In 2017, Newark’s computer system was hijacked by a group of hackers from halfway across the world, shutting down municipal services. Officials were given just seven days to come up with $30,000 in Bitcoin or they could kiss the city’s encrypted computer files goodbye.
They paid the ransom.
Cybercrime continues to explode nationwide, according to the Federal Bureau of Investigation’s most recent internet crime report. Last year, federal authorities received more than 350,000 complaints involving internet-based fraud, an increase of 16.7 percent over the previous year. Victim losses across the country in 2018 related to cybercrime totaled $2.71 billion.
In New Jersey, more than 8,400 victims across the state — including businesses, individuals, and government agencies — reported overall cybercrime losses last year of $79.7 million, making the state ninth in the nation for such high-tech theft, the FBI reported.
While much of that involved scams against individuals, businesses and Fortune 500 companies, the masters of the dark web have also been targeting your local tax collector’s office. Dozens of municipal government agencies in New Jersey have been victimized by hackers over the past two years, but have been reluctant to make those attacks public, officials say.
John Cohen, a senior expert on global threats for the Argonne National Laboratory and a professor at the Georgetown University Security Studies Program, said local governments remain easy targets for cyber criminals.
“Their systems remain vulnerable due insufficient security and local governments continue to pay the criminals,” Cohen said. “Until localities change their practices in the regard, they will continue to be targeted.”
In New Jersey, the state’s Office of Homeland Security and Preparedness said it has been tracking the threat of ransomware since 2015 and officials said municipal governments have long been in the mix.
“Many cyber-threat actors are just looking for low-risk targets and something they can monetize,” said Jared Maples, who heads the state agency. “The availability of hacking tools and the increasing number of unsecured internet-connected devices reduces the need for extensive technical skills to carry out successful cyberattacks.”
Officials at the Municipal Excess Liability Joint Insurance Fund, which helps insure public entities across the state, said they have seen a 540% increase in cyber attacks on local government agencies since 2013. About 80 events have been reported over that time, but officials with the fund said they were aware of 50 others that were never formally reported.
“Nobody wants to acknowledge they’ve been victimized,” said Marc Pfeiffer, assistant director of the Bloustein Local Government Research Center at Rutgers University, of the radio silence. Nobody is going to call a press conference to announce someone made off with taxpayer funds, he said.
Maples, meanwhile, believes that what is happening is only going to get worse.
“Cyberspace is a complex, diverse, and fluid security environment with real, persistent, and evolving threats,” he said. “The impacts of cyberattacks will increase as we enter into an era of autonomous systems, artificial intelligence, smart cities, hyper-connectivity, and the convergence of cyber-physical systems and devices.”
Morphing Schemes
While many of the high profile cybercrime cases that have come to light in recent years have involved ransomware, where malicious software delivered by a link that should never have been clicked is used to corrupt and encrypt computer files, that is only one of many weapons commonly employed. According to the FBI, the attack tactic most gaining favor these days is known as Business Email Compromise, or BEC, which targets those who use wire transfers.The BEC scam works by compromising the email of corporate executives — and sometimes of municipal officials involved in finance — and seeks to redirect wire transfers meant for suppliers or financial institutions to fraudulent accounts both here and abroad.
Earlier this year, Lawrence Espaillat, 41, of Clifton pleaded guilty in connection with a BEC scheme to steal more than $1 million from corporate victims and individuals. Authorities said Espaillat and others incorporated sham businesses and created email addresses, which mimicked but differed slightly from legitimate email addresses of supervisory employees at various companies. Emails from those sham accounts were then used to send what appeared to be requests for payment of legitimate invoices or debts owed by the victims.
Last year in New Jersey, according to state municipal finance officials, at least one unnamed municipality was sent wiring instructions by such a compromised email to change its bond anticipation note payments from what appeared to be one reputable banking institution to another. They sent $40,000 to the other account, which was fraudulent.
In August 2018, the FBI said received a complaint filed on behalf of another New Jersey town that fell victim of another BEC scam, transferring more than $1 million into the fraudulent account. Michael Doyle, an FBI supervisory special agent in New Jersey, would not identify the town, but said the money was recovered through a “financial fraud kill chain” that moves to quickly freeze funds and recall a wire transfer if they are alerted without delay.
Noting the explosion in BEC complaints nationally, Doyle said the nature of cybercrime is changing. More than $1.2 billion in losses were attributed last year to just on compromised business email scams.
“It dwarfs everything else,” the FBI agent said — far more than the $362 million lost to victims in confidence or romance fraud.
Yet while ransomware complaints do not top the list of cybercrime complaints, Doyle suspects what happened in Newark may be happening more than is being reported to authorities. How the money is taken has also morphed, he added, with the use of “money mules” in the United States who act — sometimes unwittingly — as a go-between, so that suspicions are not raised by having money directly wired overseas.
“It used to be jumping out of the country immediately,” Doyle said. Now, potential victims might think it suspicious to be told to send money to an account in Hong Kong. These days, money may be wired through a series of destination points before in lands in somebody’s pocket.
Last November, two Iranian men were indicted in connection with an international wave of ransomware attacks that shut down Newark’s computer systems, and led to the city’s payment of $30,000 to regain control of the city’s electronic files. Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri where charged with running what officials called “an extreme form of 21st century digital blackmail.”
Both men remain at large.
Doyle said cybercrime is still far more likely to target big companies than town hall. Usually municipalities don’t have that kind of money. There’s no revenue stream.
Still, the problem for local government is growing, officials here say.
David N. Grubb, executive director of the Municipal Excess Liability Joint Insurance Fund in Parsippany, said the impact is not insignificant.
“When a municipality gets hit by one of these things, can’t quantify the disruption that occurs. There are things that can’t happen when you are trying to get the system up and running. There is a reputational cost,” he said. It can get residents quite upset.“
A spokeswoman for Newark said the city has made numerous changes and improvements to defend against similar attacks, including improvements to infrastructure, training as well as following professional recommendations that identified security gaps.
“While no amount of preparation protects any organization 100%, the city is in a much better position to thwart similar events,” said the spokeswoman, Crystal Rosa.
At the same time, she said the city is constantly being being targeted.
“Measures put in place, actions following the prior ransomware event, have identified attempts and been successful to date from any in-depth intrusion,” she said.
With three dozen or more New Jersey municipalities the victims of successful hacker attacks in just the last two years, Pfeiffer said local officials are paying more attention, and like Newark, said that the electronic systems of every municipality in the state are under attack daily. Most municipalities now have cyber insurance, he added.
But technology requires management, and that requires time and money.
“There are two things you cannot be without in managing technology,” he said. “You have to have somebody you trust advising you on technology. And you have to have a sound backup plan.”
©2019 NJ Advance Media Group, Edison, N.J. Distributed by Tribune Content Agency, LLC.