A Muni rider purchases a ticket at the Powell Street station (Jessica Christian/S.F. Examiner)

FBI announces investigation into Muni hacking

The FBI is investigating the recent hacking into Muni’s computer systems, the San Francisco Examiner has learned.

“The FBI has an open investigation” into the Muni incident, FBI spokesperson Prentice Danner told the Examiner on Tuesday.

Though the FBI said previously the agency was in communication with the San Francisco Municipal Transportation Agency, this is the first time they’ve confirmed an open investigation into the incident.

San Francisco transit officials said that Muni computer systems were compromised late Friday after an SFMTA employee apparently downloaded “ransomware,” a form of malware that allows an attacker to lock up a victim’s computers and demand a ransom to release them for use.

The alleged attacker who took over Muni’s computer systems has demanded 100 bitcoin, equivalent to $73,000, in ransom for stolen city data. The SFMTA has said it refuses to pay the ransom.

Also Tuesday morning, nationally noted cyber crime journalist Brian Krebs revealed on his blog, KrebsOnSecurity, that the Muni hacker may have been hacked.

“Turns out, the miscreant behind this extortion attempt got hacked himself this past weekend,” Krebs wrote, “revealing details about other victims as well as tantalizing clues about his identity and location.”

The new hacker, whose email identifies them as Nick Maxxwell, also contacted the San Francisco Examiner. Maxxwell claimed to have taken over the original hacker’s email account, which was on the Russian-based email service Yandex, by guessing the account’s password reset security answer.

“I’m waiting for the fbi [sic] to reply to the info I have for them,” Maxxwell wrote. “There [sic] kind of slow it seems on getting back to me.”

The entire message across Muni computers on Friday and through the weekend read, “You Hacked, ALL Data Encrypted. Contact For Key(cryptom27@yandex.com)ID:681 ,Enter.” Muni subway fare computers were out of service on Saturday and early Sunday before they were restored. Documents obtained by the Examiner from the alleged malware attacker show perhaps as many as 2,000 SFMTA computers were compromised.

Danner was unable to confirm whether the FBI was in contact with Maxxwell. But Maxxwell presented screenshots of the Examiner’s correspondence with the original hacker as proof that they broke into the account.

Krebs, the cyber crime journalist, apparently spoke to the new hacker, and wrote in his blog they were a security researcher who wished to remain anonymous, perhaps implying Maxxwell is a pseudonym. Krebs wrote that the original hacker, known only by the common hacking pseudonym Andy Saolis, was successful in ransoming other organizations’ data and has made at least $140,000 in other such attempts.

“We’ve never considered paying the ransom,” SFMTA spokesperson Paul Rose said previously, “because we have in-house staff capable of recovering all systems, and we’re doing that now.”
