Hijacked: Cyber attacks are costing Quad-City taxpayers
Local schools, cities and counties are being swindled, and the FBI says the problem is only getting worse.
DAVENPORT, Iowa (KWQC) - Quad-Cities schools, cities and counties have all recently fallen victim to cyberattacks – online ransoms and scams that have cost nearly $1 million in taxpayer money and jeopardized the personal information of thousands of Quad-Citians.
Rock Island County lost $115,000. LeClaire, more than $220,000. Moline paid about $420,000 to scammers. And Davenport public schools fell victim to an extortion scam that lost the personal information of 6,000 people.
And those are just the cases made public.
While large corporations have resources to protect against attacks, many local governments do not – leaving public money and data exposed to sophisticated cybercriminals.
Today, federal investigators say cyber criminals are savvier than ever, employing complex tactics aimed especially at soft targets like schools and local governments.
The Omaha field office of the FBI investigates cybercrimes in the Quad-Cities. Eugene Kowel is the special agent in charge.
“The cyber threat that we’re seeing today is more pervasive, it’s more dangerous, it targets a wider variety of victims than we’ve ever seen before. And that includes our schools, and it includes our municipal governments,” he said.
“Something that cybercriminals look at is, Where is there a wide attack surface and where are there multiple points of vulnerability? And often they find that with our city and town and state governments.”
The attacks in the Quad-Cities are part of a global cybercrime wave expected to cost a whopping $10 trillion by 2025, according to Cybersecurity Ventures, a research firm. For perspective, that’s “exponentially larger than the damage inflicted from natural disasters in a year, and will be more profitable than the global trade of all major illegal drugs combined.”
The criminal element
This latest generation of criminals is proving difficult to catch. They are often organized and state-sponsored, meaning they’re operating with the blessing of American adversaries.
“Many of these attacks do emanate from overseas,” Kowel said. “For the FBI, we focus on two main threats: the cyber criminal actors, an organized criminal element attacking businesses and communities in our country; and we also see nation-state adversaries, whether it’s China, Russia, Iran, North Korea.
“And sometimes we see a blend – criminal groups working on behalf of nation-states or supported by or condoned by nation-states.”
Regardless, they’re all after the same thing.
“These criminal groups will go after any victim they can where they think they have a high chance of making money,” Kowel said. “They’re going after the money.”
Data extortion has become so pervasive, there’s even a black marketplace for stolen information, where hacker groups sell and trade ransomed data.
“Now, we’re seeing the ability of criminals to rent ransomware as a service, to rent it from other criminals, and get instructions and even customer service from other criminal groups, to launch their own attacks,” Kowel said.
Cybersecurity industry leaders say the same. Sophos, a British-based security software firm, released the results of a global survey on cyberattacks in 2022 that said:
“Two-thirds of organizations were hit by ransomware in the last year, up from 37% in 2020. This is a 78% increase over the course of a year, demonstrating that adversaries have become considerably more capable at executing the most significant attacks at scale.”
The Davenport Community School District cyberattack was a case of extortion.
This fall, a criminal group called Karakurt stole the personal information of more than 6,000 people and held it for ransom.
In statements from a spokesperson and in letters to parents, the district first insisted it hadn’t been the victim of data theft – instead attributing computer network outages to a server issue – only to reveal later that the personal information of students and teachers had been stolen.
Karakurt posted its ransom note online:
“In this release we will show you 845 GB of their data which include a giant massive array of student’s personal information and much more others.”
The group was still threatening to release the district’s data as of November, but it isn’t clear if a ransom was ever paid. The district has declined reporters’ requests to comment, and the FBI does not discuss specific cases.
The Cybersecurity & Infrastructure Security Agency, or CISA, is a division of Homeland Security tasked with safeguarding American cyber targets. Its main mission is to analyze the latest threats and provide resources to thwart future attacks.
“We’re all about, as soon as it’s practical, finding out if there is an attack, what happened, what promulgated this attack, and how we take that information, analyze it and share it broadly to keep that from happening again,” said Phil Kirk, CISA’s regional director.
Cybercriminals are casting wide nets, and federal officials say nearly all types of cyber crimes are on the rise.
“It’s a little bit of everything, frankly,” Kirk said. “Right now we are seeing a lot of ransomware attacks and attempts. But certainly, phishing is one of the most simple things a cyber actor, a bad actor, a criminal can do.”
That was the case in Moline, where a phishing scheme netted some $420,000 from the city in 2020. Insurance covered all but $20,000.
Since then, the city has implemented systems to block malicious activity, said David Rowatt, the city’s IT director.
“We also are constantly monitoring our email security to make sure we are blocking as many spam and malicious emails as possible,” he said. “We know it is not possible to completely filter out all of those emails, so we routinely are training staff and sending out reminders of what to look for in phishing and malicious emails. Their tactics are always changing, so it is important to keep employees aware of what to look for.”
Those methods can help prevent future attacks. But what about when an attack happens?
Insurance is sometimes the safety net for cities and schools.
Many regional cities, like Moline, already have cyber insurance. The Clinton County Supervisors last week considered a proposal to buy a policy.
“We have penciled in funding for the annual premiums into our early draft of the Clinton County FY24 budget. We are still early in our budget process so it is far from finalized,” Supervisor Dan Srp said. “At this point, I can say that all three Clinton County Supervisors agreed there is enough merit to the request to make an effort to fund it.”
It’ll likely be expensive. Industry prices are soaring as cases increase and insurance companies have to pay out more claims.
“I can tell you this, the cost (for insurance) is going up because we continue to see claims filed,” said Alan Kemp, the executive director of the Iowa League of Municipalities.
To even gain basic coverage, municipalities are having to show insurers they’ve taken basic network protection steps, such as requiring two-factor authentication and making regular software updates.
“The insurers are saying, sure, we’ll insure you, but you have to take these (preventative) actions,” Kemp said. “That’s leading many communities in Iowa to step up their basic protocols.”
And that’s a good thing, experts say. The more cities and schools step up preventative measures, the less likely they are to fall victim to cyberattacks.
In the dark
Just how many Quad-Cities communities have been hit by cyberattacks?
Other than the ones made public – Moline, Davenport, Muscatine, LeClaire, Rock Island County, to name a few – it’s hard to say because local governments aren’t always under legal obligations to alert the public.
Most cybercrime goes unreported, according to the FBI.
That’s become an issue locally, where Iowa’s Freedom of Information Council has criticized governments for covering up cybercrimes. The group argues that governments must be transparent when they lose public funds or use tax dollars to pay insurance claims or ransoms.
“It is common sense that administrators would be expected to make public … basic information that the taxpaying public is interested in,” said Randy Evans, the council’s executive director. “That would include the amount of ransom that was sought or that was paid in response to an intrusion by cybercriminals, as well as an accounting of how much a school district or community college paid to clean up its computer networks after a cyberattack.”
Cities and schools often don’t buy that argument.
“It’s become an issue,” said Alan Kemp, the executive director of the Iowa League of Municipalities. “How much do you let the public know? What’s the balance of protecting against something that would cost them even more money?”
Some elected leaders worry about being revictimized if word gets out the locality is vulnerable.
“Unless it’s a really big issue, a lot of them don’t want to mention it because they don’t want to become targets,” Kemp said.
Outwitting the criminals
Often, it doesn’t become a big issue until it’s too late.
Federal officials say top municipal leaders have to do a better job making cyber security a priority.
“Change must come from the top down. Leaders must establish and reinforce a cybersecure culture. Information technology and cybersecurity personnel cannot bear the burden alone,” CISA reported last week.
“Cybersecurity risk management must be elevated as a top priority for administrators, superintendents, and other leaders at every K–12 institution,” according to the report, which gave special attention to schools. Nearly 30% of K–12 schools have reported being victims of cyber incidents.
Basic prevention steps are the best defense against cyber attacks, experts say.
CISA, the Homeland Security cyber agency, is a clearinghouse for training and preventative resources, free to any group that needs help. It encourages schools and local governments to work with the agency to develop cybersecurity plans and incident-response strategies.
“The key piece is training,” said Kirk, CISA’s regional director. “To give your team a basic understanding of and a basic knowledge of what ransomware is, and what malware is, what does it look like?”
Copyright 2023 KWQC. All rights reserved.