
Hackers Used Stolen Credentials to Breach City

Computer hacker | Image by Rawpixel.com/Shutterstock

Hackers allegedly used stolen login credentials to breach the City of Dallas’ computer system and steal more than a terabyte of sensitive employee data, the equivalent of 800,000 files.

The alleged ransomware attack began on April 7, 2023. It was carried out by a group known as Royal Ransomware, which previously claimed responsibility for the attack.

An After-Action Report published by the City suggested that the attack was orchestrated using stolen login credentials.

“Using the City service account credentials, Royal performed reconnaissance activities in the City’s IT infrastructure during the period of April 7, 2023, through May 4, 2023,” the report reads. “During this time, Royal performed data exfiltration and ransomware delivery preparation activities. The data exfiltration activities performed during the surveillance period resulted in data leakages totaling an estimated 1.169 TB at a time prior to May 03, 2023.”

According to the report, Royal Ransomware left a file entitled “README” on City systems in which they told the City they were responsible for the attack.

“Using its previously deployed beacons, Royal began moving through the city’s network and encrypting an apparently prioritized list of servers using legitimate Microsoft system administrative tools,” the report said.

City staff briefed the Dallas City Council on the After-Action Report on Wednesday, as reported by The Dallas Express, but declined to answer many of the council members’ questions in a public setting, saying they would be better suited for a closed executive session.

However, both Chief Information Officer Bill Zielinski and Chief Information Security Officer Brian Gardner confirmed that hackers used “stolen credentials.”

“That’s actually one of the strengths that these attack groups have is that they’re very sophisticated,” said Zielinski. “Once they get into the system, they’re very good at avoiding that detection.”

Council Member Paul Ridley asked staff how hackers obtained the credentials used to access City systems, but Zielinski said that question would have to be answered during a closed session.

Council Member Cara Mendelsohn asked how far back the files that hackers stole go, but Zielinski also recommended that the topic not be discussed in an open session.

As previously reported by The Dallas Express, hackers allegedly stole the personal information of more than 26,000 people, including children. City staff initially claimed no sensitive information was stolen during the attack but later flipped the script and admitted such information was stolen.

However, City Manager T.C. Broadnax maintains the City did a “great job” responding to the purported ransomware attack. He claims that the City’s overall response was successful but admits its messaging was poor.

The alleged attack has cost the City millions of taxpayer dollars, as previously reported by The Dallas Express.
