July 12, 2023 By Jonathan Reed 4 min read

So far this year, ransomware groups have attacked at least 34 local governments in the U.S. In nearly 60% of these incidents, data was stolen during the attack. One of the latest victims was Dallas, a city of almost 1.3 million people and the ninth-most populous city in the country. The ransomware attack against Dallas shut down multiple critical systems, including websites for the police department and city hall.

What can we learn from the Dallas cyberattack and similar incidents involving other cities? How can communities be better prepared against today’s cyber threats?

How did the Dallas ransomware attack happen?

On May 3, according to the City of Dallas website, security monitoring tools notified the city’s SOC that a ransomware attack had been launched within the city environment. The attack compromised city servers for key functional areas, including the Dallas Police Department, 311 Customer Service, Dallas City Courts, Dallas Water Utilities, Code Compliance Services, Dallas Animal Services, the City Secretary’s Office and Development Services.

Here is a printout of the ransomware note sent to the city by the cyber group Royal:

Despite the widespread impact, the city of Dallas stated that “key public safety functions continue as usual despite technical difficulties.” As they had prepared for and practiced in advance, Dallas 911 operators answered and dispatched calls utilizing backup procedures and the city’s public safety radio system.

On May 8, Dallas officials posted an extensive FAQ about the breach. One of the questions was about how the breach occurred. This was the official answer:

“The City cannot comment on specific details which risk impeding the investigation or exposing vulnerabilities that can be exploited by an attacker. The most common Ransomware attacks are initiated by exploiting vulnerabilities in software such as weak or default credentials and social engineering (e.g., phishing) which tricks users into divulging confidential or personal information that may be used for fraudulent purposes.”

How did Dallas recover from the ransomware attack?

Dallas received help from a third-party security vendor to block and quarantine city devices to prevent or contain the spread of the virus. Devices were also cleaned before being brought back into service. Meanwhile, the city restored departmental web pages with the use of backups.

We can look at other cities to understand further how ransomware attacks and subsequent recovery efforts unfold. For example, in 2019, New Orleans noticed unusual actions or access to privileged accounts before city services were shut down. Security teams worked to sanitize as much of the city’s data as they could. Fortunately, New Orleans had clean backups and rebuilt its environment on clean PCs. The attack ended up costing the city over $5 million.

By comparison, Baltimore’s budget office estimated a ransomware attack in 2019 cost the city at least $18.2 million. The costs included a combination of lost or delayed revenue and direct costs to restore systems. Neither New Orleans nor Baltimore paid any ransom.

Dallas officials did not confirm whether the city paid a ransom or not. However, they did acknowledge an alleged Royal group post threatening to release city data. The city’s last comment on the matter stated there was no evidence or indication of a data leak.

The smart city double edge

Smart cities promise to create safer, more efficient and more resilient communities through technological innovation and data-driven decision-making. But the trade-off is a higher potential risk. New vulnerabilities, if exploited, could impact national security, economic security, public health and safety and critical infrastructure operations. For these reasons, in April, CISA published its Cybersecurity Best Practices for Smart Cities report.

According to the report, operational technology (OT) systems face increasing threats across the globe, and OT systems and smart city infrastructure are intimately intertwined. This expands the attack surface and increases the potential impact of compromise.

The CISA report goes on to warn that:

“Successful cyberattacks against smart cities could lead to disruption of infrastructure services, significant financial losses, exposure of citizens’ private data, erosion of citizens’ trust in the smart systems themselves and physical impacts to infrastructure that could cause physical harm or loss of life. Communities implementing smart city technologies should account for these associated risks as part of their overall risk management approach.”

How cities can prevent cyberattacks

CISA strongly recommends well-developed strategic foresight and proactive risk management when integrating new smart city technologies. Looking forward, city decision-makers should confirm that newly connected infrastructure features are secure by design. Looking back, communities should pay close attention to any legacy infrastructure that may require redesign to securely deploy smart city systems.

The CISA report recommends the following solutions for secure smart city development:

  • Principle of least privilege: As defined by NIST, the principle of least privilege is “the principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.” Privileges must be updated immediately whenever administrative roles change or new users are added. A tiered model of administrative access based on job requirements is also essential.
  • Multifactor authentication (MFA): City IT leaders should explicitly require MFA for all privileged actions and any sensitive data access. CISA states that Russian state-sponsored APT actors have recently demonstrated the ability to exploit default MFA protocols. This means organizations should review configuration policies to protect against “fail open” and re-enrollment scenarios. Fail open refers to when MFA fails to operate as intended and defaults to granting access rather than denying it. Re-enrollment scenarios occur when a user is allowed to re-enroll or reset their MFA settings after initial enrollment, which can introduce a security risk if not properly managed.
  • Zero Trust Architecture: As per CISA, zero trust requires authentication and authorization for each new connection with a layered, defense-in-depth approach to security. Zero trust also allows for greater visibility into network activity, analytic trend identification, automated issue resolution and more efficient network security governance.
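
The "fail open" and re-enrollment settings described in the MFA item above, shown as an added example that is not part of the original article or the CISA report. The policy functions, the `Mfa` states and the sample events are hypothetical and constructed for illustration; they do not model any particular MFA product.

```python
from enum import Enum

class Mfa(Enum):
    APPROVED = "approved"
    DENIED = "denied"
    UNAVAILABLE = "unavailable"  # provider timed out or could not be reached

def grant_fail_open(password_ok: bool, mfa: Mfa) -> bool:
    """Weak setting: an MFA outage is treated as if the user had approved."""
    return password_ok and mfa in (Mfa.APPROVED, Mfa.UNAVAILABLE)

def grant_fail_closed(password_ok: bool, mfa: Mfa) -> bool:
    """Hardened setting: only an explicit approval grants access."""
    return password_ok and mfa is Mfa.APPROVED

def may_reenroll(password_ok: bool, existing_factor_ok: bool,
                 identity_verified_out_of_band: bool) -> bool:
    """Hardened setting: a password alone never registers a new MFA device."""
    return password_ok and (existing_factor_ok or identity_verified_out_of_band)

# Constructed sample events (not real logs): (user, event, password_ok, detail)
EVENTS = [
    ("alice", "login", True, Mfa.APPROVED),
    ("bob", "login", True, Mfa.UNAVAILABLE),
    ("carol", "login", True, Mfa.DENIED),
    ("dave", "reenroll", True, {"existing_factor_ok": False, "oob": False}),
    ("erin", "reenroll", True, {"existing_factor_ok": True, "oob": False}),
]

def policy_gaps(events):
    """Return the events the weak settings allow but the hardened ones refuse;
    these are the cases a configuration review should look for."""
    gaps = []
    for user, kind, password_ok, detail in events:
        if kind == "login":
            weak = grant_fail_open(password_ok, detail)
            strong = grant_fail_closed(password_ok, detail)
        else:
            weak = password_ok  # weak setting: password alone re-enrolls
            strong = may_reenroll(password_ok, detail["existing_factor_ok"],
                                  detail["oob"])
        if weak and not strong:
            gaps.append((user, kind))
    return gaps

if __name__ == "__main__":
    for user, kind in policy_gaps(EVENTS):
        print(f"{kind} for {user}: allowed by weak policy, refused when hardened")
```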

Get smart with city cybersecurity

The Dallas breach wasn’t the first city cyberattack, and it won’t be the last. However, by implementing best practices, city leaders can thwart most intruders and minimize the damage in the event of a breach.
