Description
The city of Columbus, Ohio, had its communication and digital services impacted for almost two weeks following a cybersecurity incident detected on July 18, 2024. City officials clarified that the incident was entirely unrelated to the CrowdStrike incident that occurred during the same period. Email services were completely down, and some computer services affecting public safety, utilities, and public health were also disrupted. Some resident-facing websites and services have been offline since the attack, but the city has assured area residents that 911 and 311 services were never impacted and remain fully operational. An investigation revealed that the city experienced a ransomware attack by an overseas threat actor. Fortunately, the attackers were unable to complete the attack, and the damage was contained thanks to the quick reaction of the city's IT department. It has yet to be determined whether any private information was compromised in the attack.
Identify Indicators of Compromise (IoCs)
The initial source of the attack was believed to be a city employee opening a malicious email and clicking an embedded link. Further investigation revealed that the attack stemmed from a zip file downloaded from an internal website. The city has not disclosed the exact indicators that alerted it to the attack.
Actions Taken
The most effective action taken by the city's IT department was disconnecting the network from the internet. This prevented the attackers from completing the encryption phase of the attack. Shortly after identifying the attack, the city engaged local law enforcement and brought in outside cybersecurity experts to begin the investigation. The FBI and Homeland Security became involved once the investigation confirmed that the threat activity was a ransomware attack. Both agencies confirmed that the threat actor is an active group credited with past attacks, though they have refrained from disclosing its specific identity.
Prevention
The city’s IT Department took the recommended action of disconnecting the internet from the local network. This decisive move disrupts the command-and-control capabilities of external threat actors, effectively cutting off their remote access and preventing them from downloading additional payloads or malicious code. Severing the internet connection ensures that attackers cannot manually proceed with the attack or make real-time adjustments to their strategy. This action also curtails any ongoing data exfiltration attempts and contains the attack within the local network.
While it may sound logical to shut down all servers, this is highly discouraged by cybersecurity experts for the following reasons:
- Rebooting the server can erase valuable forensic evidence stored in the volatile memory (RAM) that investigators will want to review.
- Rebooting the server may lock administrators out of the system entirely if the attack has modified any boot processes or credentials.
- Data restoration operations cannot be conducted on the server while it is shut down.
- A reboot could trigger additional malicious actions or payloads that can expand the attack.
Response efforts should be focused on containing the attack to prevent it from spreading to other areas of the organization. Once an attack is contained, cybersecurity professionals can work to mitigate the attack while investigators learn how the incident unfolded.
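As an added example (not from the article or from the city's IT department), the shell helper below applies the order this section argues for: snapshot volatile state first, then sever network access with an nftables ruleset that allows only loopback and the incident response team's subnet, leaving the host running so RAM evidence survives. The evidence directory path, the IR subnet and the `ir_isolation` table name are assumptions.

```shell
# Host containment helper (added example). Snapshot volatile evidence, then cut the
# network. The host is never rebooted: RAM contents, live sockets and any attacker
# firewall changes would be lost.

# Capture volatile state into an evidence directory (argument is an assumed path).
collect_volatile() {
    evidence_dir="$1"
    mkdir -p "$evidence_dir"
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$evidence_dir/collected_at.txt"
    uname -a > "$evidence_dir/host.txt" 2>/dev/null || true
    ps -ef > "$evidence_dir/processes.txt" 2>/dev/null || true
    # Live sockets record the command-and-control session that isolation is about to
    # sever, so they must be captured before the ruleset is applied.
    { ss -tunap 2>/dev/null || netstat -tunap 2>/dev/null || echo "no socket tool"; } \
        > "$evidence_dir/sockets.txt"
    # Existing firewall rules are evidence too (attackers sometimes add their own).
    nft list ruleset > "$evidence_dir/firewall_before.txt" 2>/dev/null || true
    # Hash the snapshot so later analysis can show it was not altered.
    (cd "$evidence_dir" && sha256sum -- *.txt > manifest.sha256 2>/dev/null || true)
    echo "$evidence_dir"
}

# Emit an nftables ruleset that drops everything except loopback and the IR subnet.
# No "ct state established accept": the attacker's live session is exactly what must
# be cut. The existing ruleset is not flushed; a drop in this table is final anyway.
build_isolation_ruleset() {
    ir_subnet="$1"
    cat <<EOF
table inet ir_isolation {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ip saddr $ir_subnet accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ip daddr $ir_subnet accept
    }
}
EOF
}

# Full sequence: evidence first, then isolation (applying needs root and nftables).
isolate_host() {
    evidence_dir="$1"; ir_subnet="$2"
    collect_volatile "$evidence_dir" > /dev/null
    build_isolation_ruleset "$ir_subnet" > "$evidence_dir/isolation.nft"
    nft -f "$evidence_dir/isolation.nft"
}
```

Run as `isolate_host /var/ir/evidence 10.20.30.0/24` with the real IR subnet; the snapshot and the applied ruleset both land in the evidence directory for the investigators.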