In the early morning hours of July 22, the Town of Truckee’s manager, Jennifer Callaway, learned from a member of the town’s IT staff, Kimberly English, that the town’s IT system was breached and being attacked.
“The breach did not happen by clicking on a link in an email; it was a variant of malware that mines for passwords and once a password is obtained, infiltrates into the system,” Callaway told Moonshine Ink in a later email.
Staff members quickly shut down the entire IT system and activated the town’s Emergency Operations Center. Internet capabilities were gone, historic records and emails were blocked, and requests could not be fulfilled, Callaway said.
Investigators directed people involved not to comment about the attack right away. At the town council’s regular second monthly meeting on Sept. 28, Callaway gave her first public account. “You don’t realize how paralyzing this is until you go through it,” she said.
The cyberattack was an infection of malware that disables or encrypts an IT system, rendering it unusable. It’s a trend: Bad actors from overseas and within the U.S. have been launching similar attacks, often demanding money in exchange for freeing up the software or information. Such ransomware incidents multiplied by 300% last year, and the dollar amounts of demands have risen, according to the U.S. Department of Justice.
Such attacks have temporarily halted operations at many organizations. This spring, a breach similar to the Town of Truckee’s led to a precautionary shutdown of a network at one of the nation’s largest pipelines, Colonial Pipeline. The incident caused gas shortages and high gas prices across the East, according to reporting by National Public Radio. That attack happened through a leaked account password, according to Bloomberg.com. In May this year, the Metropolitan Transportation Authority of New York announced a cyberattack had exposed vulnerabilities in its system without forcing a shutdown of services, according to the New York Times.
In her 10-minute, pre-written report, Truckee town manager Callaway described how in the morning after the attack, employees plugged away despite having none of their regular work tools: no computers, internet access, or recent records.
“Town staff responded immediately and effectively by shutting down the town’s IT network completely, literally pulling cords,” she said. “This included all of our phones, access to data, and our access to all that exists behind our firewall. All of that was shut down.”
Truckee Mayor Anna Klovstad later affirmed the hard work in an email to Moonshine Ink. “It has been more difficult on staff than anyone outside the organization can really comprehend,” Klovstad said. “Just try to imagine being shut out of all your email and work files completely and you still have to do your job.”
The town’s insurance provider was contacted, Callaway said, and they assembled their response team. “The response team provided us with instructions and recommendations on how to move forward,” she said. The town notified the FBI, the California Office of Emergency Services, and other public entities that have experienced similar events.
Investigators of the town incident either do not know yet, or will not reveal, who precipitated the attack. Answering questions that stemmed from public rumors that a ransom was paid, Callaway told Moonshine Ink, “We are not at liberty to discuss that much at this point.”
As tough as the situation has been for staff members, it also shackled the work of some residents and employees. For example: builders who’d applied for permits for houses, decks, and additions found their applications stalled; people searching historical records hit blank holes; employees could not access emails of the past.
Town employees hesitated to say much about the incident in the early days of the enforcement agencies’ investigations. This impacted people needing services.
“There was zero transparency,” said Michael Douglas, a draftsperson who was already frustrated by long building department delays that had evolved during the Covid-19 pandemic as people moved to town, bought houses, and scheduled improvements.
“There is a short window for prime construction weather in Truckee,” he said. “The cyberattack happened at the worst possible time. There should have been a little bit more communication/leniency … Projects that were supposed to be under construction this year got pushed to next year.”
The town worked through the backlog and began accepting permit applications again on Aug. 23, according to Callaway.
Her report addressed the community frustration. “With an abundance of caution, as we move to the recovering and rebuilding efforts, we have not been able to be as transparent as we normally would, or we’d like to be — as transparent as our community expects and deserves,” she said. “So, we apologize for that. But I have to say that my first obligation is to make sure our town is protected, and our town assets are protected, and that’s what we’ve been focused on the last couple of months as we’ve been recovering, rebuilding, and restoring.”
The town lost access to valuable information, “[including] permits that had been submitted and those that were in the review process,” Callaway said. “In response, staff rebuilt the entire permit queue and all the permit files by working directly with applicants and our third-party plan review firms. We were only recently able to recover the data and we are now caught up with resubmittal … We are approximating about six weeks behind in that process. We’re working hard to bring on additional staff to reduce turnaround times.”
Public records were also affected. “We have several pending public records requests, many of which we cannot fill at this point,” she said. “We are still working to bring Laserfiche back, which contains the majority of the town’s historical documents. Once this is restored, which we expect to be [in] approximately three weeks, we can begin to process the requests we have.”
Some data will remain permanently out of reach, including staff emails written before the attack. “At this point it doesn’t appear we’ll be able to restore our legacy emails or emails prior to about a month ago,” Callaway said. “That particular server, which contained Microsoft Exchange, was impacted with a malicious piece of malware, and it’s been recommended by our forensic investigators that we don’t turn that on at the risk of spreading that further into our system. That could change in the future, but this is what we know as of today.”
Council members approved spending a total of $1.13 million to recover from the attack and upgrade the town’s IT system to meet the National Institute of Standards and Technology Cybersecurity Framework. About $262,000 was for remediation and forensic investigation covered through insurance, according to a staff report, and the rest was for software rebuilding and purchase, backup solutions, networking, and other costs. Expenses not covered by insurance will come from the town’s general fund and enterprise fund (building and safety, parking, transit, and solid waste), according to the staff report. The report stated the town was already in the process of an IT upgrade, and had allocated some funding for it, before the attack. The town hired cybersecurity experts from the company ePlus to guide the rebuilding process.
Callaway said the town is moving forward at a good pace. “We’re now two months and a few days post breach, and while the past few months have been incredibly challenging — and I can’t stress that enough — at this point we’ve been able to build new security systems, recover our data, and restore many of our systems.”
The Department of Justice recently created a website, stopransomware.gov, to help cyberattack victims recover. “Roughly $350 million in ransom was paid to malicious cyber actors in 2020, a more than 300% increase from the previous year,” the site reports. “Further, there have already been multiple notable ransomware attacks in 2021, and despite making up roughly 75% of all ransomware cases, attacks on small businesses often go unnoticed. Like most cyberattacks, ransomware exploits the weakest link.”
Stopransomware.gov recommends taking the following steps to help prevent a cyberattack:
- Update software and operating systems with the latest patches. Outdated applications and operating systems are the target of most attacks.
- Never click on links or open attachments in unsolicited emails.
- Back up data on a regular basis. Keep it on a separate device and store it offline.
- Follow safe practices when using devices that connect to the Internet.