Emails show Atlanta received multiple alerts about cyber threats

A series of leaked emails dating back to June appear to suggest that software from an outside vendor might have been the source of infection for a ransomware cyber attack last week that has hobbled much of the City of Atlanta's computer network.

But a security expert who reviewed the correspondence on behalf of The Atlanta Journal-Constitution and Channel 2 Action News said on Thursday that the records actually reveal that the city didn’t do enough to address multiple warnings that its network lacked sufficient security.

“There’s definitely some negligence,” said Tony UcedaVelez, CEO of Versprite, an Atlanta based security services firm assisting corporations with cyber security. “It could be that this [the emails] is an incomplete story. But for the most part, it tells me they didn’t do enough triaging of the security threat that was found a long, long, long time ago.”

Employees at Atlanta City Hall were handed instructions as they come through the front doors to not turn on computers or log on to their workstations on Friday March 23, 2018. JOHN SPINK/JSPINK@AJC.COM

icon to expand image

The FBI, Department of Homeland Security and the Secret Service are assisting Atlanta in an ongoing investigation into a cyber attack via ransomware — which is malware that locks the victim’s computer by encryption until a ransom is paid.

The city has yet to say if it will pay the $51,000 that hackers have demanded in this case in the form of bitcoins, a virtual currency that conceals the recipient’s identity.

MORE: Atlanta court dates to be rescheduled in wake of computer hack

On Tuesday, city employees were told they could turn on their computers after having them shut down for the previous five days to prevent the ransomware from spreading. Some computers operated as if they hadn't been infected. Others contained locked files.

The city has released little information in the aftermath of the attack. In response to questions about the emails on Thursday, a city spokesperson repeated the same statement she issued a day earlier.

“Cyber security is an issue that affects many governments and leading organizations across the world,” said Anne Torres. “As challenges around cyber security continue to evolve, we must invest in our infrastructure and remain vigilant in ensuring our security measures continue to match the threats facing us.”

The emails detail discussions between employees in the Department of Atlanta Information Management, city council staff and city clerk’s office over an eight-month period about an encoder from Accela, an Atlanta firm. The encoder helps stream video of city council meetings across multiple devices.

Kim Nelson (left) with the city of Atlanta AIM (IT dept) (left) receives a flyer instructing employees not to turn on computer or logon from Atlanta police officer K. Wilkins (right) at the front doors of Atlanta City Hall.

icon to expand image

The city received its first alert that the computer housing the encoder was infected with ransomware called “Wcry” on June 15.

“Please allow AIM (Atlanta Information Management) to come up and run a scan on the PC, or they will have to disable the port so as the viruses will spread to the network,” wrote an information technology manager for the City Council the next day.

On July 17, in response to an apparent second alert about “Wcry” ransomware on the computer, the city’s director of enterprise application contacted information technology about disabling the port of the computer with the encoder.

“It appears to have been hacked,” wrote another city employee.

Two months later, an employee in the Atlanta City Clerk’s office wrote an email to Accela’s support department about another attack with the subject: “Urgent Cyber Security Incident.”

“The encoder is creating a security attack on our network,” the employee wrote. “I’m also placing a call to your support to look at this issue.”

But UcedaVelez said the most probable scenario is that the city’s network infected the encoder.

“They are putting the problem on the vendor,” UcedaVelez said. “And they are associating the malware found on the system. It’s highly unlikely … that Accela was the conduit to get this ransomware on the city’s system. It’s more likely the ransomeware got there because of poor network security, which is again square on the shoulders of the city of Atlanta.”

READ | City employees allowed to use computers after Atlanta hack

READ | Atlanta city computer network remains hobbled by cyberattack

On Feb. 10, roughly one month before last week’s ransomware attack, an outside cyber security specialist warned that a computer port operating an Accela device posed a “high risk.”

A security firm had observed outbound communications between the computer and a “blacklisted” IP address, such addresses are known to collect data about ransomware victims in advance of an attack.

“These connections could represent Command and Control traffic, attempts to propagate or a malware call back as a result of an infection,” wrote Jerrid Byrd, of the San Diego-based Security On-Demand.

Atlanta City employees have been told they can now turn on their computers, although some may be damaged. JOHN SPINK/JSPINK@AJC.COM

icon to expand image

That was an indication, UcedaVelez said, that the cyber criminals were poised to attack and already in the city’s computer network, acquiring knowledge about its inner-workings.

“The best way to monetize an attack, if you’re a cyber criminal, is to stay as long as you can on a network,” UcedaVelez said. “That way you can milk it for all it’s worth. And you can find the right time to gather enough recon, not be disruptive, sit in the corner there and collect information so that you can basically orchestrate” the attack.