise to protect critical digital assets.
