With paper and phones, Atlanta struggles to recover from cyber attack

By Laila Kearney

ATLANTA (Reuters) – Atlanta’s top officials holed up in their offices on Saturday as they worked to restore critical systems knocked out by a nine-day-old cyber attack that plunged the Southeastern U.S. metropolis into technological chaos and forced some city workers to revert to paper.

On an Easter and Passover holiday weekend, city officials labored in preparation for the workweek to come.

Police and other public servants have spent the past week trying to piece together their digital work lives, recreating audit spreadsheets and conducting business on mobile phones in response to one of the most devastating “ransomware” virus attacks to hit an American city.

Three city council staffers have been sharing a single clunky personal laptop brought in after cyber extortionists attacked Atlanta’s computer network with a virus that scrambled data and still prevents access to critical systems.

“It’s extraordinarily frustrating,” said Councilman Howard Shook, whose office lost 16 years of digital records.

One compromised city computer seen by Reuters showed multiple corrupted documents with “weapologize” and “imsorry” added to file names.

Ransomware attacks have surged in recent years as cyber extortionists moved from attacking individual computers to large organizations, including businesses, healthcare organizations and government agencies. Previous high-profile attacks have shut down factories, prompted hospitals to turn away patients and forced local emergency dispatch systems to move to manual operations.

Ransomware typically corrupts data and does not steal it. The city of Atlanta has said it does not believe private residents’ information is in the hands of hackers, but they do not know for sure.

City officials have declined to discuss the extent of damage beyond disclosed outages that have shut down some services at municipal offices, including courts and the water department.

Nearly 6 million people live in the Atlanta metropolitan area. The Georgia city itself is home to more than 450,000 people, according to the latest data from the U.S. Census Bureau.

City officials told Reuters that police files and financial documents were rendered inaccessible by unknown hackers who demanded $51,000 worth of bitcoin to provide digital keys to unlock scrambled files.

“Everything on my hard drive is gone,” City Auditor Amanda Noble said in her office housed in Atlanta City Hall’s ornate tower.

City officials have not disclosed the extent to which servers for backing up information on PCs were corrupted or what kind of information they think is unrecoverable without paying the ransom.

Noble discovered the disarray on March 22 when she turned on her computer to discover that files could not be opened after being encrypted by a powerful computer virus known as SamSam that renamed them with gibberish.

“I said, ‘This is wrong,’” she recalled.

City officials then quickly entered her office and told her to shut down the computer before warning the rest of the building.

Noble is working on a personal laptop and using her smartphone to search for details of current projects mentioned in emails stored on that device.

Not all computers were compromised. Ten of 18 machines in the auditing office were not affected, Noble said.

OLD-SCHOOL ANALOG

Atlanta police returned to taking written case notes and have lost access to some investigative databases, department spokesman Carlos Campos told Reuters. He declined to discuss the contents of the affected files.

“Our data management teams are working diligently to restore normal operations and functionalities to these systems and hope to be back online in the very near future,” he said. By the weekend, he added, officers were returning to digital police reports.

Meanwhile, some city employees complained they have been left in the dark, unsure when it is safe to turn on their computers.

“We don’t know anything,” said one frustrated employee as she left for a lunch break on Friday.

FEEBLE

Like City Hall, whose 1930 neo-Gothic structure is attached to a massive modern wing, the city’s computer system is a combination of old and new.

“One of the reasons why municipalities are vulnerable is we just have so many different systems,” Noble said.

The city published results from a recent cyber-security audit in January, and had started implementing its recommendations before the ransomware virus hit. The audit called for better record-keeping and hiring more technology workers.

Councilman Shook said he is worried about how much the recovery will cost the city, but that he supports funding a cyber-security overhaul to counter future attacks.

For now his staff are temporarily sharing one aging laptop.

“Things are very slow,” he said. “It was a very surreal experience to be shut down like that.”

Mayor Keisha Lance Bottoms, who took office in January, has declined to say if the city paid the ransom ahead of a March 28 deadline mentioned in an extortion note whose image was released by a local television station.

Shook, who chairs the city council’s finance subcommittee, said he did not know whether the city is negotiating with the hackers, but that it appears no ransom has been paid to date.

The Federal Bureau of Investigation, which is helping Atlanta respond, typically discourages ransomware victims from paying up.

FBI officials could not immediately be reached for comment. A Department of Homeland Security spokesman confirmed the agency is helping Atlanta respond to the attack, but declined to comment further.

Hackers typically walk away when ransoms are not paid, said Mark Weatherford, a former senior DHS cyber official.

Weatherford, who previously served as California’s chief information security officer, said the situation might have been resolved with little pain if the city had quickly made that payment.

“The longer it goes, the worse it gets,” he said. “This could turn out to be really bad if they never get their data back.”

(Reporting by Laila Kearney; additional reporting by Jim Finkle; editing by Daniel Bases and Jonathan Oatis)

U.N.’s North Korea sanctions monitors hit by ‘sustained’ cyber attack

By Michelle Nichols

UNITED NATIONS (Reuters) – United Nations experts investigating violations of sanctions on North Korea have suffered a “sustained” cyber attack by unknown hackers with “very detailed insight” into their work, according to an email warning seen by Reuters on Monday.

The hackers eventually breached the computer of one of the experts on May 8, the chair of the panel of experts wrote in an email to U.N. officials and the U.N. Security Council’s North Korea sanctions committee, known as the 1718 committee.

“The zip file was sent with a highly personalized message which shows the hackers have very detailed insight into the panel’s current investigations structure and working methods,” read the email, which was sent on May 8.

“As a number of 1718 committee members were targeted in a similar fashion in 2016, I am writing to you all to alert you to this heightened risk,” the chair of the panel of experts wrote, describing the attack as part of a “sustained cyber campaign.”

A spokesman for the Italian mission to the United Nations, which chairs the 1718 sanctions committee, said on Friday that a member of the panel of experts had been hacked.

No further details on who might be responsible were immediately available.

North Korea’s deputy United Nations envoy said on Friday “it is ridiculous” to link Pyongyang with the hacking of the U.N. panel of experts or the WannaCry “ransomware” cyber attack that started to sweep around the globe more than a week ago.

Cyber security researchers have found technical evidence they said could link North Korea with the WannaCry attack.

Reuters reported on Sunday that North Korea’s main spy agency has a special cell called Unit 180 that is likely to have launched some of its most daring and successful cyber attacks, according to defectors, officials and internet security experts.

The U.N. Security Council first imposed sanctions on North Korea in 2006 and has strengthened the measures in response to the country’s five nuclear bomb tests and two long-range rocket launches. Pyongyang is threatening a sixth nuclear test.

A second email by the U.N. sanctions committee secretary to the 15 Security Council members on May 10 said the U.N. Office of Information and Communications Technology was “conducting an analysis of the affected hard drive.”

“Increased vigilance relating to 1718 Committee-related correspondence is therefore advised until data analysis and related investigations are completed,” the email read.

(Reporting by Michelle Nichols; Editing by Alistair Bell)