A ransomware attack and data leak that hobbled Oakland's city services and exposed current and former city workers to possible credit card fraud has San Francisco on its toes.
“We are definitely at a higher alert now than we were before,” said Michael Makstman, head of San Francisco’s Office of Cybersecurity.
Makstman, whose office was formed last year, said cities are uniquely vulnerable to cyberattacks due to the wide range of services they provide compared with private companies, making their infrastructure more varied, complex and harder to defend.
“We fly planes, we build roads, we operate the largest trauma center on the West Coast,” Makstman said. “There’s no organization that has so many services and so much business technology.”
Makstman said there has been a “tsunami” of cybercrime in the last few years. He estimates that San Francisco now faces 30% more cyberattacks than it did at the onset of Covid three years ago, and noted that the federal government has warned of the potential for increased attacks since the Russian invasion of Ukraine.
Makstman said the cities of San Francisco and Oakland present lucrative opportunities for cybercriminals, especially those working for hostile nations or actors that have it in for the United States. He says they can make a big statement by hobbling a major U.S. city with complex cyber infrastructure, without provoking the kind of major federal response that a physical terror attack would likely cause.
“We find ourselves in this squishy middle, where we’re an attractive target,” Makstman said.
San Francisco faces hundreds of phishing attempts and attempts to access its network every day because city information such as worker email addresses is public, making it easy to mass-email malicious links to workers and have an unsuspecting person infect city systems with malware, according to Makstman. Malware is software designed to disrupt, damage or gain unauthorized access to a computer system.
“We face cyberattacks every day,” Makstman said. “If you put a computer out there, connected to the internet, within minutes, it will be compromised by a criminal organization. A lot of this stuff is automated. The cyber gangs are constantly scanning anything connected to the internet […] think of the scammers sending out phishing emails every day.”
When Makstman was asked for specifics on what the city was doing to battle cybercrime, he could not elaborate beyond saying that “technical adjustments” have been made.
“This is exactly what we wouldn’t want the bad guys to learn,” Makstman said.
Makstman said the city monitors the dark web to see if San Francisco or its vendors are being discussed by hacking groups or other bad actors to gauge the risk of an impending cyber attack.
The so-called dark web is not something you can access without a bit of technical know-how. It is usually reached through the Tor Browser, built on Tor (The Onion Router), which routes a user's traffic through several encrypted relays so that their location and identity cannot easily be traced by law enforcement or national security agencies.
“These people, they do talk to each other,” Makstman said.
The leak of Oakland city data is alarming, with city workers telling KTVU about suspicious credit card charges and others alleging they became victims of other forms of fraud after sensitive data was leaked and dumped online.
The City of Oakland released a statement on its website after the attack encouraging anyone who was a city employee after July 2010 to contact the city; the statement was last updated on March 8. Oakland was contacted for an update on the situation.
However, much of our data may already be out there on the dark web, according to cybersecurity experts.
“If you go through last year’s breaches, every phone network has been breached,” said cybersecurity analyst Dominic Alvieri. “Right there, you probably have about 90% of the population. All the big credit reporting agencies have been breached in the past few years, that takes us up to probably 97% [of the population] … Everybody’s data, I hate to say it, but more or less it's out there and accessible.”
Alvieri said that attacks like the one Oakland experienced are part of a rising wave of activity by ransomware groups such as Play, the group that has claimed responsibility for the February attack on the city.
“It’s a fairly new group; they leak a lot of data,” said Alvieri.
Data can also leak from other accounts, such as a streaming service or other subscription that collects your name, email, password and payment information, according to Garrett Thompson, a counterintelligence specialist at Binary Defense, an Ohio-based cybersecurity firm.
“If they happen to breach into Netflix, and you have a payment card on there, that would be a way that your payment information would be exposed,” Thompson said. “Also, if they have other info on you, they could reach out to you and extort you.”
Both Thompson and Alvieri said private individuals are less likely to face a major attack, since attacks are typically aimed at extorting money from organizations by encrypting their sensitive data and holding it hostage.
“With the larger groups, they tend to go after larger organizations with larger troves of data. But, as a drive-by tactic, individuals could become victims. They aren’t targeting people one-off, though,” Thompson said.
The Federal Bureau of Investigation, which works with cities to investigate cyberattacks, said the Russian invasion of Ukraine prompted it to warn companies and governments about an increased risk of cyberattacks.
“The number of complaints slightly dropped, but the potential financial loss increased dramatically. Some of this may be attributed to Russia's invasion of Ukraine,” the FBI’s San Francisco Field Office said in an email.
The FBI added that perpetrators of cybercrime can include countries, namely China, Russia, Iran and North Korea, as well as organized criminal groups, syndicates or people pursuing financial gain.
The Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency was contacted for comment.
Garrett Leahy can be reached at firstname.lastname@example.org