SF Muni hack contained. Next transit hack could be train wreck
The San Francisco transit system avoided paying a ransom and restored its
systems. But the hack shows US infrastructure is vulnerable.
File it under "Bad, but could have been worse."
The SF Municipal Transportation Agency fell victim to a hacking attack in
which someone or some group tried to extort about $73,000 from the transit
service in exchange for giving back control of its computer systems. Rather
than pay ransom, the agency, called Muni by locals, took back control after
three days.
While Muni was restoring its systems, cybersecurity experts ended up hacking
the transit hacker, poring through the servers and emails used by whoever is
behind the attack and sharing the information with reporters.
Hacks of public services and government systems are becoming routine. In
2015, a hack of the US Office of Personnel Management led to the theft of
data of more than 22 million federal employees. During the countdown to the
2016 US election, hackers accessed data on 200,000 Illinois voters from the
state's voter registration database.
With the hack on Muni, it's clear attacks on government-run infrastructure
are possible -- and the next hack on a transit agency could be much more
dangerous than this one was.
In fact, this might be the rare hack that doesn't turn into a PR disaster.
That's because Muni, which runs San Francisco's bus, light rail and trolley
car systems, had a backup of its system and no customer data was stolen.
Muni lost money by giving away free rides over the weekend, but it didn't pay
the 100 bitcoins in ransom demanded by a hacker or hackers calling themselves
"Andy Saolis." Instead, Muni restored its systems with help from the agency's
internal tech team.
What's more, the hack wasn't as bad as the hacker claimed in an email sent to
CNET and other news agencies, a Muni spokesman said. "Our customer payment
systems were not hacked," Muni said in a statement Monday. "Also, despite
media reports -- no data was accessed from any of our servers."
Thomas Pore, director of IT and services at cybersecurity company Plixer,
said the attack could have been "far worse" if Muni hadn't been able to
restore its systems from backup copies of its data. The attack also lost some
of its oomph because it didn't directly affect transit service in San
Francisco. Instead, the hacker locked out some Muni personnel from their
workstation computers and left the agency without access to some of its
systems over the weekend.
The attack started Friday and plagued the agency until Sunday night.
The so-called Saolis gave a different account of the attack, gloating about
his ability to compromise Muni systems. The hacker claimed Monday to have
stolen 30 gigabytes of Muni employee, customer and technical data, in
addition to hacking payment kiosks.
Saolis has been responding to questions sent to an email address registered
with Yandex.com, a Russian email service. The email address was displayed by
the attacker on Muni workstation screens.
In broken English, Saolis detailed these supposed achievements and said he
was showing the world how bad the cybersecurity at Muni is. "Welcome !" he
wrote in an email.
Saolis also provided a Bitcoin wallet in case anyone wanted to send a
donation in gratitude for his hack. Muni is the bad guy here, Saolis seemed
to insist.
"They give Your Money and everyday Rich more! But they don't Pay for IT
Security and using very old system's !" Saolis wrote in the email.
The fact that Muni was able to restore its systems from backups suggests the
agency is following the FBI's general recommendations for fighting this type
of attack. Called ransomware, the attack often gets victims to click on
malicious links, then downloads malicious software that scrambles up the
victim's data. Then hackers demand a ransom to get it back. Saolis reportedly
asked for 100 Bitcoin (about $73,000) in return for decrypting the agency's
systems.
Muni "never considered paying the ransom," the agency's statement said. Muni
doesn't yet have an estimate on how much money it lost by giving away free
rides over the weekend, said spokesman Paul Rose. He added that the
ransomware used to target Muni spreads through links in pop-up ads.
While Muni is looking smart right now for backing up its data and systems,
the hacker, it seems, has become the hacked.
Security writers Brian Krebs of KrebsOnSecurity and Thomas Fox-Brewster of
Forbes each reported Tuesday that a cybersecurity expert contacted them to
say they'd accessed the servers of the person behind the Muni hack. The
expert, who spoke with r