Advanced Persistent Threat: Mat-Su Borough, Valdez fighting highly sophisticated cyber attack
The malware that knocked services offline in the Mat-Su Borough and City of Valdez included a
previously unknown to software and anti-virus developers and security researchers according to an update from the Mat-Su Borough Monday.
Mat-Su Borough IT Director Eric Wyatt, who has worked in IT and information and network security for 35 years, including for the U.S. military and as a Dept. of Defense contractor, described the malware as "a very insidious, very well-organized attack." It's a type of cyber attack that's categorized by security researchers as an Advanced Persistent Threat.
"It's not a kid in his mom's basement," Wyatt said in Monday's statement.
The National Institute of Standards and Technology's Computer Security Resource Center
, or APT, as a multi-vectored attack that "pursues its objectives repeatedly over an extended period of time; adapts to defenders’ efforts to resist it; and is determined to maintain the level of interaction needed to execute its objectives."
Wyatt says the malware is a multi-pronged, multi-vectored attack composed of not just one single virus, but with multiple different types of malware, including Trojan horse, Cryptolocker, time bomb, and dead man's switch attacks.
“It’s a new world,” Wyatt said in the release.
In the status report, Wyatt said the attack is most likely spread via email. A hyperlink to a malicious website prompts users to install an add-on, or to open an attachment with a macro. The malware also likely targets users with local administrative permissions, according to the update.
The status report, citing FBI information, shows that once the Trojan virus has been delivered, it creates access for the attacker to bring in other malicious software. The malware also exfiltrates the user's contact list - in this case, via Outlook - to send to other government or municipal addresses. Additionally, the messages appear to those who receive it as if it comes from someone they know and trust.
If the attackers are successful in gaining administrative access, all internal security settings, including event logging and auditing, are disabled, allowing the malware to spread to every server and workstation on the network. From there, attackers can defeat passwords and further compromise any other machine connected to the network.
The malware, which appears to only target Windows-based machines, is believed to have laid dormant in Borough servers since May 3rd until its discovery on July 23rd.
"During this time, data from any of our systems may have been compromised and sent outside of our network," Wyatt wrote in the status update. "We do not have evidence of this, but we must work from the assumption that this was done."
Wyatt wrote that the malware matches the patterns the FBI has observed at multiple attack sites across the country, including the attack that hobbled the
Evidence found in Mat-Su Borough computers indicates that the Borough was the 210th victim of the attack.
Mat-Su Borough Communications Director Patty Sullivan said in Monday's update that the Borough is working on rebuilding its entire network infrastructure, with servers and computers being rebuilt and restored.
A Borough phone server was rebuilt Sunday night, and phone systems were beginning to be restored Monday.
Borough backup servers were reportedly structured in a way that limited data loss.
Sullivan reiterated that credit card data is not stored on Borough systems and was never at risk of compromise as a result of this attack.
In an interview with Channel 2 on Friday, Wyatt said that the Mat-Su Borough has received an outpouring of support from other agencies, including federal, state, telecom and security organizations.
"I have been very impressed by the way the community has come together," Wyatt said. "I think as Alaskans, that's something we can be very proud of."
Matanuska-Susitna Borough computer systems were taken offline after what Borough officials described as a "computer virus that is surfacing across the nation" was discovered in the Borough network Monday.
According to a statement released by the Mat-Su Borough Wednesday evening, Borough office phones and computer systems were taken offline "to prevent further compromise," forcing Borough employees to turn to typewriters and hand-written receipts.
"There's a few typewriters from the dark ages that someone had the foresight to hang onto," Mat-Su Borough Public Affairs Director Patty Sullivan told Channel 2. "Employees pulled them from the closets and got to work on permits and things that had to be done in a day."
Sullivan says the Borough enlisted runners to deliver typed or handwritten messages between Borough buildings.
Borough IT Director Eric Wyatt met with the FBI Cyber Crimes Division Wednesday in an effort to help identify and mitigate the effects of the virus.
"We've disconnected from the internet," Wyatt said Thursday, "so we're not currently providing the services externally that we normally do, because these attacks come from the external.
"Keep in mind, we - in defending these types of things - need to be right every time," he said. "The attackers need to be right once."
According to the Borough statement, private credit card information is not stored online by the Borough, and was not compromised.
The Mat-Su Borough website remains online, while IT teams work to restore other Borough services one at a time as they are confirmed to be safe, with priority on restoring phone and email systems.
According to the release, Borough libraries in Sutton, Willow, Talkeetna, Big Lake, and Trapper Creek are checking out books manually, and only cash and checks are being accepted for purchases.
"We ask for your card, and your name, get a little piece of paper, write it down with a pencil, and write down the barcode from the back of the material," said Nancy Bertels, a librarian of 35 years for the Sutton Library. "But at some point, we would have to say, 'enough,' until we got it all input."
The Animal Care facility is open but its computer system is offline, limiting its ability to provide services.
The Collections office is handwriting receipts and is only able to accept cash or checks. Transactions posts and balances are currently unavailable.
The Purchasing office remains online, but email correspondence is currently unavailable. Any questions should be delivered in writing to the Purchasing office.