Late Tuesday afternoon, The Sun obtained an internal document sent to city employees by Chief Information Officer Mirán Fernandez that said, "There has been an online claim made by an online cyber criminal group ('Play') responsible for multiple high-profile cyber attacks throughout the Americas claiming the City of Lowell as one of their trophies/victims. MIS' focus is on moving forward through this incident to securely restore operations and services."
After limited public messaging, the internal statement offered the most complete look at the evolving crisis.
In a statement, U.S. Rep. Lori Trahan said she was being kept apprised of the situation and stood ready to be of assistance.
"I'm grateful that City officials moved quickly to respond to the cyber attack affecting its network, including getting in touch immediately with FBI personnel who specialize in cyber crimes," she said. "As always, my team and I have offered to be a resource any way we can as the City continues to work through the recovery process."
Steve Zuromski is a vice president of information technology and chief operating officer at Bridgewater State University, and is also affiliated with Cyber Trust Massachusetts, a nonprofit consortium that makes resources and training available to defend against cyber attacks.
He said Play is a ransomware group, which uses an invasive type of malware designed to deny access to computer systems and encrypt information until the ransom has been paid.
"What we're seeing is that bad actors will gain a foothold into an enterprise and actually sit there and lurk for days, weeks even — I've seen it be months — before they actually deploy the ransomware payload," he said. "We don't know what happened here — time will tell with forensics — but that's why it does take long. [The city] wants to make sure that [it] is being as comprehensive with the recovery and make sure that nothing else is still lurking."
The city has restored limited services, but challenges remain in returning the sprawling municipal network to full operation.
The issue was raised in Tuesday night's City Council meeting by Councilor Wayne Jenness' motion requesting an update on the cyber-related incident. Prior to the council meeting, City Manager Tom Golden said by phone that, "This continues to be an active and ongoing investigation, with multiple state and federal agencies involved in assessing this cyber-related event."
It is not known if a ransomware demand has been made by the group, which claims to have data from the city, according to the internal document.
"While Play has claimed online that they have data from the city, that has yet to be confirmed, identified or otherwise assessed by any of the agencies involved, including ourselves. If any was exfiltrated, it will be treated as a criminal event accordingly," Fernandez wrote.
But Zuromski said paying a ransom isn't a guarantee of the security or restoration of allegedly stolen data.
"We never encourage anyone to pay the ransom because it just continues to fuel the [criminal] enterprises that are out there," he said. "We're dealing with thieves here, and you hope that they decrypt the data and that they don't exfiltrate the data. It's a risky play [to pay]. Oftentimes, too, we've seen that the decryption doesn't actually fully work, the ransom gets paid and the enterprise is still in a murky situation."
Despite the compromised network, "payroll services were prioritized, followed by treasurer/collector revenue collection services, HR/Personnel services, permitting services, and billing/invoice services," and "no data or transactions were lost," noted the city's internal document.
The city website updated residents with a list of phone services restored to almost a dozen city government sites and departments, including City Hall, police, fire, sewer and public works.
The source of the intrusion and the scope of the breach remain under investigation, but in general, networks are compromised in one of three ways, Zuromski said.
"Phishing, which is a technique of social engineering, is still the leading method for getting a foothold in an enterprise network," he said. "Vulnerability management, which is when systems, servers, networks aren't adequately [security] patched. Finally, misconfiguration, which is when systems aren't set up properly leading to potential exposures."
All three may be under review given the scale of the recovery effort. According to the internal document, all desktops are being "deep wiped and re-imaged ... with limited applications and services on them."
Data drives will be restored and all servers "are being 'deep wiped', rebuilt from scratch, and restored based on backups" from April 21, before the cyber attack. The city will restrict employee Internet access and require multifactor authentication, and all antivirus tools are being replaced with a sophisticated combination of detection measures.
More importantly, all staff will be required to take regular cybersecurity training.
"Complete it in a timely manner, or your account will be shut down," the document warned.
Restoring data is a complicated and critical process, Zuromski said, that depends on the size of the enterprise and the amount of data and logs that need to be assessed.
"It can take anywhere from a couple of days to a few weeks," he said. "It sounds like the city is moving in the right direction although it's taking longer than the residents would like it to take, but it does appear it's moving in a positive direction. I don't think it's unusual given what appears to be the size of this incident for some of those services to still be impacted."
The expertise and time required to repair the damage from the hack, as well as to secure the city's network going forward, could get pricey, said Zuromski, but the investment is vital to protect technology infrastructure against future attacks.
"Cyber incidents are occurring across all industries, across all sectors whether the organizations are heavily resourced or not," he said. "Municipalities are rich targets based off of the data they possess. Having a cyber incident response plan ready that helps serve as a guide or framework to the notification and recovery process is considered best practice now."
©2023 The Sun, Distributed by Tribune Content Agency, LLC.