The FBI and Department of Homeland Security are assisting the city in its investigation of a ransomware attack that Mayor G.T. Bynum acknowledged Monday is slowing the delivery of city services, including the work of police and firefighters.
“As far as the computer system that officers rely on, as far as computer system notification that the Fire Department uses, those are down,” Bynum said. “And so both departments are having to utilize alternative methods to share information between dispatch and the field so that teams can get out there and do their work, and that slows the process, and that is why it is such a high priority for us to get those systems back up.”
Bynum made his remarks during the city’s first briefing on the hack since it was announced Saturday.
Chief Information Officer Michael Dellinger said the city is still investigating the source of the cyberattack but did not rule out the possibility that it could be associated with the malware that shut down the Colonial Pipeline last week. The FBI on Monday identified the source of that hack as a group called Darkside.
“It is very similar,” Dellinger said.
Early indications are that the first botnet — internet-connected devices infected by malware used to gain access to computer systems — reached the city’s computer system April 21 but was not detected until May 6, Dellinger said.
“Many of (those) things lie dormant and so they don’t actually do anything or enact anything,” Dellinger said. “It is when they actually start to do things that systems will detect them.”
The city received both internal and external notifications of the malware, Dellinger said, but has yet to determine exactly how it entered the city’s computer system. Approximately 60,000 emails a day come through the city’s email server, Dellinger said, and firewall attacks are common.
The largest component of the city’s computer system affected by the hack was the authentication system, which is now undergoing a thorough examination before it is brought back online.
“It is an ongoing defense posture that we have to take,” he said.
Neither Bynum nor Dellinger could say when the city’s computer system would be up and running again, but both stressed that the public safety systems are at the top of the priority list.
The cyberattack included a demand that the city make contact with someone, Dellinger said, “so we would assume at that point that is when the demand for money would take place.”
Instead, the city identified the compromised systems and shut them down. All city employees working out of City Hall have been instructed to keep their computers off and disconnect from the city’s network.
“It definitely was a close call,” Dellinger said. “We were notified rather early in the process and were able to halt it before it did serious damage.”
In a Facebook message posted Sunday night, the city said that no customer information has been compromised by the cyberattack, that residents would see delays in network services, and that Information Technology and security teams have shut down many internal systems out of “an abundance of caution,” according to a news release.
Tulsa Municipal Courts and City Hall cannot accept debit or credit card payments for services. The entities will accept cash, checks and money orders.
Municipal Court visitors who wish to make a payment should bring their citation when possible. Late fees for payments due from May 10-14 will not be assessed and warrants for failure to pay will not be issued during this period, the release states.
New account registration for utility billing is also unavailable. Those in need may make a payment and view their account as a guest as long as they have the new account number and customer ID, as well as the name on the account exactly as it appears on the bill.
The city’s Customer Care Center, 311, will be able to take calls, but services will be limited. The line is expecting a higher call volume than normal, and the city asked that callers be patient.
Bynum said investments in cybersecurity technology made over the last few years paid off because the city had systems in place that limited the effects of malware even if it breaches the city’s outer defenses, which is what happened last week.
“We are very fortunate that we had those systems in place that allow us now to go about restoring our networks rather than being beholden to any sort of extortion,” Bynum said.
While acknowledging that the cyberattack is slowing city services, the mayor said he did not want the public to think city workers aren’t out staying busy.
“Firefighters and police officers and street crews and code inspectors, they are all still out in the field doing their jobs,” he said. “They are just not able to work as efficiently as we want them to be able to work or as speedily as we want them to be able to work because these networks are down while they are cleaned and restored.”
Tulsa police, meanwhile, are encouraging the public to use the department’s online reporting system to report nonemergencies.
The reporting system is operated by a third-party vendor not affected by the hack.