Cyber Attack Causes Problems for Fort Worth, Texas


(TNS) – The city of Fort Worth is investigating the extent of the attack on its systems after one of its websites was hacked, officials said Saturday.

Kevin Gunn, the city’s chief technology officer, said hackers gained access to a municipal website that facilitates maintenance work orders for the city’s departments of transportation, public works, parks and recreation and property management. He said the data did not come from the city’s “public-facing intranet website.”

Gunn said at a briefing that officials found “no indication that sensitive information was released.” Officials attributed the attack to a threat group known as SiegedSec.

The hack comes nearly two months after the city of Dallas was the target of a ransomware attack.

Here’s what we know:

How did city officials find out about the attack?

According to Gunn, officials were notified about 4 p.m. Friday by a state agency — the Texas Department of Information Resources — about a post by a group that claimed to have gained access to city data.

Gunn said the post included links to copies of the data, and the city confirmed the information came from its computer systems.

The group’s statement was posted on the Telegram messaging app and was also shared on Twitter.

What was targeted?

Officials said hackers gained access to a city website that facilitates maintenance orders for several city departments.

Gunn said the hackers downloaded file attachments for work orders within the system:

“And those attachments include things like photos, spreadsheets, invoices for work performed, emails between staff, PDFs and other related work order materials.”

He said the information was not of a sensitive nature and “basically” what officials would release in a public records request.

As of Saturday, officials said they do not believe any other systems were accessed, and they have found no evidence that sensitive data, such as Social Security numbers, credit card or bank information, was accessed or released.

Gunn said officials are reviewing the amount of information to make sure they understand the scope and depth of the attack on the website.

How did the hackers gain access to the city’s website?

According to Gunn, it appears that the threat actors stole login information to access the website.

Officials don’t know how they did it.

Some possible methods include: credential stuffing (testing a database or list of stolen credentials), phishing (sending a fake link or attachment), password spraying (testing common passwords), keylogging (recording the strokes a person types on their keyboard), or brute force (a trial-and-error approach to cracking passwords).

The best protection against someone stealing login credentials is multifactor authentication, said Brett Callow, a threat analyst at cybersecurity firm Emsisoft.

Callow said using MFA is the biggest thing any organization can do to reduce the likelihood of these attacks.

“If you don’t have two-factor authentication for these things or multi-factor authentication, that’s all I need is a username and password,” Jess Parnell, vice president of security operations at Virginia-based cybersecurity firm Centripetal Networks, said in May. “It’s unfortunate, but I must be just one of thousands of user accounts and they are there.”

Officials did not say whether users of the website used two-factor or multi-factor authentication. When the IT department learned of the attack, Gunn said, it isolated the system and removed it from the external intranet. He added that officials have forced all of its users to reset their passwords.

Who is SiegedSec and what did they say in their post?

SiegedSec calls itself a “hacktivist” group that was formed in February 2022, according to dark-web monitoring company DarkOwl.

According to DarkOwl, there is no indication that the group uses ransomware or has tried to sell the data it steals. Gunn said no ransom was demanded from the city of Fort Worth, and officials did not discover any file encryption.

In a June 2022 announcement, the firm said the group appeared to be motivated by “the sheer fun of the experience, the potential influence gained by publicly ridiculing organizations with insufficient information security controls.”

Last year, the group said it leaked 8 gigabytes of data from state governments in Arkansas and Kentucky to protest state efforts to ban abortions following the Supreme Court’s ruling in the case that overturned Roe v. Wade. In February, the group leaked on Telegram data it claimed to have stolen from Australian software giant Atlassian, according to a report by TechCrunch.

In its post about the city of Fort Worth, the group said it was targeting Texas because of the state’s stance on gender-affirming care. Earlier this month, Governor Greg Abbott signed Senate Bill 14, which bans such medical care for minors.

“Their bragging alludes to basically embarrassing the city of Fort Worth and making a political statement,” Gunn said.

Reyne Telles, the city’s communications officer, said at the briefing that officials don’t know anything else about what their motives might be.

“Their motives may not be what they appear to be,” Callow said. “We really have no idea who these people are or what they are trying to achieve.”

While the group presents itself as a hacktivist operation, he said, speaking in general terms, “although it’s equally possible that they simply want to create discord.”

© 2023 The Dallas Morning News. Distributed by Tribune Content Agency, LLC.
