It’s been called the “biggest reboot” in Lowell’s history, but a lot more is at stake in the recent cybersecurity breach of the city’s information technology systems.
Three weeks ago, officials discovered computer systems were under attack in a “cyber-related event.” The city didn’t publicly disclose details, but the response amounted to a complete shutdown of much of Lowell’s technology.
Phones were disconnected. Computers were removed from city offices and wiped clean. Staff began conducting business on laptops that had been shipped to Lowell during the pandemic, but never opened.
And now cybersecurity experts say the group that has claimed responsibility for the disruption in Lowell, one of Massachusetts’ largest cities, has published sensitive information purportedly seized from the city with a threat to release more data unless a ransom is paid.
“This is a well-known group who usually does carry through with threats,” Brett Callow, a threat analyst for the anti-malware company Emsisoft, said Saturday in a phone interview. “I have no particular reason to doubt their claims. These are criminal enterprises.”
On Thursday, Callow tweeted that an organization calling itself “Play” had published five gigabytes of data it says it seized from Lowell. The group, believed to be based in Russia, hasn’t specified how much data it has. The data, the group said, includes “private and personal confidential information.”
City officials said they discovered the breach on April 24.
Perpetrators launch ransomware attacks by locking administrators out of systems or seizing sensitive data and threatening to expose it unless a ransom is paid. The schemes are launched by duping users into sharing their credentials or allowing access to systems by malicious links.
#Play has released 5 GB of what it claims is the unspecified volume of data stolen from the City of Lowell. #ransomware pic.twitter.com/7eKYFqNjMR— Brett Callow (@BrettCallow) May 11, 2023
Allan Liska, a ransomware researcher at Somerville-based cybersecurity firm Recorded Future, said he’s looked at the data purportedly stolen from Lowell, and said it “looks like other legitimate data that has been stolen from cities before.”
The perpetrators, he said, are likely Russian speakers who don’t have the English fluency to fabricate the data, which was published on the “dark web,” a part of the Internet that’s inaccessible to standard browsers and search services.
“It’s unlikely that it’s faked,” Liska said Saturday.
The City of Lowell has said little publicly about the claims from Play.
City Councilor Wayne Jenness, who works in information technology by trade, said Saturday that the city was trying to determine whether the data published by Play is authentic.
He said he was “waiting to see if the data was real.”
On Thursda, City Manager Thomas A. Golden Jr. told the Lowell Sun that the city was working with state and federal law enforcement officials. He didn’t respond Saturday to messages from the Globe.
Mayor Sokhary Chau, who has been traveling in Cambodia, also didn’t respond to an e-mail.
Play hasn’t publicly disclosed how much money it is seeking from the City of Lowell, Liska said.
Callow said he advises against paying ransoms.
“These criminals can’t be trusted to do what they say they’ll do,” he said.
On Tuesday, Mirán Fernandez, Lowell’s chief information officer, appeared before the City Council and provided some details about efforts to recover from the attack.
During his remarks, Fernandez said the city experienced a “cyber-related event,” but declined to provide details, citing ongoing investigations. The city has said its emergency 911 service was never affected.
The breach, he said, was reported to state and federal authorities and he told councilors the city has spoken to FBI representatives in Boston, San Antonio, and San Francisco.
On Saturday, a spokeswoman for the FBI’s Boston office declined to comment. In a statement, US Representative Lori Trahan, who represents Lowell, praised the city for notifying cybersecurity experts at the FBI.
After detecting the breach, Fernandez said the city began wiping its computer systems and rebuilding them with new security measures, including multifactor authentication. Jenness said some of Lowell’s systems already used multifactor authentication, but now the feature is being deployed more widely.
Fernandez told councilors that city employees will be required to participate in cybersecurity training or lose access to their computers.
The process of taking computer systems offline has slowed the city’s ability to perform some services, he said. But the city processed payroll without interruption and telephone services were restored at City Hall and other locations, according to a May 5 update on Lowell’s website.
“This was the biggest reboot in the city’s history. We had to unplug, turn everything off,” Fernandez said.
Some services remain inaccessible from some locations. The city’s geographic information systems remain offline to users outside City Hall, Fernandez said. Some city departments also must go to City Hall to perform tasks that they previously performed from offsite locations, Jenness said.
Fernandez said he is not aware of the city losing any data saved to its network, but data saved to desktop computers was removed during the recovery process.
“Because of the nature of how we had to collect all the devices and had to assume that everything was just questionable, we basically had to wipe all the machines and anyone who had data on their desktops did lose it,” Fernandez said during the City Council meeting.
He didn’t respond Saturday to an e-mail from the Globe.
During the council meeting, Fernandez said 37 government organizations had “cyber events” during the previous week.
Earlier this month, officials in San Bernardino County, Calif., announced they paid $1.1 million to a hacker who had infiltrated a computer system used by the county sheriff. County officials discovered the breach in early April and have said they paid the ransom to regain access to the network.
Also this month, a ransomware attack crippled systems in Dallas, including the computer-assisted dispatch for 911. On Saturday, the city’s website said Dallas was “experiencing a service outage.”
In Massachusetts, Bristol Community College was knocked offline by ransomware late last year. In January, similar attacks hit the public schools of Nantucket and Swansea. Northern Essex Community College was victimized in March. In April, Vantage Travel, the Boston-based international travel company, said it took a hit; so did Point32Health, the parent company for Tufts Health Plan and Harvard Pilgrim Health Care.
Liska said there “isn’t a lot of rhyme or reason” to the way ransomware groups pick their targets. The attackers, he said, seek to generate publicity by demanding ransoms from high-profile victims.
“It helps them gain notoriety,” he said. “This is the ransomware version of clout on Instagram.”
Laura Crimaldi can be reached at email@example.com. Follow her on Twitter @lauracrimaldi.