Incident Response: The Alaska Cyber Attack, a State of Emergency, and YouTube

Matanuska-Susitna Borough in Alaska declared a State of Emergency in July 2018. 

This was not because of some intense and devastating storm.

And it wasn't because of flooding on the Matanuska or Susitna rivers.

Instead, leaders declared a State of Emergency because of a ransomware and virus-laden cyber attack on,"The Borough's computer infrastructure, including computers/laptops, most Borough servers, networked telephones, and the email exchange...."

In fact, IT Director Eric Wyatt described what servers had been hit with as a multi-pronged cyber attack, the kind we've been hearing more about over the last year.

"We learned that one of the prongs of the attack, the Trojan horse, is called the Emotet... another component Cryptolocker what is sometimes called the ransomware portion also called Bitpaymer... other embedded component (malware) called Dridex... so the group that we are facing that has unleashed this particular attack is a very well organized group and they're using the most sophisticated tools and have done a lot of damage across the country to include us," Wyatt said. 

Social media comments proved the real-world implications of a cyber attack on government services and citizens. "It's pretty amazing how this can effect [sic] our day-to-day," writes Megan Petros.

The ransomware attack on this part of Alaska also made it difficult to adopt pets in need of their forever home. Mat-Su Animal Shelter posted, "We have been unable to keep our website current with adoptable or lost pets. If you are missing a pet, please come to the shelter to look."

Residents who needed information about the local pool during the cyber crisis were told to call the working number.

And was the ransomware and virus that took down this part of Alaska's government spreading to others before it was detected?

Local businesses wanted to know. Amie Sommer posted, "Should contractors that received documents such as excel files form MSB [the borough hit in the attack] staff be worried?"

Going behind the scenes on cyber attack incident response

Matanuska-Susitna Borough IT Director Eric Wyatt took locals, and the rest of us, on a behind the scenes tour after the cyber attack and during the incident response. Check out the collaboration he captured on his YouTube incident response video:

And earlier in the process, he shared a detailed post, several pages long, on what early phases of the cyber attack investigation had revealed. 

Cyber attack incident response communication plan

This got us thinking about something we keep hearing asked at SecureWorld cybersecurity conferences: What is your communications plan for a breach and the incident response that follows?

How much of your incident response are you willing to share?

Equifax said little until its former CEO gave a day-by-day incident response timeline in front of Congress.

Allscript's breach incident response even left its customers in the dark.

But Timehop gave a minute-by-minute account of its incident response after the service, which provides social media flashbacks, was breached.

Updates are still coming from the Matanuska-Susitna Borough, including an August 17th incident response post.

"Because of the nature of the attack, the Mat-Su Borough has had to entirely rebuild its systems."

The Alaskan city of Valdez was hit by the same virus about the same time and continues to attempt a recovery, as well. "Regular City staff email is currently unavailable due to the recent cyber attack. Primary contact method for City staff is by phone or fax."

You must have grit and determination to thrive in Alaska. Right now that's especially true for some IT teams trying to rebuild after these damaging cyber attacks.