Black-Friday Black-Mail: Cyberattack on SF’s MUNI Exposes Security Weaknesses in the Nation’s Critical Infrastructure

“You Hacked. ALL data encrypted.”

That was the digital message San Francisco residents received on terminals as they tried to pay for rides on the MUNI train system on Black Friday. Computers, email and payroll systems all were held hostage by a ransom attack.

Along with committing the offense of bad grammar, the hacker had “infiltrated the computer system, threatening to release 30 GB of stolen data from San Francisco’s Municipal Railway System unless paid 100 bitcoins (about $73k),” according to BisNow.com.

MUNI opened the gates and ran the trains, then launched an investigation to track down the hacker. It didn’t take long, because the offender wasn’t very bright. (More on that in a minute.)

However, the MUNI hacker was smart enough to know this much: the transportation system is old and exposed. Curiously, he sent a grammatically challenged email to WIRED magazine, declaring in part:

“It’s Show to You and Proof of Concept , Company don’t pay Attention to Your Safety ! They give Your Money and everyday Rich more ! But they don’t Pay for IT Security and using very old system’s !”

On that point, even the American Public Transit Association (APTA) agrees. In a 2014 report titled Cybersecurity Considerations for Public Transit, the association stated that the MUNI system is highly vulnerable to cyberattacks:

“SCADA (supervisory control and data acquisition) security controls are archaic, simple and poorly designed. Furthermore, methods to exploit security vulnerabilities and gaps of specific SCADA systems are documented online by many underground hacking organizations or individuals.”

In a recent interview, Bayshore’s Chief Scientist, Francis Cianfrocca, told TAG Cyber’s Ed Amoroso, “I am certainly worried about these types of large-scale cyberattack scenarios, especially to critical infrastructure components, including power, telecommunications, manufacturing, and transportation.”

And make no mistake, these types of attacks are not merely economic blackmail. In his now-famous Open Letter to the President-Elect on Cyber Security, Amoroso put it more emphatically: “I believe that recent advances in offensive capability make it inevitable that significant, large-scale cyber-attacks will be launched against our critical infrastructure during your time in office. These attacks will shift from the theft of intellectual property to destructive attacks aimed at disrupting our ability to live as free American citizens.”

According to APTA, “Cyberattacks can destroy a transit agency’s physical systems, render them inoperable, hand over control of those systems to an outside entity or jeopardize the privacy of employee or customer data.” The agency added: “Cyberthreats and vulnerabilities of critical components of the transportation information ecosystem not only put the transit agency and the lives of passengers at risk but may also put the agency in noncompliance with many legal requirements.”

MUNI got lucky this time. According to spokesperson Paul Rose, “no data was accessed from any of our servers. The malware used encrypted some systems mainly affecting computer workstations, as well as access to various systems. However, the SFMTA network was not breached from the outside, nor did hackers gain entry through our firewalls. Our customer payment systems were not hacked.”

But what if the attacker hadn’t been so feckless? What if someone smarter and with worse intent had hacked into MUNI or any city’s mass transit system? Clearly, an attack could have been far more dangerous, even life-threatening—and many more systems are vulnerable.

“MUNI is far from the only system vulnerable to cyberattacks,” reported BisNow.com. “Many cities have aging, underfunded digital infrastructures that are just enough to keep trains running ... a far cry from the high-level info security needed to prevent this kind of interference.”

APTA laid out a detailed course-correction strategy for cities’ mass transit systems, recommending that they:

  • Design hardware with multi-tiered network security systems, including firewalls, email scanning and software updates
  • Make a greater effort to keep facilities physically and digitally secure
  • Train all employees to spot and respond to cyberattacks

Bayshore Networks was founded on the vision of protecting critical infrastructure from just these types of attacks. In his discussion with Amoroso, Protecting Industrial Control Systems from Cyber Attack, Cianfrocca went on to say, “Our approach at Bayshore Networks has been to focus on the underlying communication protocols that connect devices to the monitoring and control functions usually operated from a management center. The good news is that this approach allows us to fine-tune the policy controls required to prevent malware from causing serious consequences.”

While this hacker helped expose a real threat for today’s modern transit agencies, he also exposed his own ignorance—and received his comeuppance in the form of a hack to his system. CyberScoop reported that a security researcher traced the attacker, going by the name Andy Saolis, to a computer in Iran and doxxed him.

“A report by Brian Krebs, the Washington Post journalist turned cybersecurity blogger, says an unnamed security researcher claims to have doxxed Saolis. The hacker compromised Saolis’ apparent email, leading ultimately to the discovery of an attack-staging server equipped with different hacking tools.”

Looks like we avoided tragedy this time, but add SF Muni to the growing cacophony of wake-up calls. It’s time to stop talking about securing the nation’s critical infrastructure and start doing it.