Cyber Incident Victim: Rhaonline

On or around May 4, 2023, the Raleigh Housing Authority (RHA) experienced a significant disruption to its computer systems. The incident was detected on the morning of Thursday, May 5, 2023, when multiple employees reported being unable to access their accounts, finding themselves locked out of the organization's computer network. This access denial indicated a potential compromise of system credentials or the deployment of restrictive malware. The RHA, which provides housing services to nearly 6,000 residents in the Raleigh area, immediately initiated its response protocol upon discovery of the anomalous activity. The primary business operations of the authority were forced to a complete halt as a direct result of the attack, rendering internal systems inoperable and preventing staff from performing their regular duties.

The leadership of the Raleigh Housing Authority, under CEO Ashley Lommers-Johnson, acted swiftly to engage with external authorities. The organization formally notified relevant state and federal agencies of the potential breach. This step is a standard procedure to alert government entities that may provide assistance or have regulatory oversight requirements. Concurrently, the RHA met with Emergency Management officials to coordinate the initial response and assess the immediate implications of the attack on its critical infrastructure and the population it serves. The decision was made to request specialized support to investigate the nature and scope of the incident.

A pivotal response action was the deployment and on-site arrival of the National Guard's cyber security team. This team was tasked with the forensic investigation into the attack. Their objectives included conducting a thorough analysis to identify the threat actors responsible for the intrusion, determine the specific systems that were penetrated or accessed without authorization, and assess whether any resident or employee data was exfiltrated or compromised in the breach. The presence of this specialized military unit underscores the seriousness with which the incident was treated and the potential classification of the event as an attack on a component of the public housing infrastructure.

In response to the operational shutdown, the Raleigh Housing Authority implemented contingency measures to ensure that essential services for residents were maintained despite the severe IT outage. While standard business operations such as processing applications, managing accounts, and internal communications were suspended, the agency established an alternative method for tenants to report urgent issues. Residents remained able to submit maintenance requests and work orders through a dedicated calling line, ensuring that critical health and safety-related needs could still be addressed. This measure was crucial for mitigating the immediate impact on the thousands of individuals relying on RHA services.

The investigation, led by the National Guard cyber security team, focused on determining the entry point used by the attackers, the duration of any unauthorized access prior to detection, and the total extent of systems affected. A core concern was whether the lockout of users was part of a ransomware attack wherein systems are encrypted, or if it was a different form of attack aimed at data theft or disruption. The declaration from CEO Lommers-Johnson confirmed the organization's focus was on identifying the perpetrators, understanding the full scope of the penetration, and ultimately restoring regular business operations in a secure manner. The agency also committed to taking all appropriate steps to update and provide information to any individuals who may have been affected by the attack, pending the findings of the investigation regarding personal data exposure.

The immediate consequence of the cyberattack was a complete cessation of the Raleigh Housing Authority's normal administrative functions. The inability for staff to access computer systems halted all digital workflows, creating a significant backlog of work and delaying standard administrative processes. The longer-term impacts involved the potential compromise of sensitive information belonging to both residents and employees. Such data could include personally identifiable information, financial records, tenancy agreements, and other confidential details entrusted to the housing authority. The financial and operational repercussions included the cost of the forensic investigation, the potential cost of system restoration and hardening, and the potential for regulatory penalties if data protection protocols were found to be insufficient.

The response encompassed a multi-faceted approach combining internal containment, external expert engagement, and public communication. The primary containment action was the proactive shutdown of affected systems to prevent the lateral movement of the threat actors within the network and to stop any ongoing data exfiltration. Engaging the National Guard represented a significant escalation in response resources, bringing specialized skills typically reserved for critical infrastructure incidents. The public statements from the CEO served to acknowledge the incident transparently, inform residents of the temporary service adjustments, and reassure them that the matter was being treated with the highest level of priority and seriousness by all involved parties.