The San Francisco Municipal Transportation Authority, or SF MTA, was hacked on Friday.
"You Hacked, All Data Encrypted," was the message reportedly displayed on computer screens at the authority's stations throughout the city. "Contact for Key (email@example.com)ID:681 , Enter."
Fare payment machines at underground stations were out of order, resulting in free rides on the subway and light rail system known locally as "SF Muni."
Some SF MTA employees' email systems did not work, The San Francisco Examiner reported.
The MTA locked its subway fare gates in an open position to enable free riding, according to the paper.
The agency was hit by a ransomware attack that disrupted some of its internal computer systems, including email, according to spokesperson Kristen Holland.
The attack didn't affect transit service or buses, she noted. Neither customer privacy nor transaction information was compromised, and the situation was contained.
All About the Dough
A person at the email address provided by the hacker, who identified himself as "Andy Saolis" to the Examiner, demanded 100 bitcoins -- equal to about US$73,000 -- to release data captured from the MTA.
The MTA payment system was inaccessible over the weekend, according to the Examiner, and employees were concerned that the personal data of the agency's nearly 6,000 employees was at risk.
Saolis indicated the attack was "for money, nothing else."
"Andy Saolis" is the name used by the attacker who launched a full disk encryption ransomware package that Morphus Labs discovered earlier this year and dubbed "Mamba."
The MTA's network was penetrated after an employee downloaded a torrented computer file that contained a software key code generator, Saolis reportedly said. That automatically launched an admin-level infection.
The SFMTA network was very open, he maintained.
Saolis threatened to close the email Monday if he hadn't heard from the MTA, which would lock the agency's infected computers out of its network permanently.
"It looks like the Muni scheduling and billing systems are running on the same machines as the employees' email systems," said Michael Jude, a program manager at Stratecast/Frost & Sullivan.
"This implies that the Muni operations are exposed to external attack," he told the E-Commerce Times.
Muni "should have critical operations and management systems running in a secured environment, ideally one not exposed to outside access," Jude suggested.
The Very Real Public Threat
Penetrations of this sort "can easily escalate to life-threatening events," Jude warned. "Simply messing with route scheduling could lead to confusion or, possibly, collisions."
Mass transit and passenger rail systems, including buses, light rail and subways, are one of the seven key subsections in the United States Transportation Systems Sector.
The U.S. Department of Homeland Security, which oversees the sector jointly with the U.S. Department of Transportation, has issued cybersecurity framework implementation guidance and a companion workbook for owners and operators in the sector to help reduce cyber risks.
Keeping Transit Systems Safe
"The threat environment warrants evaluating security controls for any organization that relies on computer systems for providing a service or running a business," said Tim Erlin, senior director of IT and security at Tripwire.
Ensuring adequate network separation "is a good first step," he told the E-Commerce Times. "Other basic best practices include monitoring for and patching vulnerabilities, validating secure configurations are in place, and watching system logs for indications of malicious activity."