City of Flint - Pwned Hard

by lg0p89

Most people are familiar with the city of Flint (Michigan) due to its water issues over the years.  When you tell people you're from the Flint area, you get the look.  That's a story for another day.  The city of Flint, even though the population base has been decreasing along with the tax base, has a population of approximately 80,000 people.

With the lowered tax base comes the budget issues, which trickle down to the departments, including IT and security.  This provides for a softer target for the adversaries.

Attack

A few years ago, Genesee County (where the city of Flint is located) had an issue when they were on the receiving end of a completely successful ransomware attack.  It appears this time around it was the city of Flint's turn to test their incident response plan.

The city was attacked with ransomware, which compromised their systems.  And, oh my, did it ever!  The attack began early in the morning on Wednesday, August 14, 2024.  The penetration's extent into the system indicates the adversaries' plan was thorough and well-engineered.  It's almost as if they had their well-used game plan and just followed it step-by-step.  The adversaries removed the phone system and Internet, including the email the staff used to communicate and collaborate.  As a byproduct, the attack also removed the citizens' ability to conduct business with the city.

Effects

This was a big deal for the city.  They saw the county deal with a similar issue years prior.  With that issue, there was intense disruption to city services, along with Internet and internal network outages.  The city was not able to accept payments online due to the credit systems not being operable.  The phones and computers were likewise not operable.  The mapping services were not available.  If this wasn't bad enough, even a portion of their emails was lost.  On a slightly positive note, some of the staff still had access to their email.  Other services not affected and still operating were 911, dispatch, law enforcement, fire operations, garbage collection, and street maintenance.  They were able to accept cash or check payments for water, sewer, and tax charges.

Actions

The city of Flint followed the usual playbook and contacted the FBI.  In addition, the State of Michigan Attorney General was contacted.  The city also contracted with cybersecurity experts for the investigation and forensic work.

Review

There was no timeline for restoration.  The groups were "...working hard to resolve the issue."  After days, they were able to start getting the systems up and running.

In reading through the published articles, this feels like the standard, old-fashioned successful phishing attack.  The compromised account would act perfectly as the pivot point into the network.  This is another example of why the staff needs phishing training, not once a year for compliance, but throughout the year to build up their identification skills.  I know this won't be absorbed by most; however, this regular training is important.  The repeated message starts to sink in after the third exposure.
