D.C. Police Department data is leaked in a cyberattack
By Nicole Perlroth and Julian E. Barnes
Hacked data from the Washington, D.C., Police Department started leaking onto the internet Monday, making it the third police department in the United States to be hit by cybercriminals in six weeks.
A group that emerged this year called Babuk claimed responsibility for the leak. Babuk is known for ransomware attacks, which hold victims’ data hostage until they pay a ransom, often in Bitcoin. The group also hit the Houston Rockets NBA team this month.
In their post to the dark web, Babuk’s cybercriminals claimed they had downloaded 250 gigabytes of data and threatened to leak it if their ransom demands were not met in three days. They also threatened to release information about police informants to criminal gangs, and to continue attacking “the state sector,” including the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. The information already released appeared to include chief’s reports, lists of arrests and lists of persons of interest.
The attack appeared to add another high-profile victim to what has become a digital plague in the United States. Since the start of the year, 26 government agencies have been hit by ransomware, and 16 of those have been the targets of a novel extortion attack in which cybercriminals do not just hold data hostage, but leak it online when victims refuse to pay.
Police computers are especially vulnerable to ransomware because many run ancient systems and software. Although Washington’s police force, called the Metropolitan Police Department, appears to be by far the largest recent victim, earlier in April, the police in the small city of Presque Isle, Maine, were hit by a separate ransomware group that leaked their data online, and in March, the police in Azusa, California, outside Los Angeles, were also hit.
The spate of attacks comes as the Biden administration is trying to step up the nation’s cyberdefenses after a series of devastating and far-ranging hackings, including by foreign adversaries, against the federal government and a range of defense contractors, companies and other institutions in the United States. An executive order, meant as something of a first step, is expected soon from the White House. But officials acknowledge that the order alone will do little to stop the attacks.
Officer Hugh Carew, a spokesperson for the Metropolitan Police, declined to answer detailed questions about the hacking Monday, but said in a statement that the police were aware of “unauthorized access on our server.”
He said the police were still working to review the unauthorized activity and to determine the full effect on their network. The department has asked the FBI to investigate the matter, but the bureau did not immediately respond to a request for comment.
The police statement did not mention ransomware. It was not clear if the cybercriminals had successfully locked down the department’s computer networks, in addition to siphoning out its data.
Ransomware dates back almost a decade, when Eastern European cybercriminals infected individual computer users in Europe with malware that encrypted their data until they paid 200 to 300 euros.
But over the past decade, cybercriminals have moved on to big targets in the United States: major corporations like Honeywell, which was the victim of a ransomware attack and data leak this month; cities like Baltimore and New Orleans; and police departments, schools and hospitals, each with increasingly urgent reasons for needing to recover data and digital access amid the coronavirus pandemic.
The pandemic coincided with the worst year on record for ransomware attacks last year, with ransom demands to victims averaging more than $100,000 and in some cases totaling tens of millions of dollars, according to the Justice Department.
Last week, the Biden administration tapped John Carlin, the acting deputy attorney general, to lead a ransomware task force of FBI agents and prosecutors from the Justice Department’s criminal and national security divisions, among others.
“Ransomware can have devastating human and financial consequences,” Carlin wrote in a staff memo dated April 20. “When criminals target critical infrastructure such as hospitals, utilities and municipal networks, their activity jeopardizes the safety and health of Americans.”
Some 27 ransomware groups are now stealing and leaking data, according to Brett Callow, a threat analyst at Emsisoft, a security company.
“The attackers are utilizing stolen data in more extreme ways,” Callow said. “In this case, they’re threatening to release informant data to gangs. In others, they have contacted customers directly asking them to pressure victims into paying, to stop their personal data from being released.”
Callow noted that when the police in Dade City, Florida, were hit by the ransomware group Avaddon in December, cybercriminals leaked department data online — including police photographs of dead bodies at crime scenes.
Beyond the release of such sensitive data, attacks on police departments can have devastating consequences on investigations. After a ransomware attack hit a police department in Stuart, Florida, in April 2019, prosecutors were forced to drop 11 narcotics cases against six drug-dealing suspects after critical evidence was destroyed.
“The situation will continue to get worse and worse until governments develop an effective strategy,” Callow said.