May 14, 2023
The story of the April 24 cyberattack on the city of Lowell took an interesting twist on Friday when the Lowell Sun reported that the group that claims to have mounted the attack posted a batch of data stolen from Lowell’s computers onto the “dark web,” a part of the internet that is intentionally hidden and inaccessible through standard web browsers. It operates anonymously and is used for illegal activities like selling drugs, weapons, and stolen data. It also provides a platform for criminal services, hacking tools, and anonymous communication, often requiring special software to access.
In “Ransomware group releases 5GB of data” the Sun reported that the cybercriminal group which goes by the name Play is threatening to upload more city data to the dark web unless their terms are met. A cybersecurity expert interviewed by the Sun speculated that the “terms” were likely the payment of ransom.
Ransomware is a type of malicious software that encrypts files on a victim's computer or network, making them inaccessible. The attacker then demands a ransom payment, usually in cryptocurrency, in exchange for providing the decryption key. Ransomware attacks can cause significant disruption and financial loss for individuals and organizations.
One way to protect against ransomware is to have good backups of data so even if the ransomware hits and deprives you of access to your data, you can wipe your computers clean, install stronger security measures, and then restore your data from the backup and resume operations. While this is better than being deprived of your data entirely, it also can mean that the criminals have a copy of your data. Regarding the Lowell incident, I’ve seen no reporting that specifies what data was taken, or even that the claims of having taken it are true, but it potentially could include sensitive payroll information like employee names, dates of birth, social security numbers, and bank account numbers.
At last Tuesday’s City Council meeting, Miran Fernandez, Lowell’s MIS director, answered questions and shared some info about the April 24 cyberattack. He was careful with his answers so there’s likely more to the story than has been stated publicly, especially considering the Sun’s recent reporting, but here are some observations based on what’s been reported in the Sun and what Fernandez said at the meeting:
As soon as the intrusion was detected early on the morning of April 24, the city shut down all computer systems to halt the spread of the damage. The city immediately notified federal and state law enforcement which commenced an investigation. This analysis took the rest of that week. Finally on Friday, investigators allowed the city IT department to begin remediation efforts.
Once a cyberattack occurs on a network, every device on that network is a potential carrier of the infection which can lie dormant until the cyber criminals activate it after everyone relaxes their guard. Consequently, every device (mostly computer workstations) must be “wiped clean” which I believe means reformatted. Reformatting a computer wipes out everything stored on it. That takes care of the hidden cyberattack file, but it also destroys all the good stuff stored on the computer. The computer then must be rebuilt by reloading software and formatting everything so it can perform necessary tasks.
For many computers sitting in people’s homes, reformatting the computer can be disastrous since anything stored on the computer that is not backed up elsewhere is lost. But for a networked computer, like all of those used by the city, reformatting should not be a major problem since all work files like Word documents and Excel spreadsheets are supposed to be stored on a shared network drive. Once a clean computer is hooked up to the network, all those files would be fully accessible.
Mr. Fernandez explained that files stored on the city’s network drives are still intact and accessible. However, if an employee was not storing files on the shared network drive but did it locally on their own desktop workstation, those files would be lost when the workstation was wiped clean. So, if any data were lost in that way, it should not have been, since employees are supposed to store their work on the network drive.
Mr. Fernandez further explained that once the cyber investigators released the city from the investigatory pause, the priority was to process the city’s payroll so that employees would be paid on time. The city pays employees every two weeks and fortunately, the cyberattack occurred during a non-payment week so with some scrambling and a lot of overtime, the payroll was done on time.
The next step was to restore all normal functions. Mr. Fernandez explained that as of Tuesday night, everything was in operation although in many cases in a slower, less automated way. He used as an example the city assessor’s GIS (geographic information system) site which is heavily used by everyone in the real estate field. Fernandez explained that if someone needs assessing information, they can call the assessor’s office by phone and the assessors can look up the needed information manually. Obviously, this would be slower and more burdensome than the automated system we’ve become dependent upon, but it seems sufficient to get the job done albeit a bit slower.
But even if all data can be restored with backup drives, there is still the question of whether a copy of that data was taken by the cybercriminals. If that’s the case, as the Sun has reported, it could lead to all kinds of collateral problems for city employees, vendors, and others. I’ve not heard anyone from City Hall address that issue.
From a technical perspective, it seems the city withstood this cyberattack pretty well. Cybercrime is so prolific that entities like the city are always targets and it’s almost inevitable that an attack will ultimately get through. The measurement should be how an entity like the city responds to such an attack, not whether an attack occurred in the first place. However, Mr. Fernandez added that the city is implementing several cybersecurity measures, long desired but not a priority until now, that will further enhance the city’s cybersecurity.
I do think that the city has had a messaging problem. Other than some brief notices on the city’s website, I didn’t catch any official pronouncements of any substance about this attack until Mr. Fernandez spoke to Councilors last night, which was two weeks after the attack occurred. Even after that, the extent of the damage is still unclear, especially regarding the theft of sensitive information.
Last Sunday, the Lowell Sun’s political column took the city to task for this messaging void. In “Public information another victim of city’s cyberattack”, the Sun wrote:
The extent of the now almost two-week old hack is still not known, as the city apparently is still scrambling to understand the breadth of the initial damage, much less manage and strategize next threats or steps. Reportedly, every single workstation in the city’s sprawling network is being wiped clean and rebooted. . .
Meanwhile, the City Council appears to be conducting business as usual, with councilors submitting 22 motions for Tuesday’s agenda, despite departments still struggling to deal with the fallout of the cyberattack. Only one motion deals with the hack. It says a lot when councilors have to petition the city for information.
Ouch!
****
A motion jointly filed by Councilors Dan Rourke, Corey Robinson, Kim Scott, and Paul Yem to “declare homelessness a public health crisis” generated a lot of discussion with remarks made by Lowell Community Health Center CEO Susan Levine; by Community Teamwork CEO Karen Frederick; by Greater Lowell Community Foundation president and CEO Jay Linnehan; and by others.
Ostensibly, the purpose of the motion was to open more avenues for assistance to the city in how it deals with unhoused people, but it also echoed the Council’s controversial handling of the “racism is a public health crisis” from a few years ago.
Councilors sound understandably frustrated, almost desperate, about this very complicated issue that defies an easy response. Karen Frederick said that in all the time that she’s been involved in CTI, which she described as “a very long time,” she’s never seen homelessness at the scale she does now.
One interesting revelation came from City Manager Tom Golden who said the city has been exploring the use of the vacant Superior Court building at 360 Gorham Street as a site to consolidate the city’s multifaceted response to homelessness. That building has been empty since March 2020 when its occupants all moved to the new Lowell Justice Center, and no one is beating down the door with a development proposal for it.
Having worked in the Superior Courthouse for 25 years, I got to know the building well. It’s spacious and has plenty of outside open space, but everyone I’ve ever spoken with who knows something about the redevelopment of older buildings has told me that it would not be feasible for a private developer to remake the building due to the cost. Consequently, its best hope for survival would be as a government-financed project where making a profit would not be as big an issue. Even with that, however, it would take a massive amount of money and time to make it suitable and safe for living quarters. Still, it’s probably an idea worth exploring.
****
The state’s Office of Campaign and Political Finance (OCPF) “Recently Organized Filers” page contains some Lowell names. These are people who have activated campaign finance committees to run for City Council in this fall’s election. Here are the Lowell-based committees formed since January:
Corey Belanger (4/8/2023)
Fru Nkimbeng (4/25/2023)
John Descoteaux (4/10/2023)
Belanger, who served on the City Council from 2014 to 2017, issued a press release announcing he was running for one of the three citywide Council seats. Besides his prior stint on the Council, he also served on the Zoning Board of Appeals and continues to be the chair of the Mayor’s Opiate Task Force. Here’s the concluding paragraph of his press release:
“Please join me in my campaign this upcoming election cycle to continue to push Lowell in a positive direction. My experience will be of great value to the issues we face today. Building partnerships, giving everyone an equal voice and my willingness to do all the hard work necessary is the hallmark of my personal, professional and political life. Over the next several months you will see me in your neighborhoods, at your door and in the community. I look forward to meeting as many of Lowell’s residents as possible to discuss our future, your ideas, what can be improved, and finally, for your support in returning me to the Lowell City Council.”
The three citywide councilors now are John Drinkwater, Rita Mercier, and Vesna Nuon. Rita and Vesna are running for reelection but Drinkwater is not. However, current Upper Highlands District Councilor Erik Gitschier has announced he will seek one of the citywide seats rather than run for reelection as a district councilor. With former Councilor Belanger jumping into that citywide race, it suddenly has become more competitive.
With Gitschier not seeking reelection in the district he now represents, John Descoteaux, the Lowell School Department’s Transportation Coordinator, has entered the Upper Highlands District race. His campaign signs are popping up all over the neighborhood, the first to go up, which is a good thing since no one ever talks about the candidate whose signs go up second. Many years ago, a city ordinance limited the time during which campaign signs could be erected, but the US Supreme Court ruled that bans of that type infringed on the First Amendment so candidates may put up lawn signs whenever they want.
Fru Nkimbeng, the third person to organize a campaign committee, is an IT professional who has long been active in Lowell’s African Cultural Community. I believe he is running for the Acre District seat now held by Councilor Paul Yem who is also running for reelection.
****
Don’t forget that next Saturday, May 20, 2023, is the Lowell Cemetery’s Veterans Memorial tour. Rather than a standard tour led by a single guide, this tour will have volunteer guides positioned at each of 12 graves from 10am to noon. Tour-goers will receive an annotated map when they arrive and may then proceed at their own pace to the various graves. Tour-goers may enter the cemetery at either the Knapp Ave or Lawrence Street gates.
I did a blog post this week with the names of the veterans whose graves are on this year’s tour, and added the stories of several veterans who are not, so please check that out.