Cyber Incident Victim: City of Lowell
Date: Apr 2023
Location: United States of America
Summary
The City of Lowell experienced a cyber incident attributed to the Play ransomware group. The attack disrupted the city's network, servers, and phone systems, though emergency services remained operational. The threat actors claimed to have stolen sensitive data including personal information, financial documents, and government files, threatening to release it. Recovery efforts led to widespread system outages and significant public service delays as the city worked to restore access and investigate the breach.
Description
On the morning of Monday, April 24, 2023, the City of Lowell's Management Information Systems (MIS) Department detected a network disruption impacting a variety of city systems. The initial detection occurred around 2 a.m. when system alarms were triggered, prompting immediate action from the MIS staff. Upon observing suspicious activity, the department made the decisive choice to shut down the affected systems to prevent further intrusion. As the day progressed, the MIS team determined the best course of action was to segment and isolate compromised systems to aid in troubleshooting and to protect the city's broader technology and data assets. This containment effort resulted in servers, networks, phones, and other systems throughout the city becoming inaccessible. A critical exception was the city's emergency services infrastructure; the 911 system, fire, and emergency phones were confirmed to be unaffected and remained operational at 100 percent capacity.

By the end of that Monday, the MIS department concluded that the City of Lowell had been subject to a cyber-related incident, which likely began in the early morning hours. The city officially announced the incident and stated that, at that time, there was no reason to believe any of the city's data had been compromised. The city manager's office and MIS began coordinating with multiple state and federal law enforcement agencies, who initiated an investigation and assisted with a forensic assessment of the breach. Out of an abundance of caution, the city decided to keep all affected systems offline while working diligently to secure and restore services safely. This proactive containment and investigation strategy was described as following industry best practices.
The immediate impact on city operations was significant. Most non-emergency telephone services across city buildings were rendered inoperable, with calls to general departmental numbers going directly to voicemail. This included the phone line for the city clerk's office, which residents needed to use to register to speak at upcoming city council meetings. Departmental email systems were also disrupted, though they were slowly coming back online as system access was gradually restored. The Pollard Memorial Library publicly announced that its phones were down. Despite these disruptions, City Hall itself remained open for business, and the city's online payment portal, Invoice Cloud, continued to accept payments for real estate, personal property, motor vehicle excise, water utility, vital records, burial permits, and cemetery lot purchases. However, the city cautioned that these payments might not be immediately reflected in customer accounts due to the systems being offline.
On Tuesday, April 25, the Play ransomware group publicly took credit for the attack. The cybercrime group claimed to have successfully exfiltrated an undisclosed amount of data from the city's systems. Their claims specified that the stolen data included personal information, passports, government IDs, financial documents, budgets, and various departmental files. The group announced its intention to release the stolen data on May 10 if their demands were not met. This public claim by the threat actors stood in contrast to the city's initial official statements, which maintained that no data was believed to be compromised. The Play group had recently drawn significant attention for a devastating attack on the City of Oakland, where they had published hundreds of gigabytes of sensitive government data.
The city's response and recovery efforts continued throughout the week. The primary focus of the MIS team was on rebuilding the system to ensure its stability and integrity. Restoration of services was prioritized, with telephone service at City Hall successfully being restored by Thursday, April 27. Work continued to restore phone access at other city buildings and offices outside of City Hall, such as the Lowell Senior Center. The Lowell Fire Prevention Bureau and HAZMAT Division were confirmed to be accessible to the public for questions related to fire prevention and permitting needs. The city's official communications, disseminated through its website and social media channels, consistently informed the public to expect delays when interacting with the city government throughout the recovery process. The city manager acknowledged the extensive efforts of the MIS team, who were working tirelessly to resolve the issue. The incident was noted as being unprecedented for the city, representing a significant cybersecurity event that required a coordinated response from local officials and federal investigators. The attack on Lowell was part of a broader pattern of ransomware groups targeting municipal governments across the United States, ranging from large cities to small towns.
