Cyber Incident Victim: Town of Arlington
Date: Sep 2023
Location: United States of America
Summary
The Town of Arlington suffered a $445,945.73 loss due to a business email compromise attack involving phishing, spoofing, and social engineering. Threat actors compromised employee accounts, monitored communications with a known vendor, and impersonated the vendor to redirect four electronic payments intended for an ongoing high school construction project. The attackers manipulated email accounts to conceal fraudulent activity, with the theft discovered after the vendor reported unpaid invoices. While the bank recovered $3,308, the majority of funds remained unrecovered, prompting insurance claims and collaboration with law enforcement. Forensic investigations revealed unsuccessful attempts to divert an additional $5 million and confirmed no network infiltration or compromise of sensitive data. Mandatory cybersecurity training was implemented following the incident, and project funds were replenished to avoid delays in the school construction.
Description
The Town of Arlington experienced a significant cyber incident resulting in a financial loss of $445,945.73 through wire fraud, as disclosed by Town Manager Jim Feeney in a community memo. The attack, identified as a business email compromise (BEC), involved threat actors employing phishing, spoofing, social engineering, and compromised email accounts to redirect payments intended for a vendor working on the Arlington High School Building Project. The fraud occurred between September 2023 and January 2024, with perpetrators monitoring compromised employee email accounts and impersonating the vendor to request a change in payment method from checks to electronic funds transfers (EFT). Four monthly payments were diverted before the vendor reported non-payment in February 2024, prompting immediate action by town officials. The town’s bank recovered $3,308, and a claim was filed with the town’s insurer to offset additional losses. Feeney clarified that the stolen funds were drawn exclusively from the Arlington High School Building Project’s allocated budget, which operates separately from the town’s annual operating budget, ensuring no impact on the project’s completion. No sensitive or resident data was compromised during the incident.

The attack timeline began in September 2023 when town employees received legitimate emails from a known vendor regarding payment processing issues, unaware that threat actors had already compromised employee accounts and were monitoring communications. Attackers impersonated the vendor using a spoofed email domain, fabricated and deleted emails to conceal their activity, and created inbox rules to manage and hide incoming messages. After establishing the fraudulent EFT payment method, four payments were diverted between September 2023 and January 2024. Upon discovering the fraud in February 2024, Arlington officials alerted law enforcement and their banking institution, initiated a digital forensics investigation, retained a breach coach, and implemented network security measures. The investigation revealed threat actor activity within the town’s Microsoft environment from September 12, 2023, to January 30, 2024, and identified additional unsuccessful attempts to intercept approximately $5 million in wire payments during the same period. The town’s IT department enhanced network security, and mandatory cybersecurity training was instituted for all employees. On June 4, 2024, the Arlington High School Building Committee authorized payment to the vendor from project funds, with any recouped fraud losses to be returned to the project budget. Feeney emphasized ongoing efforts to recover the stolen funds and strengthen cybersecurity defenses through collaboration with law enforcement and consultants.
