For those who use LoTW or are just curious here is an update on what I presume is a “ransomware” attack on ARRL 3+ weeks ago.
Rough time for ARRL team in CT.
On or around May 12, 2024, ARRL was the victim of a sophisticated network attack by a malicious international cyber group. ARRL immediately involved the FBI and engaged with third party experts to investigate.
This serious incident was extensive and categorized by the FBI as “unique,” compromising network devices, servers, cloud-based systems, and PCs.
ARRL management quickly established an incident response team. This has led to an extensive effort to contain and remediate the networks, restore servers, and staff are beginning the testing of applications and interfaces to ensure proper operation.
Thank you for your patience and understanding as our staff continue to work through this with an outstanding team of experts to restore full functionality to our systems and services.
We will continue to update members as advised and to the extent we are able.
Hi Paul,
This has been a warning to all those who run even non-commercial websites and online servers that they can be the target for attacks and that network security is a critical matter to consider and address.
73 Ed.
My question would be “Why did it take them 3 weeks to tell anyone?” Looking at their web site at arrl.org they have been calling it a “Systems Service Disruption” as if it was the same level as a power outage.
I was talking to Paul about this yesterday and we surmised this may be the problem. Colin, you and I have both worked at the sharp end of software development and we know that you have to be ever vigilant against these attacks and no matter how good you think you are, you can still be caught out. We also know that the best action is to announce the attack ASAP. Sure people will have a snigger “uh oh the ARRL’s been caught hohoho” and then we get on thinking how will this affect me? Anything I need to do NOW? However, the PR people and marketing people who don’t understand tech will ALWAYS try and cover up because they want to save face. It’s a bit like car recalls. Who would you rather buy a car from, the one with plenty of vehicle recalls to fix possible problems or the ones who never have recalls, because I can guarantee that they don’t have recalls because they don’t have faults.
You’d like to think a reasonably tech company like the ARRL would not get caught and it will probably turn out that it was a member of staff who got caught out with a spam mail etc. We have continuous phishing tests where I work, a $6B tech company with about 19000 staff. Despite the training we get in recognising dodgy looking emails etc. somebody gets caught every month by the tests.
In Connecticut there are laws that such attacks need to be announced within a certain period and if secure personal information is involved the FBI have to get involved. So the earlier announcements made were conformant with the legal requirements I believe and now they are able to give more information, however, we will never know exactly what happened as that would be information for other prospective hackers.
The motive is money - the hacker will ask for a ransom to tell the affected company what has been done so that they can fix it quickly (and patch the security hole to stop it from being used again). From what the ARRL said in this case there was no valuable data stolen.
73 Ed.
A common issue John is that the rogues breach your system and embed “stuff” in your files but don’t do anything else. Then you backup your files and sometime later they strike. Now you are well snookered because you are not sure whether any backups you have are “safe”. In addition you have to restore all the desktops and laptops staff use from known clean backups. And in today’s world there are going to be plenty of virtual machines running. (e.g. right now I have 3 Windows VMs, 6 Linux VMs managed by IT for my USB and Ethernet work plus another 4 Windows and * Linux VMs that are used for “dirty” work). So not only do you have to verify the VM host is clean but then you have to verify every single VM.
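One way to tackle the “are my backups safe?” problem the post above describes, as an added example that is not part of the thread or ARRL’s tooling: hash every file in a backup, then compare a later backup generation against a known-clean baseline and flag anything added or altered under paths that should never change between backups (binaries, cron entries). The watched prefixes and the two manifests are constructed for illustration.

```python
import hashlib
import os

# Added example (not ARRL's code): compare a later backup's file manifest to a
# known-clean baseline.  Paths under WATCHED are expected to be byte-identical
# between backups, so anything new or altered there is flagged for review
# before the backup is trusted for a restore.  Hypothetical paths.
WATCHED = ("/usr/bin/", "/usr/sbin/", "/etc/cron.d/")

def build_manifest(root):
    """Map every file under root (as a '/'-rooted path) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest
    return manifest

def diff_manifests(baseline, candidate, watched=WATCHED):
    """Report added/modified/removed files under the watched prefixes only;
    user data (logs, QSO files) is expected to change and is ignored."""
    keys = set(baseline) | set(candidate)
    out = {"added": [], "modified": [], "removed": []}
    for p in sorted(k for k in keys if k.startswith(watched)):
        if p not in baseline:
            out["added"].append(p)
        elif p not in candidate:
            out["removed"].append(p)
        elif baseline[p] != candidate[p]:
            out["modified"].append(p)
    return out

def backup_is_trustworthy(baseline, candidate):
    """Safe to restore from only if nothing in the watched set changed at all."""
    return not any(diff_manifests(baseline, candidate).values())

# Constructed manifests standing in for two backup generations: the second
# gained a cron entry under /etc/cron.d that no baseline ever contained.
CLEAN = {"/usr/bin/ssh": "a" * 64, "/etc/cron.d/logrotate": "b" * 64,
         "/home/op/log.adi": "c" * 64}
LATER = {"/usr/bin/ssh": "a" * 64, "/etc/cron.d/logrotate": "b" * 64,
         "/etc/cron.d/update": "d" * 64, "/home/op/log.adi": "e" * 64}

if __name__ == "__main__":
    print(diff_manifests(CLEAN, LATER), backup_is_trustworthy(CLEAN, LATER))
```

Run `build_manifest` against each mounted backup (and against each VM’s disk image) and keep the resulting manifests outside the backup set, so an attacker who tampers with the backups cannot also rewrite the record you compare them against.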
We had a ransomware attack at work a couple of years ago. It was due to a vulnerability in the Microsoft Exchange server. It was some time between the exploit and the attack. I don’t believe we lost any data or paid any ransom. The biggest cost was the time we were unable to do any billable work. We were upfront with our customers and I think our reputation actually increased due to the way we dealt with it.
We’ve not been (that I know of) subject to a ransomware attack but we have had a couple of virus outbreaks that have spread across the network. Those were fun days … :-o
Where? The only detailed info is on the ARRL website dated yesterday and they are still calling it “disruption” in the heading rather than admitting it was an attack.
Maybe members were told privately earlier, but that doesn’t help the thousands of LotW users that are not members.
It could be a bit more complex than that. If you read all the bulletins the Federal Bureau of Investigation was notified immediately. The breach was determined to be “unique” and an investigation was started immediately. Perhaps the FBI was calling the shots as they chased down leads. You don’t always want the perpetrator to know the extent of the damage. No-one really knows, outside of ARRL folks, at this point and that could be the goal. The fix is, obviously, not an easy one.
@M0VAZ I’d be interested to see if it was targeted or opportunistic John.
These are always “sophisticated” attacks. No-one wants to admit their security controls failed. Hopefully ARRL have good backups, incident mitigations etc and can rebuild things quickly enough - good luck to the IT teams working on restoring service.
For most organisations these days, it is generally a ‘when’ not ‘if’ this will happen…
I shared with Andy a story from when a startup I was at was being acquired by RSA, whose physical token system had been recently compromised by a nation state, and how they were amazingly transparent about what had happened.
I’m long retired out of the cyber security space and toward the end realized it’s a dirty, depressing and messy space to be in. Everything seems to be stacked against the good guys.
At the end of the day the ARRL isn’t a super tech savvy organization, nor should it really be one as its main goal is to promote and protect amateur radio in the US. Hopefully it has outsourced much of the heavy lifting around securing what is important.
I feel for them… not much fun to deal with it, especially as much is quite alien to them.