
What happened in ransomware attack on Port of San Diego

Iran-backed hackers demanded Bitcoin

New disclosures reveal higher stakes than previously known when the Port of San Diego fell victim in late 2018 to a major cyberattack now believed to have originated in Iran.

“This cyberattack was called ‘21st-century digital blackmail’ by the Department of Justice,” Tanya Castaneda, Port of San Diego’s now former public information officer, says.

Among the bad scenarios posed by the cyberattack were potential threats to public safety. Port officials, quick to note that they never materialized, declined to specify what kinds of threats the cyberattack could have posed to local residents and businesses with no direct connections to the port.

The port never closed as a result of the Iranian ransomware attack.

Yet clues lie in the distinctive nature of the facility. “Port of San Diego is an essential part of the U.S. network of ports and transportation infrastructure,” Castaneda says. “While we are a commercial port, we have the additional special designation of strategic port for the U.S. Department of Defense.”

Details about the attack were made public after a year-and-a-half FBI investigation led to a grand jury indictment naming the alleged perpetrators, purveyors of the so-called “SamSam” ransomware virus, as state-sponsored hackers operating inside the Islamic Republic of Iran.

Ransomware is defined by the Department of Homeland Security as “a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it.” Homeland Security offers an online primer of ransomware attack do’s and don’ts.

Cybersecurity expert Rob Belk praised Port of San Diego’s response to the attack.

U.S. Department of Justice officials say the hackers used the virus to shake down $6 million in ransom payments paid by American and Canadian entities eager to retrieve their stolen data. Ransom payers caught up in the SamSam Virus attacks included municipalities, a major university, state agencies, and private-sector organizations. The cyberattackers vexed data security teams across a 34-month period that appears to have ended with San Diego’s port authority — but not before causing $30 million in damages and losses in addition to the ransoms that were paid.

The city of Atlanta and Hollywood Presbyterian Medical Center in Los Angeles were among those hit by the virus that was allegedly unleashed by Iran’s “Mabna Institute.”

Claiming an economic impact on the San Diego region of more than $8 billion, the Port of San Diego is being hailed by many in the data-security community as a stellar case study in how public-sector organizations should respond to ransomware attacks.

San Diego’s dual importance as a military and commercial port made it an inviting target for ransomware extortion.

High Marks, but not ‘Text-book Perfect’

“They did a lot of things right; they were prepared and they acted quickly,” said Robert Belk, West Region cybersecurity lead at EY (formerly Ernst & Young).

It turns out port officials were midway through deploying upgrades to their cybersecurity systems when the attack occurred. They declined to estimate how much damage and expense could have been avoided if those upgrades had already been completed at the time of the attack. Castaneda was unsure how much the Port of San Diego’s response to the attack cost.

“This information is being compiled so we don’t have a number yet,” says Castaneda.

Minor shortcomings aside, experts still give port officials high marks for their response to the SamSam Virus attack.

“They recognized the attack early and responded with appropriate measures — and it seems they also did a good job balancing the public’s need to know with law enforcement’s need to protect investigations,” says Belk.

A retired naval officer and board member at the San Diego Cybersecurity Center for Excellence, Belk declined to characterize the port’s response to the data breach as “textbook-perfect.” That didn’t stop officials from crowing about the kudos Belk and others in the cybersecurity profession did offer.

“This was a great example of how it’s possible to strike a balance between serving the public by being open and transparent with information, and protecting the public by preserving the confidentiality of an investigation and not revealing potential areas of vulnerability in law enforcement systems,” said one official.

Castaneda said she’s proud of the fact that her office issued a public statement that a “serious cybersecurity incident” had occurred, hours before a single reporter called to inquire about rumblings that the port had been or was about to be closed. Fact is, the port never closed as a result of the ransomware attack. Hackers stole mostly administrative data as opposed to information about day-to-day shipping and operations at the port, says Castaneda.

Cybersecurity wonks such as Belk also give kudos to the Port of San Diego officials for declining to pay the attackers the ransom they demanded.

“The port had followed prior FBI guidance with the implementation of strong security practices, including a backup system for electronic information, which enabled us to recover data and not pay the ransom,” Castaneda says.

She declined to say how much in ransom money the cyberattackers demanded.

“The FBI has advised us against releasing this information because [it] could theoretically be useful to hackers,” she says. “I can reveal that the attackers sought payment in Bitcoin digital currency.”

The fact that the hackers wanted to be paid in Bitcoin comes with further news of an action taken by the U.S. Department of the Treasury in response to the San Diego attack:

“Treasury took historic action to target digital currency,” Castaneda says. “For the first time, Treasury actually published the two digital currency addresses used by the attackers.”

At my request, the Port of San Diego compiled a list of facts about the ransomware attack. A condensed version:

The type of ransomware used was SamSam.

Per the FBI, the Port was the final victim in an international computer hacking and extortion scheme involving the deployment of sophisticated ransomware. The scheme began in December 2015 and targeted more than 200 public agencies and hospitals. According to the indictment, other victims included the City of Atlanta; the City of Newark, New Jersey; the Colorado Department of Transportation; the University of Calgary, Canada; and six health care-related entities: Hollywood Presbyterian Medical Center in Los Angeles; Kansas Heart Hospital in Wichita; MedStar Health, headquartered in Columbia, Maryland; Nebraska Orthopedic Hospital, now known as OrthoNebraska Hospital; and Allscripts Healthcare Solutions Inc., headquartered in Chicago.

The Iran-based attackers allegedly communicated over the “dark web” and attacked their victims outside normal business hours to minimize the possibility of being detected, according to the Department of Justice. [Port officials declined to say whether their attack was outside normal business hours.]

During the attack, Port of San Diego public records requests were delayed because of limited access to Port systems, but Port staff went “above and beyond to provide what we could. At one point, we were advised not to send out attachments to avoid potentially spreading the damage to external entities. A reporter requested a document... As a work-around, public information officer Tanya Castaneda took a smartphone photo and texted it to a newspaper reporter so she could meet her deadline.”

Timeline of the attack:

September 25, 2018: The Port’s Information Technology Department gets reports about Port employees’ files locking and messages demanding Bitcoin as ransom to unlock them. All staff members are directed to turn off computers while the situation is investigated. Port notifies the Governor’s Office of Emergency Services (CAL-OES) and the San Diego County Office of Emergency Services, along with the U.S. Navy, Coast Guard, Department of Homeland Security and the FBI.

September 26: The Port issues a statement announcing that it is facing a “serious cybersecurity incident.” The Port has mobilized a team of industry experts and local, regional, state and federal partners to minimize impacts and restore system functionality, with priority placed on public safety-related systems. The Harbor Police Department has alternate systems and procedures in place to minimize impacts to public safety. Port employees are at work but have limited functionality, which may have temporary impacts on service to the public, especially in the areas of park permits, public records requests, and business services.

September 27: The Port continues its work with investigators on the incident and continues to keep stakeholders informed. In consultation with investigators, the Port publicly reveals that ransomware was used and that the attackers demanded Bitcoin. The Port also issues a statement to note that this is mainly an administrative issue and normal Port operations are continuing as usual. The Port remains open, public safety operations are ongoing, and ships and boats continue to have access to San Diego Bay marinas.

September 28: For the first time since the attack, a cruise ship is in port. All cruise passengers are successfully checked in with no delays and no impacts to operations.

October 2: All Port operations continue normally, but the cyberattack has caused administrative challenges. Some employees are using replacement computers and alternate systems. Employees without access to a computer are encouraged to use the time to complete projects that do not require computers.

October 3: The Port successfully runs payroll using alternate systems.

October 4: The Port releases a statement that it remains open for business and operations are continuing. Since the incident was first reported, the Port has handled calls [a port “call” is a docking visit by a seagoing vessel and administrative actions entailed therein] from seven cruise ships and 10 cargo ships, processed biweekly payroll, and continued public safety operations as usual.

November 28: The Department of Justice and the FBI hold a press conference in Washington, D.C. to announce two indictments in what is described as a 34-month international computer hacking and extortion scheme involving the deployment of sophisticated ransomware.


Comments

We the public don't really know what happened, or what it cost, or how badly it disrupted operations, or much else, do we? Yeah something happened, and either it was bad, or wasn't so bad due to preventive measures. But the measures weren't in place or they were, and the immediate reaction was the correct one, or maybe it wasn't. Don't you feel reassured and comforted? I don't.

April 10, 2019
