Hackers hit the Sacramento, CA, Regional Transit (SacRT) system this weekend, erasing data and threatening to do more harm if SacRT didn’t pay them a one bitcoin ransom.
The attack erased parts of computer programs on the agency’s servers that affect internal operations, including the ability to use computers to dispatch employees and assign buses for routes, said chief operating officer Mark Lonergan in a report in the Sacramento Bee.
Regional Transit officials said they have determined no data was stolen and are working to secure their system from further attack. Bus and rail service has not been affected.
This isn’t the first time a transportation system in California suffered an attack. Last November, the San Francisco Municipal Transportation Agency ended up asked to pay 100 bitcoins after a ransomware attack locked their computers.
The agency took down its web homepage for customer information and shut down its systems for processing credit card payments on Connect Cards until agency officials can add security to prevent hackers from getting into SacRT’s computer system in the future.
The agency’s mobile fare app, which is on a separate cloud-based system, remains fully operable, Lonergan said, including allowing users to add fare value to the app.
Agency technicians were using backed up data to refresh internal systems on Sunday and Monday, Lonergan said.
SacRT had not yet notified police of the crime Monday morning, but planned to, he said.
Hackers unveiled their presence Saturday when they “defaced” the agency’s main webpage, putting up a note saying, “I’m sorry to modify the home page, i’m good hacker, i I just want to help you fix these vulnerability. This is one of the loopholes, modify the home page …”
That message turned out to be a trap, Lonergan said. When technicians went into the SacRT system to check out the damage, it unleashed the attack Sunday morning that erased the virtual servers.
The hacker or hackers sent a Facebook message to SacRT Sunday morning demanding ransom, with the message, saying, “hello, I will always attack your website, we are hackers. we can do everything. Pay us now to stop attacking.”
The hackers asked for a bitcoin – whose worth went over $8,000 Monday. SacRT did not respond to that demand. Lonergan said the agency’s security systems had already noticed that data was being erased.
“We caught it early (Sunday) morning,” Lonergan said. “We took all our systems offline” and determined what data had been erased. “We are restoring everything now and bringing it up online.”
Lonergan said the agency was able to track how the hackers entered the system, and what the hack was doing. “That is how we know no data exited,” he said. “This was about destruction.”
The agency’s system has suffered from virus and malware attacks in the past, but had never suffered an attack that destroyed data.
Lonergan said light rail and buses continue to run on a normal schedule. The trains and buses are run under control of an operator, with minimal automation, he said.
He said technicians said it could be several days before the agency’s system is fully restored. The agency then plans to bring in an expert “to review our vulnerabilities and make this less likely to happen again,” Lonergan said.
In the San Francisco Municipal Railway (MUNI) attack last year, officials suffered a hack attack that ended up providing free rides to all passengers, with the gates remaining open one Friday until late Saturday the next day.
The hacker who compromised the system left a message asking for a ransom should the San Francisco authorities want to restore the service.
The screens at MUNI stations displayed a message reading “You Hacked, ALL Data Encrypted. Contact For Key(firstname.lastname@example.org)ID:681, Enter,” while machines were printing tickets with short messages such as “Out of Service” and “Metro Free.”