What happened in ransomware attack on Port of San Diego

Iran-backed hackers demanded Bitcoin

New disclosures reveal higher stakes than previously known when the Port of San Diego fell victim in late 2018 to a major cyberattack now believed to have originated in Iran.

“This cyberattack was called ‘21st-century digital blackmail’ by the Department of Justice,” Tanya Castaneda, Port of San Diego’s now former public information officer, says.

Among the bad scenarios posed by the cyberattack were potential threats to public safety. Port officials, quick to note that they never materialized, declined to specify what kinds of threats the cyberattack could have posed to local residents and businesses with no direct connections to the port.

The port never closed as a result of the Iranian ransomware attack.

Yet clues lie in the distinctive nature of the facility. “Port of San Diego is an essential part of the U.S. network of ports and transportation infrastructure,” Castaneda says. “While we are a commercial port, we have the additional special designation of strategic port for the U.S. Department of Defense.”

Details about the attack were made public after a year-and-a-half FBI investigation led to a grand jury indictment naming the alleged perpetrators, purveyors of the so-called “SamSam” ransomware virus, as state-sponsored hackers operating inside the Islamic Republic of Iran.

Ransomware is defined by the Department of Homeland Security as “a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it.” Homeland Security offers an online primer of ransomware attack do’s and don’ts.

Cybersecurity expert Rob Belk praised Port of San Diego’s response to the attack.

U.S. Department of Justice officials say the hackers used the virus to shake down $6 million in ransom payments paid by American and Canadian entities eager to retrieve their stolen data. Ransom payers caught up in the SamSam Virus attacks included municipalities, a major university, state agencies, and private-sector organizations. The cyberattackers vexed data security teams across a 34-month period that appears to have ended with San Diego’s port authority — but not before causing $30 million in damages and losses in addition to the ransoms that were paid.


The city of Atlanta and Hollywood Presbyterian Medical Center in Los Angeles were among those hit by the virus that was allegedly unleashed by Iran’s “Mabna Institute.”

Claiming an economic impact on the San Diego region of more than $8 billion, the Port of San Diego is being hailed by many in the data-security community as a stellar case study in how public-sector organizations should respond to ransomware attacks.

San Diego’s dual importance as a military and commercial port made it an inviting target for ransomware extortion.

High Marks, but not ‘Text-book Perfect’

“They did a lot of things right; they were prepared and they acted quickly,” said Robert Belk, West Region cybersecurity lead at EY (formerly Ernst & Young).

It turns out port officials were midstream in deploying upgrades to their cybersecurity systems when the attack occurred. They declined to estimate how much damage and expense could have been avoided if those upgrades had already been completed at the time of the attack. Castaneda was unsure how much the Port of San Diego’s response to the attack had cost.

“This information is being compiled so we don’t have a number yet,” says Castaneda.

Minor shortcomings aside, experts still give port officials high marks for their response to the SamSam Virus attack.

“They recognized the attack early and responded with appropriate measures — and it seems they also did a good job balancing the public’s need to know with law enforcement’s need to protect investigations,” says Belk.

A retired naval officer and board member at the San Diego Cybersecurity Center for Excellence, Belk declined to characterize the port’s response to the data breach as “textbook-perfect.” That didn’t stop officials from crowing about the kudos Belk and others in the cybersecurity profession did offer.

“This was a great example of how it’s possible to strike a balance between serving the public by being open and transparent with information, and protecting the public by preserving the confidentiality of an investigation and not revealing potential areas of vulnerability in law enforcement systems,” said one.

Castaneda said she’s proud of the fact that her office issued a public statement that a “serious cybersecurity incident” had occurred, hours before a single reporter called to inquire about rumblings that the port had been or was about to be closed. Fact is, the port never closed as a result of the ransomware attack. Hackers stole mostly administrative data as opposed to information about day-to-day shipping and operations at the port, says Castaneda.

Cybersecurity wonks such as Belk also give kudos to the Port of San Diego officials for declining to pay the attackers the ransom they demanded.

“The port had followed prior FBI guidance with the implementation of strong security practices, including a backup system for electronic information, which enabled us to recover data and not pay the ransom,” Castaneda says.

She declined to say how much in ransom money the cyberattackers demanded.

“The FBI has advised us against releasing this information because [it] could theoretically be useful to hackers,” she says. “I can reveal that the attackers sought payment in Bitcoin digital currency.”

The fact that the hackers wanted to be paid in Bitcoin comes with further news of an action taken by the U.S. Department of the Treasury in response to the San Diego attack:

“Treasury took historic action to target digital currency,” Castaneda says. “For the first time, Treasury actually published the two digital currency addresses used by the attackers.”

At my request, the Port of San Diego compiled a list of facts about the ransomware attack. A condensed version:

The type of ransomware used was SamSam.

Per the FBI, the Port was the final victim in an international computer hacking and extortion scheme involving the deployment of sophisticated ransomware. The scheme began in December 2015 and targeted more than 200 public agencies and hospitals. According to the indictment, other victims included the City of Atlanta; the City of Newark, New Jersey; the Colorado Department of Transportation; the University of Calgary, Canada; and six health care-related entities: Hollywood Presbyterian Medical Center in Los Angeles; Kansas Heart Hospital in Wichita; MedStar Health, headquartered in Columbia, Maryland; Nebraska Orthopedic Hospital now known as OrthoNebraska Hospital; and Allscripts Healthcare Solutions Inc., headquartered in Chicago.

The Iran-based attackers allegedly communicated over the “dark web” and attacked their victims outside normal business hours to minimize the possibility of being detected, according to the Department of Justice. [Port officials declined to say whether their attack was outside normal business hours.]

During the attack, Port of San Diego public records requests were delayed because of limited access to Port systems, but Port staff went “above and beyond to provide what we could. At one point, we were advised not to send out attachments to avoid potentially spreading the damage to external entities. A reporter requested a document... As a work-around, public information officer Tanya Castaneda took a smartphone photo and texted it to a newspaper reporter so she could meet her deadline.”

Timeline of the attack:

September 25, 2018: The Port’s Information Technology Department gets reports about Port employees’ files locking and messages demanding Bitcoin as ransom to unlock them. All staff members are directed to turn off computers while the situation is investigated. Port notifies the Governor’s Office of Emergency Services (CAL-OES) and the San Diego County Office of Emergency Services, along with the U.S. Navy, Coast Guard, Department of Homeland Security and the FBI.

September 26: The Port issues a statement announcing that it is facing a “serious cybersecurity incident.” The Port has mobilized a team of industry experts and local, regional, state and federal partners to minimize impacts and restore system functionality, with priority placed on public safety-related systems. The Harbor Police Department has alternate systems and procedures in place to minimize impacts to public safety. Port employees are at work but have limited functionality, which may have temporary impacts on service to the public, especially in the areas of park permits, public records requests, and business services.

September 27: The Port continues its work with investigators on the incident and continues to keep stakeholders informed. In consultation with investigators, the Port publicly reveals that ransomware was used and that the attackers demanded Bitcoin. The Port also issues a statement to note that this is mainly an administrative issue and normal Port operations are continuing as usual. The Port remains open, public safety operations are ongoing, and ships and boats continue to have access to San Diego Bay marinas.

September 28: For the first time since the attack, a cruise ship is in port. All cruise passengers are successfully checked in with no delays and no impacts to operations.

October 2: All Port operations continue normally, but the cyberattack has caused administrative challenges. Some employees are using replacement computers and alternate systems. Employees without access to a computer are encouraged to use the time to complete projects that do not require the use of computers.

October 3: The Port successfully runs payroll using alternate systems.

October 4: The Port releases a statement that it remains open for business and operations are continuing. Since the incident was first reported, the Port has handled calls [a port “call” is a docking visit by a seagoing vessel and administrative actions entailed therein] from seven cruise ships and 10 cargo ships, processed biweekly payroll, and continued public safety operations as usual.

November 28: The Department of Justice and the FBI hold a press conference in Washington, D.C. to announce two indictments in what is described as a 34-month international computer hacking and extortion scheme involving the deployment of sophisticated ransomware.
