The start of this news story reads like a typical vaguely futuristic plot from a movie that isn’t hard to imagine coming to a theater near you.
First, a hacker breaks into the fare system of the San Francisco Municipal Railway on Friday. Unable to immediately regain control of the system, railway officials allow free rides until further notice. Then the hacker demands a ransom to stop the attack, but officials release a statement on Sunday saying the situation is “contained,” and things are soon mostly back to normal.
The lasting effect on the transit system is likely minimal. Neither trains nor buses were affected by the hack, and the perpetrator wasn’t able to steal any customer information, according to the San Francisco Municipal Transportation Agency. But it’s not hard to see how this could be the beginning of a larger series of attacks on public infrastructure.
“With any of these attacks, the level of effectiveness will really dictate that we’ll see more of them,” Justin Fier, the director of cyber intelligence and analysis at Darktrace, a cybersecurity firm, told Mashable. “Thankfully it was minimal and it didn’t affect actual trains, but my hope is that it doesn’t continue to adapt and hit more sophisticated pieces of our infrastructure.”
The level of effectiveness depends on how you look at the hack.
According to the hacker, the malware found a home in the MUNI transit fare system by something of an accident.
“Our software working completely automatically and we don’t have targeted attack to anywhere,” the hacker, who used the email account firstname.lastname@example.org, told The Verge via email over the weekend. “SFMTA network was Very Open and 2000 Server/PC infected by software.”
If we believe the person behind that email account (which also appeared on hacked fare machines in San Francisco), then the malware was likely self-reproducing, and was sent out to email account after email account until someone downloaded an infected attachment.
The person behind the email account said they were asking for 100 bitcoin, worth around $73,000, when they were contacted by The San Francisco Examiner. They claimed they hadn’t been contacted by any transit officials at the time of that article, and they have not responded to Mashable as of this writing.
Though the attacker’s conversations with journalists make the digital assault seem random, Fier believes it was fairly targeted. Fier believes institutions are more likely than individuals to pay a ransom. Other victims of “ransomware” attacks, including schools and hospitals, need to be open and operational in order to provide their services and make money. It seems reasonable to conclude that a hacker looking for money is aware of that and will tailor his or her targets accordingly, rather than send out self-replicating malware in hopes that it finds a target with enough money to potentially provide a sizable ransom.
MUNI’s Sunday statement made no mention of paying any kind of ransom requested by the hacker, but the hacker may have gotten what they wanted regardless.
“Of course the money would have been nice, but I’m sure they will be just as happy with the level of exposure they got,” Fier said. “It will show them how media in particular will react to it, and they might attempt again based on those reactions.”