Cyber Incident Victim: City of Richmond
Date: Jun 2023
Location: Canada
Summary
The City of Richmond experienced a cybersecurity incident involving an intrusion into its email system. The breach led to the circulation of fraudulent emails that were made to appear as if they were sent from municipal officials and Gateway Theatre staff. The organization engaged cybersecurity experts to investigate, contain, and remediate the attack. There was no indication that external parties accessed the city's financial or human resources data or other enterprise systems, and its operations were not impacted.
Description
In June 2023, the City of Richmond discovered an intrusion into its email system. The organization took immediate steps to mitigate the risk of impact and to remediate the attack. This action involved engaging a team of cybersecurity experts to contain and investigate the incident, a process conducted in accordance with industry best practices. The City became aware that, following this intrusion, some fraudulent email messages were circulating. These messages claimed to be from City staff, municipal officials, and staff from the Gateway Theatre, a separate entity associated with the City.

The investigation into the incident determined there was no indication any outside party had accessed the City’s financial or human resources data. Furthermore, there was no evidence of access to any other enterprise systems or databases beyond the compromised email accounts. As a result of this contained scope, City operations were not impacted and business continued as normal. The primary consequence of the incident was the circulation of these fraudulent emails originating from the compromised accounts.
The fraudulent email messages associated with this incident often contained a fake PDF file attachment or a link to a website. These messages attempted to spread malware to harm the recipient's device and/or computer network. The City advised the public not to click on any attachments or links provided in those emails. These messages were designed to appear legitimate, sometimes incorporating official brands, colors, and legal disclaimers to create a false impression of authenticity. The City noted that while these messages may appear real, they can sometimes contain small inconsistencies or mistakes, such as typos in email addresses or slightly altered logos. A key indicator of fraud was a sender's email address that differed from the official business or organization it claimed to represent.
In response to the incident, the City of Richmond undertook several public communication actions. The organization placed a public warning regarding the fraudulent emails on its official website and across its social media channels. Local media outlets were also advised of the situation to help broaden the dissemination of the warning to the community. The City formally reported this criminal activity to the Royal Canadian Mounted Police (RCMP) and to the Office of the Information and Privacy Commissioner for British Columbia, fulfilling its regulatory obligations.
The City’s public communications focused on educating recipients about the nature of phishing and smishing attacks. Phishing involves the use of fraudulent emails, while smishing uses fraudulent text messages. The City explained that fraudsters use these methods to trick individuals into sharing personal information, such as name, date of birth, social insurance number, or banking information. The goals of these attacks can also include convincing victims to send money or to inadvertently spread malware by interacting with the message. The public was advised to trust their instincts if a communication did not look or feel right and to disregard any such unexpected messages.
A specific instruction was provided to help the public identify legitimate communications. All official City of Richmond or Gateway Theatre communications would only come from an official @richmond.ca or @gatewaytheatre.com email address. The public was cautioned that a message claiming to be from these organizations but sent from a personal email domain like Gmail or Hotmail should be considered fraudulent. The City recommended that individuals remain vigilant about any unexpected transactions and consider monitoring their accounts and online identity as an added security measure. Recipients of suspicious messages were directed to report any activity to the Canadian Anti-Fraud Centre and to contact their local police if they became a victim of fraud.
For individuals with questions, the City established a direct point of contact. The public was instructed to email [email protected] or call 604-276-4000 during business hours of 8:15am to 5:00pm, Monday to Friday, excluding holidays. The City’s ongoing stance, stated in its public disclosure, is that like many organizations, it can be a target for cybercrime and has experienced instances of cybercrime over the past few months. The organization continues to work to prevent such attacks and protect the information and online safety of its customers and staff. The dissemination of fraudulent emails continued after the initial containment efforts, leading the City to maintain its public warnings in the interest of transparency.
