Cyber-War: The Big Hack of NYC

A scenario that could happen based on what already has.


On December 4, 2017, at a little before nine in the morning, an executive at Goldman Sachs was swiping through the day’s market report in the backseat of a hired SUV heading south on the West Side Highway when his car suddenly swerved to the left, throwing him against the window and pinning a sedan and its driver against the concrete median. A taxi ran into the SUV’s rear fender and spun into the next lane, forcing a school-bus driver to slam on his brakes. Within minutes, nothing was moving from the Intrepid to the Whitney. When the Goldman exec came to, his driver swore that the crash hadn’t been his fault: The car had done it.1

Moments later, on the George Washington Bridge, an SUV veered in front of an 18-wheeler, causing it to jackknife across all four lanes and block traffic heading into the city. The crashes were not a coincidence. Within minutes, there were pileups on 51st Street, the southbound BQE, as far north as the Merritt Parkway, and inside the Midtown Tunnel. By nine, Canal Street was paralyzed, as was the corner of 23rd and Broadway, and every tentacle of what used to be called the Triborough Bridge. At the center of each accident was an SUV of the same make and model, but as the calls came in to the city’s 911 centers in the Bronx and Brooklyn, the operators simply chalked them up to Monday-morning road rage. No one had yet realized that New York City had just been hit by a cyberattack — or that, with the city’s water system, mass transportation, banks, emergency services, and pretty much everything else now wired together in the name of technological progress, the worst was yet to come.2

THE REAL HACKS

The fictional account imagined here is based on dozens of conversations with cybersecurity experts, hackers, government officials, and more. An attack of such scope is unlikely, but each component is inspired by events that can, and in most cases have, happened.

1. In 2015, carmakers began paying greater attention to the fact that some new vehicles, now connected to the internet, had become as hackable as laptops. In March, researchers found hackers were able to access the ignition on Audi, BMW, Ford, Honda, Hyundai, Kia, Lexus, Mazda, Mitsubishi, Nissan, Range Rover, Subaru, Toyota, and Volkswagen cars.

2. Homeland Security recently estimated that one major cyberattack — the NSA chief has said it’s a matter of “when, not if” — could cost $50 billion and cause 2,500 fatalities.

A third-year resident in the emergency room at Columbia University Medical Center in Washington Heights walked through the hospital as a television was airing images from the accident on the George Washington Bridge; that meant several crash victims would soon be heading her way. When she got to her computer, she tried logging into the network to check on the patients who were already there, but she was greeted with an error message that read WE’RE NOT LOOKING FOR BITCOIN THIS TIME.

Columbia, like major institutions across the country, had spent the past few years fighting so-called ransomware attacks, in which hackers locked a hospital or city hall or police department out of its own network until a ransom was paid.3 Hospital security teams had gotten wise to the problem, but every network’s defenses had the same vulnerability: the people who used it.4 For weeks, a group of hackers had been sending LinkedIn messages to employees at Columbia pretending to be recruiters from Mount Sinai. When an employee opened an attachment featuring the recruiting pitch — as ten of them did — and enabled the macros as prompted onscreen — four of them did — they unknowingly unleashed malware onto their computer and gave the hackers a beachhead. After months of lurking5, the hackers blocked Columbia’s doctors and nurses from accessing their network, including patient files. Doctors couldn’t access prescription records telling them which patients were scheduled to take which drugs when and resorted to improvised paper-record keeping6, which many of the younger doctors had never done before. In nearly every corridor, they were consulting with one another in a panic, asking how much of their own expertise was really stored in the cloud and had just disappeared.

3. In February, a hospital in L.A. paid 40 bitcoins, or about $17,000, to get back into its system. Russian hackers have even set up English-language call centers to explain to victims how to acquire and send bitcoins.

4. Hackers recently sent Pennsylvania drivers fake traffic tickets with malware, using GPS data so the tickets seemed to be from red-light cameras on their route home.

5. The average data breach is only identified five months later; hackers were allegedly inside a Ukrainian utility network for six months before shutting off electricity.

6. In March, a D.C.-area hospital system was hacked and forced to keep paper records. They got so overwhelmed they turned away cancer patients with radiation appointments.

The crowd in the waiting room swelled and grew more tense as nurses ran by patients, unable to give updates on when they might be seen. Various procedures were taking longer than they should have — one man was kept on a powerful antibiotic for several hours, with serious side effects, before a delayed lab result came back reporting that he should go off the medication — and the staff was having trouble keeping track of patients. A little before noon, a man walked into the hospital looking for his wife, whom he had dropped off early that morning for a simple surgical procedure. A few minutes later, the nurse told him that it appeared his wife had been discharged.

Most New Yorkers were proceeding with their day unaware. But the city’s head of cybersecurity7 had begun to connect the dots: Six hospitals had already informed him that their systems had been shut down, and the city had sent out warnings to all the others. One Police Plaza had just reported that it, too, was locked out of the programs it used to dispatch officers and emergency personnel8, which made responding to the traffic accidents around the city that much harder.

7. New York’s first head of cybersecurity started the job earlier this year.

8. In April, Newark’s police were locked out of their computer system for three days.

After a few phone calls to friends in the private sector, the cybersecurity chief got more nervous. At the beginning of 2017, one friend told him, she had been called to investigate a mysterious occurrence at a water-treatment plant: The valves that controlled the amount of chlorine released into the water had been opening and closing with unexplained irregularity9. An alarm had gone off, so none of the tainted water had reached consumers, and the company’s CEO brushed off the consultant’s request to make the news public so others could prepare for similar attacks.

9. Investigators recently reported a similar incident at an undisclosed water company.

At MetroTech, New York’s cybersecurity chief pulled out the Office of Emergency Management’s 42-page booklet on how the city should react to a cyberattack — a copy of which he had printed out and stashed in his desk drawer in case his department’s own network was compromised — and was flipping from page to page when he got a call from a reporter.

At 12:30 p.m., the Times published a story reporting that “government officials” believed that the city was being hit with a wave of cyberattacks that appeared to be ongoing. A tipster claimed the hackers had caused at least a dozen car crashes and debilitated multiple hospitals and agencies — with more to come. If they could crash a car, could they crash a subway? The Times report included a line from a nurse at New York–Presbyterian who said that the initial message announcing that the network was blocked had included a link to a web page that was displaying a timer ticking down to 1 p.m. and text that read MORE PATIENTS WILL BE ARRIVING SOON.

The group of 10 European black-hat hackers11 who launched the attack against New York had spent much of the previous decade breaking into American corporate networks — credit-card companies, hospitals, big-box retailers — mostly for profit,12 and sometimes just because they could. When those attacks became routine, the group moved into more politically inclined hacks, both against13 and on behalf14 of various governments, rigging elections15 and fomenting dissent. In the summer of 2016, the hackers received an anonymous offer of $100 million to perform a cyberattack that would debilitate a major American city. The group’s members weren’t much interested in death and destruction per se, so they declined their funder’s request for a “Cyber 9/11.”16 But to self-identified anarchists with a reflexively nihilistic will to power, the proposition had some appeal. Causing disruption was something that had been on their minds recently, as their conversations veered toward the problems with global capitalism, the rise of technocentrism, bitcoin, and the hubris required to nominate a man like Donald Trump. Their animus got more personal when American authorities arrested a well-respected white-hat hacker who had broken into an insulin pump in order to show the dangers of connecting devices17 without proper security. The black hats were on the opposite end of the ideological spectrum but had more empathy for their fellow hacker than they did for the American people, who, they felt, deserved a comeuppance — or at least a very loud “Fuck you.” The plan was to show how much of modern life in a city like New York could be disrupted by purely digital means. The hackers would get paid, but they also hoped their attack would dent America’s complacent faith in order and in the technology and political authority that undergirded it. As a bonus, their services would be in even greater demand.

10. Hackers are often identified by the malware they use: One group is known as Sandworm, because references to the sci-fi series ‘Dune,’ which features giant desert worms, were embedded in its code.

11. The hacker world divides into white hats, who are the good guys, and black hats, who are out to cause havoc or for personal gain.

12. According to the FBI, those hit by cyberattacks have paid more than $200 million in ransoms so far this year, compared with just $25 million in all of 2015.

13. Earlier this year, Congress was the target of a string of ransomware attacks.

14. An Italian company called Hacking Team has been criticized for offering hacking services to dozens of countries, many with poor human-rights records.

15. Andrés Sepúlveda, a Colombian hacker, recently told Bloomberg that he had helped rig elections in nine different Latin American countries, including by installing malware on campaign routers to spy on digital and phone communications.

16. Last year, a researcher claimed he had hacked into a plane’s seat-back entertainment system and could then access the cockpit controls on a Boeing jet flying from Denver to Chicago. Boeing has said this is impossible.

17. In 2014, a company tracking medical devices at more than 60 hospitals found malware in every hospital. Last year, another researcher was able to manipulate several drug-infusion pumps so he could, potentially, deliver a fatal dosage of medication.

No one had pulled off an attack of this magnitude, but it was possible to piece together a plan from various hacks that had been executed before, which, taken together, were a sort of open-source blueprint available to anyone with an interest in remote-control terrorism (and the time and manpower it required). This group was small, relatively speaking, and benign, relatively speaking. ISIS, for instance, might have a more pronounced bloodlust but not (yet) the technical capabilities; Chinese or Russian hacking operations would have many more resources and a much more sophisticated strategy that could bring even more targets, like nuclear-power plants,18 into play.

18. It took several years for hackers allegedly working for the U.S. and Israel to develop Stuxnet, a computer worm that disabled an Iranian nuclear reactor in 2010.

These hackers decided to start with cars. The team’s members found a particular automaker’s flagship SUV especially hackable,19 bought one to test their work (to help fund the operation, they had pulled from the millions they had made in several attacks against financial institutions, including a recent hack of the Central Bank of Bolivia20), and, within a month, could shut off the ignition, turn off the brakes, and cause the steering wheel to jerk to the left.

19. In 2015, for an article in Wired, two hackers in St. Louis took control of a Jeep traveling 75 mph, sprayed wiper fluid so the driver couldn’t see, then cut the transmission.

20. In February, hackers stole the credentials of several employees in the Bangladeshi Central Bank using malware that tracked keystrokes as the employees entered passwords and were then able to transfer $81 million into private accounts. (They might have stolen more had they not misspelled the word “foundation” in one of the transfers, triggering an alarm.) The underlying system of financial transactions, known as SWIFT, has since come under scrutiny after similar attempted attacks at other banks.

Read the Remainder at NY Mag
