https://www.cbc.ca/news/canada/new-brunswick/cyber-security-saint-john-1.5803298
Cleanup from Saint John cyberattack could last months, says cyber security expert
'If they can get it ... running in a normal capacity in the next couple of months, I'll be amazed'
CBC News · Posted: Nov 16, 2020 10:45 AM AT
Saint John announced Sunday that it was the victim of a 'significant' cyber attack. (Martchan/Shutterstock)
A cyberattack on a municipality never comes at a good time, but a cyber security expert says the attack on Saint John's internet infrastructure comes at a particularly bad time.
On Sunday, the city announced there'd been a "significant" cyberattack, which forced it to shut down several online services, including payment systems, email and the city's website.
David Shipley, the CEO of Beauceron Security, a New Brunswick-based cybersecurity firm, said the city has a long road ahead of it after the cyberattack, one complicated by the COVID-19 pandemic.
"You've got to figure out in a pandemic how you're going to be able to check all these computers and thoroughly assess if they're safe to go back on the network," Shipley said Monday.
"With a sophisticated attack, and this looks to be among the ranks of very sophisticated attacks, you're going to have to almost completely reset everything in order to be sure that the system you're rebuilding from the ground up is trustworthy."
The city has advised people who may have used its online services to check their bank accounts and credit cards for suspicious activity.
Russian origins suspected
While there has been no official word on who may be behind the attack, Shipley said the modus operandi fits that of similar attacks caused by groups connected to Russian organized crime.
This includes groups using a type of ransomware, Ryuk, which Shipley said is responsible for 30 per cent of similar attacks in recent months.
He said the Saint John cyberattack is the first major one on a New Brunswick municipality, but there have been others in Canada.
It is unclear whether the Saint John problem falls under the category of a ransomware attack, in which the group or person doing the attacking asks for money to restore the system.
Cleanup of the Saint John attack will involve checking all computers and thoroughly assessing whether they're safe to go back on the network, says David Shipley, the CEO of Beauceron Security, a New Brunswick-based cybersecurity firm. (Jonathan Collicott/CBC)
"Ransomware has been an issue," said Shipley.
"We saw three Ontario cities in 2019 go down to it. To my knowledge, Saint John may be the largest Canadian city to go down to ransomware attack, but we've seen far larger cities, like Atlanta, go down to sophisticated attacks similar in nature to this."
Shipley said this is becoming a growing problem. Some cities and organizations are choosing to pay the ransom, while others refuse.
To pay, or not to pay
While paying a ransom may quickly solve the immediate access issue, it raises several concerns.
"Number one, you don't know if you actually pay it [if] it'll work," said Shipley.
"Number two, these criminal groups will recycle that money … it's problematic because you're fuelling that organized crime. And third, many of these groups are under U.S. sanctions, and so paying ransoms may trigger certain unhealthy international relations between Canada and the U.S."
Shipley said the Saint John attack is the first major cyber attack on a New Brunswick municipality, but there have been others in Canada. In the U.S., Atlanta is among the cities that were attacked and spent months recovering. (Shutterstock / vchal)
Shipley said regardless of the specifics of the attack, the cleanup for the city will last weeks if not months.
"If they can get it up, back up and running in a normal capacity in the next couple of months, I'll be amazed," he said.
"I mean, we look at Atlanta. It took them from March to June to get everything back up and running."
With files from Information Morning Saint John
https://www.cbc.ca/news/canada/new-brunswick/city-silent-after-cyber-attack-1.5803998
Saint John city hall silent on cyberattack details
Experts say it has the hallmarks of a ransomware attack
CBC News · Posted: Nov 16, 2020 6:02 PM AT
Vicky Buchan said $3,000 was etransferred from her bank account while she slept early Monday morning. (Submitted by Vicky Buchan)
When Vicky Buchan woke up for work at 3 a.m. on Monday, cyber thieves had already transferred $3,000 out of her account.
Because she's made online payments to the City of Saint John, she believes she's part of the recent cyberattack on the city.
Although the money isn't back in her account yet, her bank assures her that it will be within three to five days. If she hadn't caught it so quickly, she was told, it could have taken longer to get it back — if she got it back at all.
And she wouldn't have caught it so quickly if she hadn't gotten up for the early shift at the gym she owns, Port City Training and Fitness.
Buchan believes the cyber thieves deliberately acted in the middle of the night.
"Oh, 100 per cent deliberate. It's the best likelihood that you're going to be asleep, so that they are long gone by the time you get up and hopefully they get away with it, right?"
At 1 a.m., she received a message from her bank, alerting her that the security questions had been changed. By the time she got up two hours later, the money had been transferred from her business account to her chequing account and then etransferred elsewhere.
Buchan said her bank told her that because she caught it so quickly, the money was still being "held" and hadn't been transferred to the thieves' account.
But while the timing is suspicious, it may be a coincidence, say cyber security experts.
They say Saint John's attack appears to be a ransomware attack.
Essentially, someone breaks into a computer system, encrypts all of the data and then offers to sell you a key to unlock all of your data, explains Mike Smit, an associate professor in Dalhousie University's school of information management.
Mike Smit, an associate professor in Dalhousie University’s school of information management, says Saint John's cyberattack has all the hallmarks of a ransomware attack. (Submitted by Mike Smit)
But Buchan's experience is a good reminder for people to check their accounts often, said Smit.
Brett Callow, a threat analyst with the British Columbia firm Emsisoft, agrees that Saint John is likely dealing with ransomware.
"Based on the limited amount of information made available, it certainly appears to have all the hallmarks of a ransomware attack," he said.
"It really is the worst possible time for a city to be hobbled by ransomware. The need for staff to be able to work remotely and for the public to be able to access services remotely makes it critical that IT systems and online portals are available."
City officials not talking
City officials, meanwhile, aren't talking about the cyberattack. Several calls to various city departments, including to Mayor Don Darling, went unanswered or unreturned on Monday.
CBC News was told the mayor would not be granting any interviews and that any updates would be issued through social media.
On Monday at about 5:30 p.m., the city tweeted to say it "has been working around the clock to contain the attack and mitigate any current and future risks to the municipality.
"The response was immediate, and remains in the best interest of the City and residents. Pertinent updates will continue to be provided to the media and public as more information becomes available," the city said.
The city also said it wants to ensure it doesn't release too much information, "including information on the effectiveness of the attack, the systems affected, and success of our containment efforts.
"Providing this level of detail would be beneficial to the attacker as they could attempt further attacks; it would also provide valuable information to potential copycat hackers; and could compromise investigative efforts."
The city said it continues to work with a number of partners "to help manage any risks."
Not us, says parking app
The online parking app HotSpot was quick to separate itself from the recent cyberattack. In a Twitter post sent Monday morning, the company said, "The cyberattack that has impacted the City of Saint John has not compromised HotSpot's customer information or data."
In December 2018, another cyber breach exposed the names and credit card information of thousands of the city's parking customers.
Big business
Smit said cyberattacks are a profitable business. He said tracing payments through bitcoins has revealed hundreds of millions of dollars in ill-gotten gains for cyber criminals last year.
Although there are many players internationally, he said such schemes usually roll out "pretty consistently."
They'll identify a target and then look up all of the publicly available email addresses.
"And they'll run some fairly sophisticated, targeted phishing attack, where they try to get the receiver of the email to click a link in that email."
Clicking on that link compromises the computer and alerts someone that an entry has been made.
"At that point, a human takes over and accesses that system and just starts to poke around."
Smit said the person who takes over starts looking for passwords and possible entry points into bigger and more valuable targets.
Most often, the process stops there, "but sometimes they get lucky," said Smit.
Sometimes they find access into bigger systems. Once there, the intruders find out what's available and usually run in one of two directions.
They can either go after personal financial information and try to steal smaller sums, or, usually in cases of larger organizations or governments, they can shut the whole system down and go after a ransom.
Smit said organizations usually find out that they've been attacked when their systems go down or they find a ransom note.
Andrei Barysevich, CEO of Gemini Advisory, a Florida-based cyber intelligence company, said the ransom demanded of governments usually falls in the range of $50,000 to $250,000 US, although there have been some as high as several million.
He said cyber attackers want to make the amount tempting for the victims, so the amount is tailored to the specific circumstances of the organization targeted.
Barysevich said cyber criminals have been busy during the pandemic and may have found more success with so many employees working from home.
He said it's a "very common attack vector" to target people on their personal computers and then try to gain access to the employer's system.