The second cyberattack targeting contractor Oahu Transit Services Inc. in less than three years continued to disrupt city public transportation systems Tuesday, but officials say it is rare for the City and County of Honolulu’s separate, heavily monitored information technology operations to be breached.
OTS, the private company that manages the city’s bus and paratransit system, saw thebus.org website, HEA (also known as Honolulu Estimated Arrival), and related GPS services go down Saturday.
Travis Ota, a spokesperson with the Department of Transportation Services told the Honolulu Star-Advertiser on Tuesday that there was a “cyber breach” and that OTS is working with the “proper authorities to investigate and handle the situation.”
As of Tuesday evening OTS online services, including thebus.org website, real- time GPS data (including HEA and TheHandi-Van EVA) were still down.
Holo card readers on TheBus and TheHandi-Van were still down Tuesday. But TheBus and TheHandi-Van were transporting passengers Tuesday, and call centers were open to riders who have questions on TheBus and to make reservations for TheHandi-Van.
Skyline rail operations were not affected by the breach, and riders are required to tap their Holo cards at the fare gates, Ota said.
Roger Morton, director of the city Department of Transportation Services, told reporters Tuesday that OTS has not paid any ransom and that officials are unclear exactly what kind of cyberattack crippled the systems.
There was an indication from an “outside entity that it was a result of an outside actor that had entered the system,” he said.
“OTS cybersecurity experts jumped in to try to remedy the situation, and very quickly the phone system, which had been down Saturday morning … was restored so that regular operations from the users continued with some minor Saturday interruptions. … By Saturday afternoon everything was running normally as far as regular operations,” said Morton, who added that the Honolulu Police Department, Federal Bureau of Investigation and other law enforcement agencies were informed of the cyberattack. “What still does not operate normally is connections which require an external connection to other systems.”
The FBI is aware of the incident, and while the bureau would not “confirm or deny the existence of an investigation,” agents are “working closely with our local partners and are ready to assist as needed.”
“The FBI dedicates thousands of hours in engaging with our county, state, and federal partners, as well as building robust partnerships within the private sector,” Steven Merrill, special agent in charge of the FBI’s Honolulu Division, told the Star-Advertiser in a statement. “The FBI cannot do it alone; through these collaborations, we are able to unite efforts to protect Hawaii’s critical infrastructure.”
OTS has its online systems reviewed by federal authorities once a month to “look for vulnerabilities,” Morton said.
“They have a cybersecurity firm that helps them do this. … (On) Monday, they were scheduled to up and install the latest updated firewall,” Morton said, adding that he expects systems to be restored today while cybersecurity efforts are done with extreme caution.
The cyberattack was the second breach for OTS in three years.
On Dec. 9, 2021, hackers infiltrated online services for TheBus, TheHandi-Van, TheBus app and its Holo card system. City information technology officials speculated at the time that the attack was the work of hackers affiliated with Russia. A warning not to interfere while the hackers infiltrated OTS systems was allegedly connected to a Russian email address.
On Tuesday the FBI did not have any new information to release about the December 2021 incident.
In December 2021 the city and OTS worked with the San Francisco Municipal Transportation Agency, New York Metropolitan Transportation Authority, Santa Clara Valley (Calif.) Transportation Authority, Dallas Area Rapid Transit and Ann Arbor (Mich.) Area Transportation Authority to learn more about the system disruption.
Since 2013 no city systems have been taken down, nor have officials had to pay ransomware, according to city officials. OTS servers and the OTS network are not part of the city’s network. The Honolulu Department of Information Technology does not manage the network or servers for the private contractor OTS.
“There have been a couple of instances where employees fell for phishing emails and gave away their login ID and passwords, and these credentials were then used to access an email account to send emails masquerading as the user,” Ian Scheuring, a spokesperson for Mayor Rick Blangiardi, told the Star-Advertiser. “In 2016, a user clicked a link while checking a personal email account and compromised their workgroup, but any affected files were detected and restored that day, and no ransom was paid. Access to external email providers has been blocked on the city network since that incident occurred.”
The city has a “zero trust” policy that limits any damage that might be inflicted by a bad cyber actor, he said. Critical city systems are backed up several times a day, allowing systems “to recover quickly, without having to pay ransomware.”
“Our storage systems encrypt all files, and we encrypt all access to sensitive systems,” Scheuring said.
Phishing attempts occur every day, and there are over a million attempts every month.
“We recently detected a bot trying to get into an election website every second. We have end-user education, conduct phishing campaigns, and filter incoming emails to defend against attacks,” Scheuring said. “We also have security devices and software that look for suspicious files or attempts to gain access to our systems.”
———
Star-Advertiser photographer Cindy Ellen Russell contributed to this report.