The House Oversight Committee held a hearing on defending the U.S. electric grid against cyber threats on Tuesday.
New details are emerging about a ransomware attack, tied to a Russia-based criminal syndicate, that affected roughly two dozen Texas communities two years ago.
Staff in small cities and towns struggled for days with disruptions to core government services and endured a cascade of frustrations brought on by the sophisticated cyberattack, according to thousands of pages of documents reviewed by The Associated Press and interviews with people involved in the response.
Jason Whisler, the Emergency Management Coordinator in the Texas Panhandle city of Borger, first learned during his morning cup of coffee on August 16, 2019, that the city's computer system had been hacked.
“It was just a scary feeling,” Whisler said. “There was always that urgency. You know, we have to check on the city and the network.”
So the city of Borger, which has fewer than 13,000 people, rushed to shut down its computers after realizing workers were frozen out of files.
Over the next several days, residents couldn’t pay water bills, the government couldn’t process payroll, and police officers couldn’t retrieve certain records.
Some computer screens flashed gibberish ransom demands, and the same message even spat out of printers inside the office.
“We’ve heard of ransomware. Some people have probably experienced it,” Whisler said. “But just to see this gibberish actually automatically getting printed out of computers onto the printers… That was kind of unusual.”
Soon after the widespread hacking, Gov. Greg Abbott declared it a cyber disaster and deployed Texas National Guard cyber specialists to help hacked cities assess the damage, restore data from backed-up files and retake control of locked systems.
State officials and federal agents spent a full week burrowed inside an underground operations center, normally used for calamities like hurricanes and floods, using a map to chart the attack’s spread. All told, some 23 government entities were ultimately shaded to indicate they’d been hit.
“The entities who had backups, they were in a better position than others,” said Amanda Crawford, executive director of Texas’s Department of Information Resources.
“Then it’s a matter of visiting with and assessing those entities,” she added. “What was it that was impacted, how long would it take to rebuild? What were the costs of that? Then it becomes a business decision as well overall. But from the state standpoint, paying the ransom was not an option.”
The culprits were affiliated with REvil, the Russia-based gang that last spring extorted $11 million from meat-processor JBS and more recently carried out what’s believed to be the largest global ransomware attack on record. In the Texas case, however, communities were ultimately able to recover most of their data and rebuild their systems without anyone paying ransom.
Before the end of the fourth business day, emails show, most city hall services in Borger were restored, including water payments, vital statistics and most employee computers. The situation had stabilized, the 18-hour days were over and the city ended up with about 80 percent of its data back.
Borger’s city manager, Garrett Spradling, said that in the weeks before the 2019 ransomware attack the city had discussed elevating the threat level posed by cyberattacks and was preparing to install a “brand-new server.”
“There are some things that we were already progressing to that really, I think, limited our monetary impact as well,” Spradling said. “We have added about $30,000 a year in ongoing cost for additional remote back up that we didn’t have prior. But now we have those third-party remote solutions on the police department and the dispatch center and pretty much all of our computer networks.”
Crawford is encouraging all organizations to take a more proactive approach to cybersecurity, starting by educating themselves and their employees through official training sessions.
“Because we’re only as strong as our weakest link,” Crawford said. “It’s all of our responsibility and it’s certainly it can happen to any of us. But the key is preparedness. Back up your data and keep it offline. In ransomware, your data is your hostage. And when you’re when you devalue that hostage, when you have a backup offline that you can come back and restore.”