Cyber Incident Victim: City of Woodstock
Date:
Sep 2019
Location:
Canada
Summary
A cyber attack disrupted municipal operations by blocking email access and most internal files, prompting containment measures to isolate the network and prevent further spread. The incident displayed characteristics of ransomware, though no explicit demand was received, and forensic efforts focused on determining the intrusion method that bypassed multiple security layers. Recovery operations prioritized restoring systems independently, with no evidence of compromised private data. Externally hosted services, including public website functions, recreation bookings, and transit card payments, remained unaffected. Concurrently, the local police experienced a separate cyber incident, taking some systems offline while maintaining emergency services.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The City of Woodstock experienced a disruptive cyber attack in September 2019 that compromised municipal operations. Initial signs of a virus infection emerged early in the week preceding September 24, but the full severity became apparent early Saturday morning when officials discovered blocked access to city email systems and nearly all operational data files. David Creery, Woodstock’s chief administrative officer, confirmed the attack exhibited characteristics of ransomware but noted no ransom demand had been received by the reporting date. The malware bypassed two layers of network security protections designed to prevent unauthorized access, though investigators had not yet determined the intrusion method or timeline. Immediate impacts included a complete halt to municipal email communications and restricted access to internal files critical for daily governance. The city prioritized containment by severing external network connections to prevent further virus propagation. External consultants were engaged to support a three-phase response strategy beginning with isolation of affected systems.
Recovery efforts progressed to an investigative stage focused on identifying entry points, extracting forensic evidence, and determining how attackers circumvented security measures. Creery emphasized the investigation aimed to establish the attack’s origin, method, and timing while confirming no evidence suggested unauthorized access or exfiltration of private resident data. Municipal services hosted externally—including public website functions for recreation program registration and transit card payments—remained operational, as did core services like garbage collection. Concurrently, the Woodstock Police Service reported a separate cyber incident forcing some systems offline during the same weekend, though emergency services remained unaffected. The city ruled out ransom negotiations as an immediate option, opting instead for independent system restoration while acknowledging future contingencies might change this stance. Recovery operations continued without confirmed contact between city officials and the attackers as of September 24.