This Monday, the City of Santa Fe lost $324,000 to a cybersecurity breach when attempting to electronically pay GM Emulsion—one of the city’s construction contractors—for their recent work on the Santa Fe Regional Airport.
According to City Manager Mark Scott, the city has now determined how the hacker breached their security, but he says he will not share the details because he first wants to “make sure that we have secured everything so that it can't happen again.”
“We're taking steps to secure the process so that it can't repeat itself. But I don't want to tell what we're doing, because I might be giving somebody an answer as to how to do it,” Scott explains.
Scott also confirmed that the city has adequate funds within its cash flow to ensure GM Emulsion receives its payment. He also added that no one’s personal information was exposed during this security breach, as nothing penetrated “any part of our systems that hold that kind of information.”
“At this point, there's no guarantee we do, but we're hoping we get the money back,” Scott says. “If this were to turn out to be some sophisticated ring, [where] the minute they got the money, they took off with it—that would be a problem. But we don't know the circumstances. The investigators are all working on it.”
Santa Fe Police Department Chief Paul Joye confirmed to SFR that SFPD is investigating the case, and that the incident has also been reported to the FBI and the Office of the State Auditor.
Augustine Ortiz, a senior cybersecurity researcher with Attack Research, tells SFR that if the hackers have “done any due diligence,” they have likely routed the funds through multiple networks and used VPNs, making tracing difficult for law enforcement.
“For this particular case, they routed it to a real bank account number, from what I've gathered … when you think about a lot of hackers, most of them use Bitcoin or some type of cryptocurrency, because that's nearly impossible to get back,” Ortiz says. “As far as using real bank accounts, they can either pull the money out pretty quickly, they might have somebody else for ransom to pull the money out and send it over cryptocurrency to them, they might just have a scapegoat who goes in and does it—or someone's brave enough to do it and skip the country really quickly.”
Ortiz tells SFR that probes for attacks like these are not only common but also largely automated, as attacks on public institutions “tend to be more successful” on the hackers’ end.
“They're chasing the money,” Ortiz explains. “With public institutions, it's a lot of money, maybe not a lot of oversight or there's a lot of speedy subcontractors involved, or there's a lot of moving pieces involved, like universities, things like that where there's multiple departments … they tend to be softer targets.”
Attack Research, the cybersecurity consulting firm in White Rock that Ortiz works for, specializes in identifying weak points in an organization’s cybersecurity, primarily through “red teaming,” or simulations of these online attacks where the team determines what kind of damage can currently be done to the organization that hired them.
Ortiz says the team he works with has been hired to simulate attacks for public K-12 schools, universities, the federal government and several private institutions ranging from credit unions to airlines and Fortune 500 companies.
“Typically, we're pretty successful in taking over the whole network, or, at minimum, stealing user data or being in a position to maybe present a ransom,” Ortiz says, although he also notes that the majority of organizations nowadays are much more secure than in the 1990s or early 2000s, when hackers could “nearly walk right through the door.”
Scott notes that on the city’s end, where his office, the Finance Department and the IT Department are working on solutions to the security breach, cybersecurity work is a “nonstop process.”
“Unfortunately, the people who do these kinds of things get more and more sophisticated, and when you put processes and security software in place to prevent it, they then come up with another way around it,” Scott says.
Scott continued, “I want people to know that we're very concerned about making sure that we take care of their money, and we are going to try to close any loopholes that we had.”