Dark web expert warned US city of major hack. City sues

Ransomware has long been an issue for American municipalities. What appeared to be another typical ransomware attack hit the city of Columbus, Ohio, last July. However, the city's response to the hack was different, and cybersecurity and legal experts across the country are questioning the motives behind the attack.

Connor Goodwolf (real name David Leroy Ross) is an IT consultant who researches the dark web as a part of his work. “I track dark web-type crimes, criminal organizations, and things like what the CEO of Telegram was arrested for,” Goodwolf said.

When news broke that his hometown of Columbus had been hacked, Goodwolf did what he always does: he scoured the internet. It didn't take long for him to find out what the hackers had in their hands.

“It was not the largest, but one of the most serious data thefts I have ever experienced,” said Goodwolf.

In some ways, he described it as a routine break-in that exposed personally identifiable information, protected health information, social security numbers and driver's license photos. But because multiple databases were hacked, the attack was more comprehensive than others. Goodwolf said the hackers had hacked several city, police and prosecutor databases. There were arrest records and confidential details about minors and victims of domestic violence. Some of the hacked databases, he says, went back to 1999.

Goodwolf found over three terabytes of data that took over eight hours to download.

“The first thing I see is the prosecutor's database, and I think, 'Holy crap,' these are victims of domestic violence. When it comes to victims of domestic violence, they are the ones we need to protect the most because they have been victimized before and now they are being victimized again by having their information exposed,” he said.

Goodwolf's first move was to contact the city and inform it of the severity of the breach, as what he saw contradicted official statements. At a press conference on August 13, Columbus Mayor Andrew Ginther said, “The personal information that the threat actor posted on the dark web was either encrypted or corrupted, rendering the majority of the data that came from the threat actor unusable.”

But what Goodwolf found didn’t support that view. “I tried several times to contact the city and several departments and was turned away,” he said.

Mandiant, a Google-owned company, and many other top cybersecurity companies are observing a continued rise in ransomware attacks, both in frequency and severity, as well as the rise of the Rhysida Group, the group behind the Columbus hack, which gained prominence in the last 12 months.

The Rhysida Group claimed responsibility for the hack. Although not much is known about the cyber gang, Goodwolf and other security experts say it appears to be state-sponsored and based in Eastern Europe, possibly linked to Russia. According to Goodwolf, these ransomware gangs are “professional companies” with staff, paid vacation, and PR people.

“Since last fall, they have increased the number of their attacks and targets,” he said.

The U.S. government's Cybersecurity and Infrastructure Security Agency published a bulletin about Rhysida last November.

Goodwolf said that since nobody from the city responded to him, he reached out to local media and provided data to reporters to make the severity of the breach known. And then he heard from the city of Columbus, in the form of a lawsuit and a restraining order stopping him from disseminating any more information.

The city defended its response in a statement to CNBC:

“The city originally sought this injunction to prevent the dissemination of sensitive and confidential information that could potentially endanger public safety and criminal investigations, including potentially the identities of undercover agents.”

The city's temporary restraining order against Goodwolf, which was limited to 14 days, has since expired. The city now has a short-lived restraining order and an agreement with Goodwolf not to release any more data.

“It should be noted that the court order does not prohibit the defendant from discussing the data theft or even describing what type of data was exposed,” the city's statement continued. “It simply prohibits the individual from distributing the stolen data on the dark web. The city remains in contact with federal authorities and cybersecurity experts to respond to this cyberattack.”

Meanwhile, the mayor was forced to issue a mea culpa at a subsequent press conference, saying his original statements were based on the data available to him at the time. “It was the best information we had at the time. We obviously found that it was inaccurate information and I have to take responsibility for that.”

Recognizing that residents were at greater risk than initially thought, the city is offering free credit monitoring through Experian for 2 years to anyone who has had contact with the city of Columbus through an arrest or other business-related matter. Columbus is also working with Legal Aid to find out what additional protections are needed for victims of domestic violence who may have been compromised or need assistance with civil protection orders.

To date, the city has not paid the hackers a $2 million ransom.

“He is not Edward Snowden”

Those who study and work in cybersecurity law expressed surprise that Columbus filed a civil lawsuit against the researcher.

“Lawsuits against data security researchers are rare,” says Raymond Ku, a professor of law at Case Western Reserve University. In the rare cases where they do occur, it is likely to be when the researcher is alleged to have disclosed how a bug was or could be exploited, which might then enable others to take advantage of the bug.

“He was not Edward Snowden,” said Kyle Hanslovan, CEO of cybersecurity firm Huntress, who described himself as concerned about the city of Columbus' response and its potential implications for future data breaches. Snowden was a government contract worker who had leaked classified information and was under criminal investigation but considered himself a whistleblower. Goodwolf, Hanslovan says, was a Samaritan who independently found the stolen data.

“In this case, it seems like we have silenced someone who, to my mind, appears to be a security researcher who has done the bare minimum and confirmed that the official statements were not true. This cannot possibly be an appropriate use of the courts,” Hanslovan said, predicting that the case could be quickly overturned.

Columbus City Attorney Zach Klein said during a press conference in September that the case “is not about freedom of speech or whistleblowing. This is about downloading and disclosing stolen criminal investigation documents.”

Hanslovan worries about the ripple effect when cybersecurity consultants and researchers are afraid to do their work for fear of lawsuits. “The bigger story here is that we're seeing the emergence of a new script for responding to hacking attacks, where individuals are silenced, and that should not be welcomed,” he said. “Silencing any opinion, even for 14 days, could be enough to prevent anything credible from coming to light, and that scares me,” Hanslovan said. “That voice needs to be heard. As we get closer to major cybersecurity incidents, I worry that people will be more interested in bringing it to light.”

Scott Dylan, founder of British venture capital firm NexaTech Ventures, also believes that the city of Columbus's actions could have a chilling effect on the cybersecurity sector.

“As the field of cyber law continues to evolve, this case will likely be mentioned in future discussions about the role of researchers after data breaches,” Dylan said.

He believes that the legal framework must evolve to keep pace with the complexity of cyberattacks and the moral dilemmas they raise, and that Columbus' approach is a mistake.

In the meantime, the legal battle for Goodwolf will continue to drag on. Although Columbus and Goodwolf reached an agreement last week on the release of information, the city is still suing him in a civil suit seeking damages that could amount to $25,000 or more. Goodwolf is representing himself in his talks with the city, but says he has an attorney available if needed.

Some residents have filed a class-action lawsuit against the city. Goodwolf says 55% of the stolen information was sold on the dark web, while 45% is accessible to anyone with the skills.

Dylan believes that even if its actions may be legally defensible, the city is taking an enormous risk by appearing to try to silence discourse rather than encourage transparency. “That's a strategy that could backfire both in terms of public trust and future litigation,” he said.

“I hope the city recognizes the mistake of filing a civil suit and the consequences that impact more than just security,” Goodwolf said, noting that Intel is spending billions to build chip manufacturing facilities in suburban Columbus with significant federal support. In recent years, the city has positioned itself as a new tech hub in the Midwest's “Silicon Heartland,” and attacks on white hats and cybersecurity researchers, he said, could cause some in the tech sector to reconsider the city as a location.
