
Cyber Incident Victim: North Kingstown

Date:

Apr 2023

Location:

United States of America

Summary

North Kingstown was targeted by a ransomware attack that first became evident when police and fire dispatch systems failed. A cryptic note demanded a ransom, though no payment was made. The town's immediate response included disconnecting computers and switching to cloud backups, preventing data loss but leaving operations at approximately 80% capacity. While initial assessments suggested no financial or personal data was stolen, a third-party investigation was launched to confirm this. The attack is believed to have exploited a firewall failure.


Description

The incident began in the early hours of Saturday, April 22, 2023, when the municipal computer systems of North Kingstown, Rhode Island, were targeted in a cyberattack. The first indication of a problem occurred at approximately 4:00 a.m. when the fire and police dispatch systems suddenly ceased functioning. This disruption served as the initial alert that prompted an immediate response from the town's personnel. Town Manager Ralph Mollis confirmed that the town learned of the cyberattack early that Saturday morning through the discovery of a cryptic note left by the threat actors. The note stated, “We have attacked your system, we’ve compromised you, we have your data, please reach out to us and we will discuss a ransom,” identifying the event as a ransomware attack.


Upon discovery of the note and the system malfunctions, the town immediately initiated its established cyber incident response protocol. The initial response actions were focused on containment and isolation to prevent the further spread of the attack. The local Information Technology team disconnected computers from the network to segregate affected systems. The town also switched over to its cloud-based systems as part of its contingency plan. Town Manager Mollis stated that these actions were executed as rapidly as possible, a decision he believed placed the town in a better position for recovery than it otherwise would have been. External notifications were made promptly; the Rhode Island State Police were contacted, and the company providing the town's cybersecurity insurance policy was also alerted.

The investigation into the scope and impact of the attack commenced immediately. While backup systems were successfully deployed and prevented a total loss of data, the overall operational capacity of the town's municipal systems was significantly reduced. By the following Monday, email services and several other critical parts of the system had been restored and were back online. However, as of Friday, April 28th, certain technologies remained offline and unavailable. The physical damage to hardware was also confirmed, with some town computers being described as completely fried and rendered inoperable. This hardware damage forced certain employees to conduct their work using laptops as substitutes for their primary workstations.

The town administration believed some of its local drives may have been specifically targeted during the attack, including drives that potentially stored employee data. Resident and financial data, however, was stored in an entirely different, cloud-based part of the town's system architecture. This separation led town officials to express a degree of confidence that the most sensitive information had not been accessed, though they stopped short of providing an absolute guarantee. Mollis initially stated that no data was stolen but later clarified that it was too preliminary to state that for certain. He noted, “It appears that no financial or personal data has been compromised, but no, that can’t be guaranteed at this point.” The town committed to making any future discovery of compromised data public immediately.

To conduct a formal forensic investigation, the town hired a third-party cybersecurity company at a cost of $15,000, covered by the town's cybersecurity insurance policy. The external investigation was mandated to run over a 72-hour period and was tasked with uncovering the precise details of the attack. Key objectives included determining whether any town, employee, or resident data had been exfiltrated or stolen by the attackers and analyzing the root cause of the breach. The investigation was also expected to reveal what specifically had prompted the attack. Preliminary indications from the town pointed to a potential failure of the municipal firewall, a system designed specifically to keep such threats out. Mollis stated, “The firewall should’ve prevented this attack and so we’re looking into that right now.”

A press release was issued by the town earlier in the week following the attack to communicate with residents. The town's perspective on its transparency was that while the press release did not explicitly state that data security was not 100% guaranteed, it also did not claim that officials were completely certain no data was compromised. At no point did the town make a ransom payment to the attackers. The primary consequence was a prolonged period of operational disruption, with the town estimating it was still operating at about 80% capacity days after the initial incident. The full extent of what was lost was still being analyzed during the recovery process. The town's response also included a decision to expedite planned security upgrades to its IT infrastructure to prevent a recurrence of such an attack. Mollis emphasized that the town was ramping up its security measures and was focused on continuing to move forward while doing its best to protect its digital environment.
