City cyber attackers were 'well-funded, organized,' it will take years to recover, experts say
A team from Deloitte Canada revealed details about the breach at a general issues committee meeting Wednesday
A sophisticated criminal organization hacked into the City of Hamilton's IT systems at twice the average speed of similar ransomware attacks, locking staff out of online systems and demanding payment within 20 days, say cybersecurity experts.
A team from Deloitte Canada revealed details about the Feb. 25 breach at a general issues committee meeting Wednesday. Deloitte is one of the outside companies the city hired to help recover from the ransomware attack that continues to impact services four months later.
"Threat actors" typically take 40 days from first accessing the system to ransoming and encrypting networks and effecting the organization, said Deloitte partner Bryson Tan. The speed at which the hackers moved indicates they were "well-funded, organized and advanced."
The city moved swiftly, too, containing the incident in two days, compared to the average of 25 days, said Tan. But the damage was done.
"This is a very significant breach," Andy Potter, also a partner at Deloitte, told councillors. "There's no sugarcoating that and it will continue to have significant impacts for quite some time. This won't get solved in months. We are talking about years."
Hamilton police are investigating, said Marnie Cluckie, city manager, at a news conference Thursday. There is no indication personal information was stolen.
City won't say how the attack happened
The city has spent $5.7 million so far to recover from the attack, some of which may be covered by insurance, Cluckie said.
About 45 per cent of systems have been restored or replaced, including the general inquiry email, internet access, job postings and vendor payments.
All city employees have regained access to their payroll information, including online pay stubs and T4 slips, said Mike Zegarac, general manager of finance. The city had been paying them manually since March, and now the system is back online and any pay discrepancies will be corrected.
The City of Hamilton presented a public Cybersecurity Incident Impact Update Report at today’s General Issues Committee Meeting. The report provides an operational and cost update related to the City’s cyber incident. <br> <br>See the latest update: <a href="https://t.co/6xnQtDrgl1">https://t.co/6xnQtDrgl1</a> <a href="https://t.co/wAbLeMPGkF">pic.twitter.com/wAbLeMPGkF</a>
—@cityofhamilton
The city didn't pay the ransom and hasn't made public the amount of money demanded, but Coun. John-Paul Danko said at the committee meeting, it would've been a "throwaway cost" that wouldn't have guaranteed the encrypted data would be released.
The city expects to spend more than $33 million until 2033 to rebuild and expedite cybersecurity projects already planned for the coming years.
As for how the attackers broke into the city's systems in the first place, Hamilton's Chief Information Officer Cyrus Tehrani said he doesn't plan to reveal that anytime soon.
"That's standard protocol," he told reporters Wednesday. "It's no different than if burglars got into your house. You wouldn't put a sign on the front explaining how they got in."