Recently, the Washington D.C. Metropolitan Police Department made headlines when they announced the agency’s computer network had been hacked, with cyberattackers reportedly making off with 250 gigabytes of sensitive data, including the identity of police informants.
According to the Associated Press, a “Russian-speaking ransomware syndicate” called the Babuk group claimed responsibility for the cyberattack, threatening to release the stolen data to local criminal gangs unless Metro police paid an unspecified ransom.
The hackers posted screenshots on their website, suggesting the stolen data included intelligence reports, information on gang conflicts, jail census records, and other administrative files. The group said police had until April 28 to pay an unreported ransom or “we will start to contact gangs in order to drain the informants.”
Rather than follow through with their initial threat, on April 28 the Babuk group published the personnel files of five current and former officers, presumably after Metro police failed to meet the hackers’ demands.
The data breach is a devastating blow to Metro criminal intelligence. If the hackers do have information on informants, it places the lives of those who have shared information about illegal activity in America’s capital city in grave danger. Even if the Babuk group doesn’t publish identifying information, fear that the police cannot protect their sources will make it extremely difficult for them to make inroads with informants in the future.
Just how bad the fallout from the Metro Police cyberattack will be remains to be seen. Unfortunately, however, for nearly a decade U.S. police agencies, large and small, have continuously had their sensitive data stolen and held for ransom.
While the financial costs, inconveniences, and immediate concerns dominate headlines, silently lurking behind these cyberattacks is a massive national security risk, representing a considerable intelligence coup by foreign adversaries.
Cyberattacks on Police Have Been Going On For Nearly a Decade
Like hospitals, schools, and major corporations, police departments and city governments across the United States have, since 2011, become increasingly frequent targets for cybercriminals. The primary attack method has been relatively straightforward: unsophisticated spear-phishing campaigns that infect networks with ransomware.
Just how many police departments have fallen victim to ransomware attacks isn’t entirely clear. According to NBC News, in 2013, hackers successfully infiltrated and seized data in departments in at least seven different states. Five police and sheriff departments in Maine alone were locked out of their records management systems by hackers demanding payment.
In most instances, a police department suddenly finds itself locked out of the records management system that houses all of the agency’s data files, including personnel records, police reports, and investigative files. Hackers then tell the department they have a set amount of time to make a payment, or the cybercriminals will permanently delete all of the records.
Conventional police logic says never negotiate with extortionists; however, the hackers are often savvy enough to ask for reasonably small ransoms, typically only a few hundred dollars for a decryption key that allows an agency to unlock all of its files.
In 2014, after Chief Gary Bowen refused to give a dime to ransomers, the Collinsville Police Department in Alabama lost all of their records, including crime scene videos, criminal mugshots, and police reports. To avoid a similar fate, in 2015, Sheriff Todd Brackett reluctantly paid to have his department’s records freed after ransomware successfully infected Maine’s Lincoln County Sheriff’s Department. “We are cops,” Sheriff Brackett told NBC News. “We generally don’t pay ransoms.”
“Law enforcement agencies are targeted by cybercriminals for a number of reasons and the motivation behind the attacks often differ,” Senior Vice President at the Center for Internet Security, Josh Moulin, explained to The Debrief.
“Since many police departments and sheriff’s offices are part of a city or county network, sometimes they become opportunistic victims when the local government network is attacked. In other cases, law enforcement agencies are specifically targeted as part of ‘hacktivist’ activity, where an individual or organized criminal element uses a ransomware attack to make a political statement or cause disruption due to anti-law enforcement views. Law enforcement agencies also have a large amount of highly sensitive information including investigative and arrest records, personally identifiable information, crime scene images and videos, and other data that if breached, could lead to severe consequences for the agency and victims involved.”
Despite the sensitive information they maintain, computer technology and information security tend to be a low priority for most local and state law enforcement agencies.
After a ransomware attack in 2015, one unnamed police chief told NBC News his department’s computers were running MS-DOS, an IBM operating system from the 1980s, at the time. “It’s not unheard of to see a Windows XP or Vista still in action in a law enforcement environment,” Robert Siciliano, an online safety expert for Intel Security, told NBC.
A lack of modern computer systems and/or dedicated I.T. personnel is particularly prevalent in smaller police departments, whose annual budgets rarely stretch beyond more pressing needs, such as new vehicles and equipment. Yet, collectively, agencies with fewer than 25 sworn officers make up 75% of all police departments in the United States.
According to PurpleSec, in 2019, local and city governments were the most targeted industry by ransomware, constituting 15.4% of all reported cyberattacks in North America.
Police Departments Not Meeting the Threat of Cyberattacks
Rather than recognizing their vulnerability to cyberattacks, many local and state law enforcement agencies have seemingly ignored the issue, even as the attacks escalate.
In 2017, the Cockrell Hill Police Department in Texas lost 2 TB of records after refusing to pay the $4,000 bitcoin ransom. A letter sent to the Dallas County Prosecutor’s Office said, “all bodycam video, some photos, some in-car video, and some police department surveillance video,” going back to 2009, was lost entirely. “If requests are made for said material and it has been lost, there is no chance of recovery or producing the material,” reported Mother Jones.
At least some of the data lost by Cockrell Hill Police Department involved video evidence for criminal cases that had not been prosecuted in court yet.
When told video evidence against his client had been lost in the Cockrell PD hack, criminal defense lawyer Collin Beggs told Mother Jones, “You want me to go back to my guy and tell him to plead to 10 years in prison and tell his momma that? And the response to why we don’t have any more evidence is Russian hackers? I can’t do that.”
The recent Washington Metro P.D. hack appears to be a concerning first in the ongoing cyber-war against American law enforcement. Instead of seizing agency records and threatening permanent deletion, which up until now has been the norm, Metro Police hackers have engaged in a “double extortion,” threatening to publish sensitive information if their demands aren’t met.
The outcome of making all of Metro P.D.’s sensitive files publicly available goes well beyond embarrassment. The leak of investigative and intelligence records will almost assuredly place the lives of confidential informants in grave jeopardy and could end up compromising countless ongoing criminal investigations.
From a broader perspective, the D.C. Metro P.D. hack brings to the forefront one of the most disturbing but overlooked aspects of these ransomware attacks on American police agencies: threat actors, almost exclusively foreign, are gobbling up massive amounts of sensitive data on police departments and U.S. citizens.
More than a costly inconvenience, these increasing cyberattacks on American police departments represent a significant national security concern.
The Overlooked National Security Threat
On April 29, the Institute for Security + Technology’s Ransomware Task Force released its Combating Ransomware report. The task force, made up of cyber experts from government, academia, and the private tech sector, said cybercriminals launched nearly 2,400 ransomware attacks on U.S.-based governments, healthcare facilities, and schools in 2020. “Ransomware is a flourishing criminal industry that not only risks the personal and financial security of individuals but also threatens national security and human life,” the report said.
Like the Babuk group, which is believed to have carried out the cyberattack on the Washington Metro P.D., most ransomware hackers operate from Russia and other parts of Eastern Europe. Because they work out of countries that typically refuse to cooperate with Western authorities, on the rare occasions suspects are identified, virtually none are arrested or prosecuted.
Arguably more concerning, as the Security + Technology Ransomware Task Force notes in its report, there are strong relationships between cybercriminal organizations and foreign adversarial nation-states.
Nations like North Korea, Iran, and Russia have long found informal relationships with organized hackers to have reciprocal benefits.
As noted by the U.S. Department of the Treasury in 2020 and 2021, both North Korea and Russia use “malicious cyber operations,” including ransomware attacks, as a way to bolster their economies and evade economic sanctions. It’s unknown just how much has been paid out to cybercriminals; however, according to PurpleSec, the estimated total cost of ransomware attacks globally in 2020 topped $20 billion.
Concerningly, when it comes to cyberattacks on law enforcement agencies, troves of stolen records are almost assuredly being provided to foreign intelligence services by co-opted hacker groups.
In particular, the Russian intelligence services are well known for their voracious appetite for human intelligence. Even when ransoms are paid and agencies regain control of their records, it should be assumed that every police department that has suffered a ransomware attack has also had copies of its files provided to Russia’s intelligence services.
Contrary to the more conspicuous activities of the Kremlin’s military intelligence service, GRU, which often dominates headlines, Russia’s Federal Security Service, FSB, and Foreign Intelligence Service, SVR, tend to be methodical, strategic consumers of foreign information.
Both SVR and FSB maintain massive archives of intelligence on foreign nations and their citizens. The Russian spy agencies will sit on this information solely in the expectation that it could be valuable years, sometimes decades, down the road. Obtaining massive archives of American police and investigative records offers an unparalleled opportunity for these intelligence services to gain the upper hand in “grey zone” warfare.
After ten years of cyberattacks on law enforcement agencies, national security analysts should expect that agencies like SVR and FSB hold unimaginable hoards of information on American citizens at their best, worst, or most vulnerable, all initially captured in police reports and investigative files.
Unlike open-source information, such as thoughts and opinions shared on social media, police records can contain private or embarrassing details many people don’t want in the open. This can include records legally prohibited from public release, such as juvenile records or sexual assault reports.
From social engineering or “active measures” operations and the collection of “kompromat,” to identifying potential spy agents or agents of opportunity, to simply obtaining complete identifying information on American citizens down to their social security numbers and even fingerprints, there are myriad ways foreign intelligence services could exploit the information contained in police records.
The value of the information foreign intelligence services can gain from captured police records cannot be overstated. Threat actors can use this stockpile of sensitive information to single-handedly bolster four of the five primary domains of grey zone warfare: deniable attacks, information operations, use of proxy forces, and economic coercion.
Stunningly, because there exists no central database for local and state law enforcement records in the U.S., foreign nations such as Russia could potentially have access to a far more robust and cohesive system of American criminal intelligence than U.S. law enforcement has at its disposal.
“Prevention is Ideal, but Detection is a Must”
To truly appreciate the threat posed by cyberattacks on American law enforcement, departments and city governments must recognize that the risk extends far beyond financial losses or the deletion of records.
Police leadership, cybersecurity experts, and national security analysts need to recognize that sensitive information being seized in these attacks is also very likely being siphoned off by bad actors for use in foreign malign influence operations.
“There is no such thing as 100 percent safety from cybercrime,” notes Mark Gowen, the Information Systems Security Officer for the Department of Justice’s COPS Office. “You must always be on the lookout for threats. What’s most important is an up-to-date system and a culture of cybersecurity, ensuring that all your people are well aware of the threats and what they must do to protect themselves and the department.”
“The most effective way for an agency to prevent a ransomware attack is to implement a defense-in-depth approach to cybersecurity and create a cyber security-aware culture within the organization,” said Josh Moulin. “The reality is that nearly all ransomware attacks are carried out in the same manner as most other malicious activity: getting a user to click or open something malicious. Training users to identify suspicious activity and messages along with technological controls can be very effective against these attacks.”
“With nearly 11,000 SLTT members already, the MS-ISAC provides no-cost cybersecurity products and services to SLTTs through a cooperative agreement with the Cybersecurity Infrastructure Security Agency (CISA),” said Moulin.
“Two no-cost services immediately available for SLTTs that have proven to be extremely effective against ransomware include implementing the CIS Controls and Benchmarks to harden systems and reduce the attack surface, and implementing the Malicious Domain Blocking and Reporting (MDBR) service. MDBR blocks systems from communicating with known and suspected malicious domains, like ransomware domains. The MS-ISAC blocks tens of millions of malicious domain requests each month for our SLTT members.”
“Law enforcement agencies should look at cybersecurity like they do when dealing with criminal activity: prevention is ideal, but detection is a must,” Moulin explained. “Because an organization cannot protect what they don’t know about, law enforcement should take inventory of all systems, software, and data. Not all data is the same either, so agencies should understand what is sensitive and critical and protect that differently than non-sensitive data, determined by a risk-based analysis.”
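As an added illustration, not part of the article and not the MS-ISAC’s own MDBR code, the following Python script mimics the core of a protective-DNS filter of the kind Moulin describes: each queried name in a constructed resolver log is checked against a constructed blocklist (placeholder domains, not real indicators), subdomains of a listed domain are matched label-wise, and blocked requests are tallied per client so a department can see which machines tried to reach known-bad domains.

```python
import re
from collections import Counter

# Constructed blocklist of placeholder domains (not real indicators).
BLOCKED_DOMAINS = {"ransom-c2.example", "bad-update.example"}

# Constructed resolver log lines (timestamp, client IP, queried name); not from any real system.
SAMPLE_DNS_LOG = """\
2021-04-27T09:12:01 client=10.0.5.21 query=www.example.org
2021-04-27T09:12:03 client=10.0.5.21 query=cdn.bad-update.example
2021-04-27T09:12:04 client=10.0.5.33 query=ransom-c2.example
2021-04-27T09:12:09 client=10.0.5.33 query=mail.example.org
2021-04-27T09:12:11 client=10.0.5.21 query=ransom-c2.example.net
"""

LOG_RE = re.compile(r"^(\S+) client=(\S+) query=(\S+)$")


def is_blocked(name: str, blocklist=BLOCKED_DOMAINS) -> bool:
    """True if name equals a listed domain or is a subdomain of one.
    Suffixes are compared label by label, so 'ransom-c2.example.net'
    is NOT matched by 'ransom-c2.example' (a plain substring check would)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def filter_dns_log(log_text: str, blocklist=BLOCKED_DOMAINS):
    """Return (blocked events, blocked-query count per client).
    A protective-DNS service would refuse these queries; here they are
    recorded, which is the detection signal an analyst would review."""
    blocked, per_client = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing on them
        ts, client, qname = m.groups()
        if is_blocked(qname, blocklist):
            blocked.append((ts, client, qname))
            per_client[client] += 1
    return blocked, per_client


if __name__ == "__main__":
    events, counts = filter_dns_log(SAMPLE_DNS_LOG)
    for ts, client, qname in events:
        print(f"{ts} BLOCKED {client} -> {qname}")
    print("blocked queries per client:", dict(counts))
```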