A Muni rider purchases a ticket at the Powell Street station (Jessica Christian/S.F. Examiner)

SFMTA denies claim that computer system attack has been ongoing

The malicious software that disabled more than 2,000 Muni computer systems may have spread for two weeks, though the agency denies the attack has lasted that long.

Eric Psalmond, a local software engineer who studies IT security, told the San Francisco Examiner he saw the “You Hacked” message on a computer screen in a station agent’s booth at the Civic Center station on Nov. 13.

“I’m a software developer,” Psalmond said. “I recognized it immediately for being a crypto attack.”

San Francisco transit officials, however, said Muni computer systems were compromised late Friday after a San Francisco Municipal Transportation Agency employee apparently downloaded “ransomware,” a form of malware that allows an attacker to lock up a victim’s computers and demand a ransom to release them for use.

SFMTA spokesperson Paul Rose said it was “not true” that the malware attack ramped up for weeks, and said the attack only started late Friday and lasted until early Sunday.

The alleged attacker who took over Muni’s computer systems has demanded $73,000 in ransom for stolen city data.

But digital security professionals who spoke with the Examiner on background said a two-week ramp-up period prior to ransomware deployment is “very possible.”

“Once the attacker has a foothold in the environment, they will perform reconnaissance to understand the layout of the victim’s systems,” said Jason Rebholz, director of professional services at the cyber attack response firm The Crypsis Group.

That “reconnaissance” may allow an attacker to deploy that ransomware broadly throughout a computer network, according to Rebholz.

Meanwhile, FBI spokesperson Prentice Danner said the FBI “is aware of the intrusion and in contact with Muni officials.”

Rose said the SFMTA is also in communication with the Department of Homeland Security.

Earlier this year, the FBI released a statement saying ransomware-style attacks have been on the rise.

“Personal information of Muni customers were not compromised as part of this incident,” Rose said Monday.

“We’ve never considered paying the ransom,” Rose added, “because we have in-house staff capable of recovering all systems, and we’re doing that now.”

The entire message across Muni computers on Friday and through the weekend read, “You Hacked, ALL Data Encrypted. Contact For Key(cryptom27@yandex.com)ID:681 ,Enter.”

Lisa Walton, SFMTA’s chief technology officer, wrote an email to all of the agency’s nearly 6,000 employees late Sunday night regarding the attack.

When employees arrive at their workstations and their laptop or desktop is powered off, she wrote, if “you do not see a label that indicates ‘CLEAN’ DO NOT turn it on” until clearance is given.

Walton wrote that a “dedicated group” of staff worked over the weekend to ensure security of the SFMTA’s computer network.

Despite Rose’s guarantee of customer safeguards, the alleged malware attacker — known only by a common ransomware pseudonym, “Andy Saolis” — on Monday issued a new threat to Muni through various news agencies, claiming customer data was compromised.

“But if ugly hacker’s attack to Operational Railways System’s, what happen to You?” the alleged attacker wrote. “Anyone See Something like that in Hollywood Movies But it’s Completely Possible in Real World!”

The alleged attacker wrote they gained access through a Windows 2000 PC server at the SFMTA, including “all payment kiosk and internal automation and Email,” and threatened to release 30 gigabytes worth of contracts, employee data, customer data and more.

The SFMTA’s deadline to pay the ransom is Friday, according to the alleged attacker, though previously the deadline was Monday.

The computer takeover is not an attempt to gain control of computer-run train operations, according to the alleged attacker.

The alleged attacker sent the Examiner and other news outlets a list of about 2,000 computers — out of the SFMTA’s estimated 8,000 computer systems — that they now control, which may give some indication of the data that the attackers have at their fingertips.

Among them were a computer belonging to Kate Toran, head of SFMTA taxi services; Muni “CCTVS,” which may stand for Closed Circuit TV (a surveillance system); Muni HR-DMV; and a computer named “DATSERVICES.”

Another computer, MUNIFLYNN, may contain data from Muni’s Flynn Division, which is a bus yard.

Rose said he had not seen the list of computers.

“Our firewalls were never penetrated,” Rose said, reiterating that the SFMTA would not pay the ransom.