Kevin Gunn, the city’s chief technology officer, said hackers gained access to a municipal website that facilitates maintenance work orders for the city’s transportation, public works, parks and recreation and property management departments. He said the data did not come from the city’s “public-facing intranet website.”
Gunn said in a briefing that officials have found “no indication that there has been sensitive information” released. Officials attributed the attack to a threat actor group known as SiegedSec.
The hack comes almost two months after the city of Dallas was targeted in a ransomware attack.
Here’s what we know:
How did the city officials find out about the attack?
According to Gunn, officials were informed about 4 p.m. Friday by a state agency — the Texas Department of Information Resources — about a post from a group that claimed to have gained access to the city’s data.
Gunn said the post provided links to copies of the data, and the city confirmed the information originated from their computer systems.
The group’s statement was posted on the Telegram messaging app and also shared on Twitter.
What was targeted?
Officials said hackers gained access to a city website that facilitates maintenance orders for several city departments.
Gunn said hackers downloaded file attachments to work orders within the system:
“And those attachments include things like photographs, spreadsheets, invoices for work performed, emails between staff, PDF documents and other related materials for work orders.”
He said the information is not sensitive in nature and “by and large” what officials would release in a public records request.
As of Saturday, officials said they do not believe any other systems were accessed or that any sensitive data, such as Social Security numbers, credit card or banking information, was accessed or released.
Gunn said officials are reviewing the volume of information to make sure they understand the scope and depth of the attack on the website.
How did hackers gain access to the city website?
According to Gunn, it appears the threat actors have stolen login information to gain access to the website.
Officials do not know how they did so.
Some of the possible methods include: credential stuffing (testing databases or lists of stolen credentials), phishing (sending a phony link or attachment), password spraying (testing common passwords), keylogging (recording the strokes a person types on their keyboard) or brute force (a trial-and-error approach to crack passwords).
The best protection against a person stealing login credentials is multifactor authentication, said Brett Callow, a threat analyst with the cybersecurity firm Emsisoft.
Callow said using MFA is the single biggest thing any organization can do to reduce the likelihood of these attacks.
“If you don’t have two-factor authentication on these things or multifactor authentication, that’s all I need is that username and password,” Jess Parnell, vice president of security operations with Virginia-based cybersecurity company Centripetal Networks, said in May. “It’s unfortunate, but I only have to be right one out of like thousands of user accounts and they’re in.”
Officials did not say whether the website’s users used two-factor or multifactor authentication. Gunn said that once officials became aware of the attack, the IT department isolated the system and removed it from the external intranet. He added that officials have forced all of the system’s users to reset their passwords.
Who is SiegedSec and what did they say in their post?
SiegedSec labels itself as a “hacktivist” group that formed in February 2022, according to the dark-web monitoring firm DarkOwl.
According to DarkOwl, there is no indication the group uses ransomware nor has it attempted to sell data it steals. Gunn said no ransom has been demanded from the city of Fort Worth, and officials have not detected any encryption of files.
In a June 2022 post, the firm said the group appears motivated “by the sheer fun of the experience, the potential clout gained by publicly mocking organizations with insufficient information security controls.”
Last year, the group said it leaked 8 gigabytes of data from state governments in Arkansas and Kentucky in protest against the states’ efforts to enact abortion bans following the Supreme Court ruling in a case which overturned Roe v. Wade. In February, the group leaked data on Telegram that it claimed to have stolen from Australian software giant Atlassian, according to reporting from TechCrunch.
In the post to the city of Fort Worth, the group said it is targeting Texas because of the state’s stance on gender-affirming care. Earlier this month, Gov. Greg Abbott signed Senate Bill 14, banning such medical care for minors.
“Their boasting alludes to basically embarrassing the city of Fort Worth and making a political statement,” Gunn said.
Reyne Telles, the city’s chief communications officer, said in the briefing that officials don’t know anything else about what the group’s motivations may be.
“Their motivations may not be what they seem to be,” Callow said. “We really have no clue as to who these people are, or what they attempt to achieve.”
Although the group presents itself as a hacktivist operation, he said, speaking generally, “it’s equally possible though that they are simply seeking to create discord.”
© 2023 The Dallas Morning News. Distributed by Tribune Content Agency, LLC.