The situation surrounding the early morning breach March 22 remains somewhat “fluid,” and three federal agencies — the Secret Service, the Department of Homeland Security and the FBI — are continuing to work with the city and incident response teams from Cisco and Microsoft, the mayor said.
That said, systems including watershed management and water quality; public safety and emergency response; human resources, payroll and procurement; 311 and the Hartsfield-Jackson Atlanta International Airport were not significantly impacted by the attack — though some processes have been altered out of caution.
Notably, an airport spokesman told The Associated Press that its Wi-Fi network had been taken down, and parts of its website temporarily disabled. During the March 23 press conference, which was livestreamed on Twitter, Chief Operating Officer Richard Cox said water meter sales are not currently being processed.
Municipal court defendants arrested by the Department of Corrections will be seen Sunday with manual tickets, the COO continued, and for the time being there will be no online ticket payments. However, Cox said, no “failure to appear” notices will be created “for cases generated during this time,” should confusion arise as a result of any service disruptions.
The Atlanta Journal-Constitution’s John Spink obtained a photograph of an informational handout given to City Hall employees arriving to work on March 23. It described the incident as a “data breach,” warned staffers not to log on to their computers and indicated Atlanta will be “implementing a new employee notification system” to alert them to “critical work-related information.”
The mayor, Cox, and acting Chief Information Officer Daphne Rackley emphasized that while many systems are operational, there were areas and details about the ongoing investigation which they would not discuss.
“We’re working on this in real time, and what that means is information changes really dynamically. We want to be very careful not to make definitive statements because there’s a chance that they may change,” Bottoms said.
Rackley echoed the mayor’s comment, pointing out that the probe is still very much active.
“Again, we’re in deep investigation and incident management mode so we don’t have any details that can be released, but as was articulated by the mayor and the COO, we feel confident that we’re doing the right things and will continue to be transparent,” Rackley said.
Asked whether the attack was ongoing or if it had been stopped, Rackley said: “We’re still in incident management mode, which means that we’re still on the look-out that other threat vector management systems aren’t being compromised. We’re looking at the perimeter, so we’re looking at the network and our customer-facing systems as well as our internal systems.”
The attack, however, has been described by media outlets including Atlanta NBC affiliate WXIA-TV as involving a ransom demand. In an interview on March 22 with Government Technology, Kennesaw State University Professor Andrew Green, who lectures on information security and assurance, said he reviewed screengrabs of information the TV station said it obtained from a “city employee,” and which called for a ransom to be paid in bitcoin.
The demand, Green said, amounted to .8 bitcoins per individual system or device, or 6 bitcoins for a mass encryption key — the latter, equating to around $50,000 based on then-current exchange rates.
Based upon his review of the information, Green said the attack could be based on a virus from the Samas or SAMSAM family, which dates at least to 2015 and, like typical ransomware, encrypts portions of a disc.
When asked whether the city will pay a ransom demand, Bottoms said: “We are continuing to work with our federal partners and other stakeholders who are advising us on how best to manage” the situation.
“This is a very fluid situation and we want to make sure that we are operating in a way that would be best for the city,” the mayor added.
As for when services may return to normal, Rackley indicated the agency is erring on the side of caution. “I can’t give you any definitive timelines, but I will tell you we’re working around the clock,” Rackley said.
Cyberattacks, Bottoms said, are a “threat to our national security” that is “happening across the world” to the public and private sector.
Asked when the city had last performed a full cyberthreat assessment, and whether the breach might highlight deficiencies that originated in the previous administration, she pointed out the necessity of repeating such metrics and the newness of the current incident.
“Even with every upgrade we do, there’s still a threat ahead of us that needs to be addressed. We’ve not done the autopsy, if you will, because right now, we have an immediate threat in front of us that we are addressing. I think we are well aware that there are system upgrades that are needed in the system,” Bottoms said.