Cyber attacks against law enforcement, fire departments and other emergency services have become increasingly common and are likely to increase, according to a recent intelligence assessment prepared by the Department of Homeland Security and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The assessment, which was distributed to law enforcement in September 2015 and was obtained by Public Intelligence, reviewed a number of “cyber attacks against the [emergency services sector or ESS] between February 2012 and May 2015,” finding that “targeting of the ESS will likely increase as ESS systems and networks become more interconnected and the ESS becomes more dependent on information technology for the conduct of daily operations—creating a wider array of attack vectors for cyber targeting.” Recent incidents involving the use of telephony-denial-of-service (TDoS) attacks and ransomware, as well as the exploitation of “critical hardware and software” including call-center communications-management software, closed-circuit TV camera systems, interactive voice response systems, and emergency alert systems, are detailed in the assessment.
DHS and MS-ISAC assess that the “most prominent cyber actors targeting the ESS” are “criminal hackers” who have engaged in “numerous attacks against state and local networks, particularly law enforcement, in response to perceived social and legal injustices” and are “prone to announcing attacks to increase visibility and support for their cause.” The assessment defines “criminal hackers” as “individuals or groups that commit a crime by illegally accessing or altering systems, often in furtherance of an ideological goal.” The use of the term “criminal hackers” marks a departure from previous law enforcement bulletins which have used the terms “hacktivists” or “hacker groups” to describe ideologically-motivated cyber actors. The term is also used in an FBI bulletin released in May 2015 titled “Criminal Hackers Target Police to Protest Perceived Injustices.” The assessment distinguishes between these criminal hackers and “cybercriminals” who “carry out illegal activities on computer networks, such as carding schemes, ransom and extortion, theft of personally identifiable information, and account information to facilitate fraud.”
Criminal hackers seeking to “gain support for their political agenda—or to exact retribution for perceived social or legal injustices—have shown repeated interest in targeting the ESS” as is “evidenced by the numerous attacks against state and local networks, particularly law enforcement, in response to perceived social and legal injustices.” However, DHS and MS-ISAC assess that their capabilities are not particularly sophisticated, limiting them to “low-level cyber operations, such as [denial of service or DoS] attacks, website defacements, and doxing (publishing of personally identifiable information), often attacking targets of opportunity.” These low-level operations have proliferated in recent years, particularly in response to increased political controversy surrounding police brutality and excessive use of force. The assessment also discusses several examples of these operations, often involving DoS attacks or doxing, including a series of DoS attacks conducted by the hacker collective Anonymous against the City of Madison, Wisconsin in 2014 to protest an officer-involved shooting. The attack reportedly “affected some police, fire, and medical dispatch services; as well as city government Internet and e-mail communications, and online payment services.”
Though so-called “criminal hackers” are the most prominent cyber actors in DHS and MS-ISAC’s assessment, cybercriminals working for financial gain pose a “persistent threat” and have launched attacks significantly impacting ESS operations.
- In May 2015, a Nevada county sheriff’s department and a Wisconsin police department were victims of a ransomware attack that encrypted both departments’ shared folders. MS-ISAC later determined that the intrusions occurred as a result of visits to a legitimate website which had been compromised.
- A city in Southern California and several local public-safety agencies were hit by ransomware in June 2014. The compromise affected 100 computers and 10 servers.
- A fire department in Northern California and a law enforcement agency in Southern California were infected by ransomware resulting in the compromise of one computer and one server in each location, making vital information unavailable.
- In 2013, telephony denial of service (TDoS) attacks affected approximately 600 critical government phone systems nationwide, including 200 public-safety answering points (PSAPs). After several days, the attackers reportedly requested $5,000 to cease the attacks.