Cyber Incident Victim: City of Franklin

Date: Mar 2023

Location: United States of America

Summary

The City of Franklin experienced a cyberattack by the Trigona ransomware group involving unauthorized network access and data exfiltration of approximately 428 GB, including sensitive employee information such as passwords, security question answers, and personnel details from police, SWAT, and fire departments. Attackers maintained persistence through remote access tools after initial detection and demanded a cryptocurrency ransom to delete the stolen data, though they refrained from deploying ransomware. Despite unsuccessful negotiations over payment, Trigona provided the municipality with details about network vulnerabilities exploited in the breach. The city did not publicly confirm whether affected personnel were notified or whether compromised credentials were reset. Exfiltrated data included financial records, internal communications, and law enforcement materials, posing risks of identity theft and operational exploitation.

Description

The City of Franklin, Tennessee, experienced a cyber incident involving unauthorized network access by the Trigona ransomware group beginning on or around March 10, 2023. Attackers gained entry through Remote Desktop Protocol (RDP) and maintained persistent access for approximately one week before the city’s IT department detected and terminated the initial RDP connection. Trigona claimed they retained multiple alternative access vectors—including AnyDesk, VNC, TeamViewer, and proxy infrastructure—by exploiting residual beacons undetected by city defenses. During their network presence, the group exfiltrated 428 gigabytes of data containing sensitive internal documents, personnel records, and authentication credentials. Compromised information included employee login credentials with widespread password reuse across city accounts, personal details of police and SWAT members—such as full names, residential addresses, and mobile phone numbers—SWAT callout rosters, equipment inventories, financial reports, budget projections, and internal administrative communications. Attackers also extracted security question answers from a city paralegal’s accounts, exposing personal data such as the location of her first job and the city where she met her spouse.

The city’s IT leadership received direct warnings about the breach from DataBreaches.net on May 8, 2023, via voicemail and email, including evidence of compromised credentials and ongoing attacker access. No response was issued until May 11, when an unidentified party using a Mailfence account impersonating "Franklin TN" contacted DataBreaches to request hacker contact details. Trigona subsequently engaged a professional negotiator claiming to represent the city, but negotiations stalled over disagreements regarding ransom terms—including the city’s demand for a full data inventory and Trigona’s demand for 10 Bitcoin ($150,000 based on contemporaneous exchange rates) to delete stolen data. Contrary to typical ransomware operations, Trigona did not encrypt systems but instead provided unsolicited technical details to the city about their attack methodology to facilitate vulnerability remediation. No evidence indicated the city notified affected employees about potential exposure of their personal data, and Trigona’s leak advertisement emphasized risks of identity theft, blackmail, and operational disruption from police reports, emergency service protocols, and financial documents. The group later cited the incident as an experimental shift toward data-exfiltration-only attacks against municipalities, though negotiations ended without payment after Franklin countered with a $40,000 offer. City executives did not respond to follow-up inquiries from DataBreaches in June regarding employee notifications or credential resets.
