Cleveland cyberattack forces city officials to cut network access

Hackers infiltrated the government networks of the City of Cleveland, Ohio, forcing officials to cut off public access to City Hall on Wednesday. Security teams had already shut down IT systems during Monday's attack in an attempt to contain the damage.

In an update on the social media platform X on Tuesday evening, Cleveland officials said that security teams first became aware of “abnormalities” in the city’s IT environment on Monday.

After taking “precautionary actions to contain those abnormalities” which involved cutting off access to city systems, the City said it has been busy “investigating the nature and scope of the incident.”

The update also made sure to inform the City’s more than 360,000 residents that all emergency services, including 911 call centers, police and fire departments, as well as EMS services are all operating normally.

Cleveland is Ohio’s second largest city after Columbus, the state capital.

According to the latest update, Cleveland’s City Hall and ErieView Plaza, shuttered in the wake of the attack, will reopen on Wednesday at 11:00 a.m. CT – but only to employees.

By late Wednesday, the city decided to close down City Hall to non-employees, at least for the rest of the week, and has advised residents to postpone City Hall business until IT systems are fully operational.

As for the possibility of threat actors having gained unauthorized access to sensitive data, officials have confirmed that “certain City data” was unaffected, including:

  • Taxpayer information held by the CCA.
  • Customer information held by Public Utilities.

“Cyberattacks on cities across the United States have been an escalating issue, exemplified by the recent incident that forced Cleveland City Hall to shut down yesterday,” said Paul Laudanski, Director of Security Research at cybersecurity solutions firm Onapsis.

“While it is good that police, fire, and emergency medical services are still functioning in Cleveland, cyber incidents like this have the potential to disrupt public services,” Laudanski pointed out.

Luckily, other government services said to have escaped major disruptions include Cleveland’s Department of Public Utilities (water and power), municipal courts, trash collection, the recreation department, and port control at Hopkins and Burke Lakefront Airports, as well as the 311 resident information line.

The city says it is collaborating with several key partners who provide expert knowledge and deep experience in this work, and will continue to post updates on social media.

So far, no cybercriminal group has claimed the attack. Cybernews has reached out to Cleveland's Mayor Justin Bibb's office and will follow the story.

Municipalities are prime targets

Among Western nations, smaller and midsize cities with populations below the million mark have been a steady target for ransomware groups over the past few years.

Laudanski explained that “State and local governments are prime targets for cybercriminals due to their outdated security systems and shortage of skilled cybersecurity professionals.”

“The insufficient allocation of resources towards cybersecurity heightens the vulnerabilities of these organizations,” he said.

Full restoration of IT networks for these compromised municipalities can often take weeks, if not months, with some government officials choosing to pay the ransom demand – a practice the FBI does not support.

Previous attacks include the two California cities of Modesto and Oakland last February, the City of Dallas, Texas, in May, and the City of Leicester, England, in March.

Police in the California city of Modesto were forced to fall back on "old school policing" with handheld radios, and pen and paper on patrol, during a February cyberattack carried out by the Snatch ransomware gang.

All the attacks mentioned were eventually claimed by active ransomware gangs within weeks of taking place, including the Snatch cybercriminal gang, the Play cartel, the Royal gang (now known as BlackSuit), and the INC Ransom group, respectively.

All the ransomware outfits boasted of having exfiltrated troves of sensitive data during the attacks, eventually leaking the alleged caches onto the dark web when negotiations over ransom demands failed.

Laudanski said the Cleveland attack further highlights the persistent vulnerabilities in municipal cybersecurity, and underscores the need for robust defensive measures.

“Addressing this challenge requires a multi-faceted approach beginning with having the right skilled professionals, and fostering a strong culture of cybersecurity awareness,” he said.

Proactive measures to improve cyber resiliency suggested by Laudanski include “enhancing detection capabilities, as well as partnering with MS-ISAC to help with security assessments and plan of action.”

The Multi-State Information Sharing and Analysis Center (MS-ISAC) is part of the non-profit Center for Internet Security (CIS), and is backed by the US Cybersecurity and Infrastructure Security Agency (CISA).