The apparent ransomware attack that infiltrated and shut down the time-keeping services for employees at the Board of Water Supply and Emergency Medical Services, part of a nationwide offensive on public and private networks, could take weeks to fix.
No demands have been made but the network intrusions and disruptions are among at least three cyberattacks on Hawaii government systems in the past week.
On Thursday online services for TheBus, TheHandi- Van, TheBus app and its Holo card system were shut down by hackers and remain offline, and Oahu Transit Services’ employees do not have access to email.
The state’s Office of Enterprise Technology Services told the Honolulu Star-Advertiser that departments are migrating away from the Kronos Workforce software and officials are trying to find out if any departments still use it.
“All Executive State Departments who migrated onto the modern Time and Leave platform no longer use Kronos. We are assessing whether they have continued to use it after they completed migration,” said Vincent Hoang, the state’s chief information security officer, in a statement to the Star-Advertiser. “We’re constantly responding to cyber security threats such as malware and phishing but fortunately there has been no impact on operations.”
Last week, a cyberattack struck Oahu Transit Services’ systems, disabling the agency’s online services for TheBus, TheHandi-Van, TheBus app and its Holo card system. OTS is still working on getting those services back online. The FBI, Honolulu police, the U.S. Secret Service and other agencies are investigating.
The FBI is aware of the cyberattacks at BWS and EMS but declined further comment.
BWS advised its employees Monday to check their credit reports and look out for unusual or unauthorized activity. The board was notified Sunday evening of a cybersecurity attack disrupting Kronos Private Cloud services, which provides BWS’ timekeeping system. All access to its Kronos Workforce system was immediately cut off, according to a news release.
BWS officials said their customers are not affected by the incident.
Ultimate Kronos Group, Kronos’ parent company, became aware of the issue Saturday and began to “investigate and mitigate” it, according to a message the company sent to its customers and posted on its website, Bloomberg News reported.
New York City’s Metropolitan Transportation Authority was unable Monday to access Kronos services, according to Bloomberg News. The city of Cleveland, Kum & Go convenience stores, and MGM Resorts International are among Kronos’ government and private clients.
“While not much else is known about the attack, this disruption of services comes at an unfortunate time for BWS employees as they get ready for the holidays,” said Tracy Burgo, BWS spokeswoman, in a news release.
EMS officials also shut down its Kronos Workforce system after learning of the ransomware attack. City officials said employees’ work hours are being tracked manually.
“No employee, customer, or patient information has been compromised at this time,” Tim Sakahara, communications director for Mayor Rick Blangiardi, told the Star-Advertiser.
In 2020 the FBI’s Internet Crime Complaint Center received 2,474 ransomware reports that accounted for over $29.1 million in losses. Ransomware is a type of malware that encrypts data on a computer and locks out the user, according to the FBI.
Last year’s loss estimate does not account for lost business, time, wages, files or equipment, or what a company or government has to pay to secure their network, according to the FBI.
Hackers hold the data hostage until a ransom payment or other arrangement is agreed to by the victim in exchange for access to their system and data, according to the Justice Department.
On Monday, TheBus and TheHandi-Van websites, along with real-time GPS vehicle information websites HEA for TheBus and EVA for TheHandi-Van, remained offline. Mobile applications Transit and DaBus are reporting scheduled data instead, but not real-time locations, Jon Nouchi, deputy director of the city Department of Transportation Services, told the Star-Advertiser.
Holo cards are not working, but riders are encouraged to show them to the driver and tap them as usual.
“OTS has restored the most critical operations networks to enable TheBus and TheHandi-Van to operate regularly. We are meticulously rebuilding and re-configuring all servers and user desktops to ensure no traces of the attack remain before bringing networks back online,” Nouchi said. “Pending reasonable security checks and acceptable security assurances on the OTS network, we will restore the HOLO card system and work towards a full restoration of all regular network services with an emphasis on security, risk, and caution. At this time, we do not believe any personal or financial information was compromised. We apologize for any inconvenience to our passengers.”
Ransomware attacks on transportation systems around the world have increased substantially recently. Since June 2020 to June 2021, the transportation sector, both public and private, experienced a 186% increase in ransomware attacks, according to Check Point Research.
There have been at least a half-dozen ransomware attacks and network intrusions affecting online scheduling applications for bus, train and paratransit services across the country this year, including New York City; Santa Clara, Calif.; San Jose, Calif; and Ann Arbor, Mich.
Hacking teams affiliated with Russian, Chinese and Iranian intelligence agencies attack government and private network systems in the U.S. to disrupt, shut down, steal, or evaluate operations, according to law enforcement officials.
“Although an increasing number of countries and non-state actors have these capabilities, we remain most concerned about Russia, China, Iran, and North Korea,” according to an April threat assessment made public by the Office of the Director of National Intelligence. “Many skilled foreign cybercriminals targeting the United States maintain mutually beneficial relationships with these and other countries that offer them safe haven or benefit from their activity.”
Ryan Ozawa, a Hawaii technologist, told the Star-Advertiser that municipal governments and other relatively small agencies are low-hanging fruit for hackers. The majority of ransomware attacks since 1997 gain access to systems when an employee clicks on an email, website or link using their work computer, unwittingly letting the malware into the network. Sometimes ransomware attacks are executed to make systems vulnerable to create a staging ground for the next step, he said.
“It’s awful if the Russians are doing this or the Chinese are doing this and eventually build up to shutting down our water systems and electrical grid and suddenly we are living in this post-apocalyptic nightmare,” Ozawa told the Star-Advertiser. “A lot of times it could be someone who is bored with the skills and the tools.”