Cyber Incident Victim: Dallas Police Department
Date: May 2023
Location: United States of America
Summary
A ransomware attack compromised City of Dallas servers, including those supporting the Dallas Police Department, and hampered police operations. The incident, attributed to the Royal threat group, took down the computer-assisted dispatch (CAD) system, forcing 911 call takers to log calls and instructions by hand. Officers in the field were limited to phones and radios. The attackers claimed to have encrypted the city's critical data and threatened to leak sensitive information online.
Description
On or around May 1, 2023, the City of Dallas confirmed that its systems had been compromised by a ransomware attack. The incident impacted a number of city servers, including those supporting the Dallas Police Department. The attack was claimed by a group identified as Royal. The group asserted that they had successfully encrypted critical data belonging to the city and issued a threat to release sensitive information publicly on the internet. The compromise significantly disrupted the operational capabilities of the Dallas Police Department. The department's public-facing website was among the systems affected by the incident.

The technical disruption extended to core operational systems vital for public safety response. The computer-assisted dispatch system, known as CAD, was rendered inoperable due to the attack. This system is responsible for electronically managing and directing emergency response resources to calls for service. The outage forced 911 call takers to abandon their automated systems and resort to manual, paper-based methods. They were required to physically write down the details of emergencies and other calls for service. This manual process introduced potential delays and increased the risk of human error in the dispatch workflow.
The impact on police officers in the field was immediate and severe. Responding patrol units lost access to the computerized dispatch data that would normally be transmitted to their in-vehicle terminals. Officers were unable to receive call information digitally, forcing them to rely solely on voice communications over their police radios. This reliance on radio traffic for all call information and coordination placed a strain on the communication channels and limited the amount of detail immediately available to responding personnel. The entire response protocol was degraded to a manual state, reminiscent of operations predating computerization.
Cybersecurity analysts provided context on the threat actor behind the attack. Royal was characterized as one of the most active cybercriminal groups operating at the time, and analysis indicated it was responsible for approximately ten percent of all ransomware attacks targeting entities within the United States. Its operations included an attack on the Lake Dallas Independent School District the prior month. The Dallas incident was noted as part of a larger trend, with twenty-nine cyber attacks reported against local governments in the United States within the first four months of the year.
The potential consequences of such attacks on public safety organizations were highlighted by security experts. In one cited historical instance following a ransomware attack on a different police department, the criminals involved had threatened to publicly release sensitive information pertaining to police informants. The threat included disseminating this information directly to the criminal organizations on which the individuals were informing. This example underscored the severe secondary risks that extend beyond operational disruption and into the realm of endangering human lives and compromising ongoing law enforcement investigations.
Cybersecurity experts who reviewed the incident assessed the likely initial attack vector. Although the city did not confirm it, they believed the breach most likely began with a phishing email: a message crafted to look legitimate, often impersonating a trusted sender or institution, and carrying either a deceptive link or a malicious attachment. The prevailing theory is that a city employee opened such an email and interacted with its content, either by clicking a link that led to a credential-harvesting site or by opening an attachment that executed malicious code on the employee's workstation.
Under that theory, the payload gave the attackers an initial foothold in the city's network. From the compromised workstation they could harvest user credentials and other information, then use those credentials to move laterally across the network and identify the critical servers to encrypt. Deploying the ransomware encrypted data on those servers and left the systems, and the information on them, inaccessible to city staff. The attackers left a ransom note, later obtained by news media, stating their demands and threatening to leak stolen data. The city's response was to fall back to manual workarounds for critical services such as police dispatch while forensic investigation and recovery began.
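As an added example, not part of the original report and not the city's own tooling, the following Python shows the kind of lateral-movement check a security operations team can run once a phishing foothold is suspected: one account authenticating over the network from a single workstation to many distinct hosts within a short window, which is what harvested credentials being reused to reach servers tends to look like in authentication logs. The event records, host names, account names, window and threshold are all constructed assumptions for illustration; the field layout loosely mirrors Windows Security event 4624 (successful logon) with logon type 3 (network).

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _make_event(t, user, src, dst, logon_type=3, event_id=4624):
    """Build one constructed authentication record (not a real log line)."""
    return {"time": t, "event_id": event_id, "logon_type": logon_type,
            "user": user, "src_host": src, "dst_host": dst}


# Constructed sample events for this example; names and times are invented.
SAMPLE_EVENTS = [
    # Benign: a user logs on interactively to their own workstation, then
    # reaches a single file server over the network.
    _make_event("2023-05-01T02:05:00", "asmith", "WKS-017", "WKS-017", logon_type=2),
    _make_event("2023-05-01T02:06:30", "asmith", "WKS-017", "FS-01"),
    # Suspicious: a harvested service account fans out from one workstation
    # to file, directory, dispatch and web servers within a few minutes.
    _make_event("2023-05-01T02:10:05", "svc_backup", "WKS-104", "FS-01"),
    _make_event("2023-05-01T02:10:41", "svc_backup", "WKS-104", "FS-02"),
    _make_event("2023-05-01T02:11:12", "svc_backup", "WKS-104", "DC-01"),
    _make_event("2023-05-01T02:11:58", "svc_backup", "WKS-104", "CAD-DB-01"),
    _make_event("2023-05-01T02:12:33", "svc_backup", "WKS-104", "CAD-APP-01"),
    _make_event("2023-05-01T02:13:07", "svc_backup", "WKS-104", "WEB-01"),
    # Same account hours later; outside the window, so it must not be
    # merged with the burst above.
    _make_event("2023-05-01T05:40:00", "svc_backup", "WKS-104", "FS-03"),
]


def find_lateral_movement(events, window=timedelta(minutes=10), threshold=5):
    """Flag (user, src_host) pairs whose successful network logons reach at
    least `threshold` distinct destination hosts inside any sliding time
    window of length `window`. Returns {(user, src_host): sorted hosts}
    holding the widest qualifying host set seen for each pair."""
    by_pair = defaultdict(list)
    for ev in events:
        # Only successful network logons (4624 / type 3) indicate one host
        # reaching another; interactive logons on the same box do not.
        if ev["event_id"] != 4624 or ev["logon_type"] != 3:
            continue
        by_pair[(ev["user"], ev["src_host"])].append(
            (datetime.fromisoformat(ev["time"]), ev["dst_host"]))

    findings = {}
    for pair, logons in by_pair.items():
        logons.sort()
        start = 0
        for end in range(len(logons)):
            # Advance the window start until the span fits inside `window`.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {dst for _, dst in logons[start:end + 1]}
            if len(hosts) >= threshold and len(hosts) > len(findings.get(pair, [])):
                findings[pair] = sorted(hosts)
    return findings


if __name__ == "__main__":
    for (user, src), hosts in find_lateral_movement(SAMPLE_EVENTS).items():
        print(f"{user} from {src} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

The threshold and window are tuning knobs, not universal values: backup and monitoring accounts legitimately touch many hosts, so in practice this heuristic is paired with an allow-list of expected source hosts per service account, and a hit is a trigger for investigation rather than proof of compromise.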
