Government silence on hack adds to uncertainty
A week after a cyberattack targeting government IT systems was made public, much remains offline and little has been disclosed beyond frequent updates about what’s not working.
The Government continues to ignore a litany of questions sent to it — some routine — and deflect others with the catch-all response that national security prevents it from commenting.
It has been a one-two punch to the island. Critical public services are unavailable and personal data may have been lost while the official silence on the matter has only served to shake confidence and increase uncertainty.
A picture of what happened is slowly beginning to emerge.
Conversations with whistle-blowing insiders, vendors, outside experts, and individuals and institutions affected by the outage, along with a paper trail of public disclosures in recent years, suggest an IT system that may not be meeting industry standards.
The picture is incomplete, and much cannot be confirmed, but comments from people with some knowledge of the state of IT in Bermuda and IT in general agree that the Government may not have been adhering to basic information-security guidelines.
One IT specialist who has done work for the government describes a network that was poorly protected and a management structure that was unprepared should an attack happen. The specialist insists that another intrusion occurred in recent years.
An IT contractor who has had work-related contact with the government said that staffing at the highest levels has been weak and that salaries for information security specialists are low by industry standards.
Another person familiar with the workings of government technology departments also noted a lack of investment in experienced technology professionals.
Anecdotes, all unconfirmed, suggest that officials at the highest levels were warned about potential problems.
One person said that signs of an impending cyberattack were detected by the private sector in recent weeks and that a warning was sent to the Government before the incident was disclosed.
Statements from the Government in recent years suggest weak infrastructure and an on-again-off-again approach to the problem.
They are also replete with big promises that, if followed through, might have prevented the recent attack.
According to Bermuda’s 2018-2022 Cybersecurity Strategy: “Bermuda does not have a formal framework for monitoring cyberthreats and for preventing, detecting and mitigating against cyberattacks.”
In June this year, Minister of National Security Michael Weeks said that a cybersecurity unit would be formed.
He added: “In March, the UK Office delivered their report and recommendations and the Premier and I reviewed these with Her Excellency, the Governor.
“I am pleased to report that most of the findings and recommendations from the report are already addressed in our National Cybersecurity Strategy and Government Cybersecurity Programme.”
Mr Weeks added: “The areas not already addressed will be considered when we update the cybersecurity programme and strategy during the current fiscal year.”
A number of simple steps can greatly reduce the odds of a successful attack, and these have been outlined by the British Government.
The list includes such basics as robust back-up, firewalls, strong password policies — including additional authentication for sensitive information — the updating of software and operating systems, access control and proper configuration.
The Government has not responded to questions about defences in place before the attack and whether it was implementing the basics of network protection.
When it comes to cyberattacks, Bermuda is in good company. Local governments and scores of companies have been hit in recent years by attacks.
Many ransomware attacks, in which data are encrypted and a fee must be paid to the attackers to get the data unfrozen and then restored, have been reported.
In May, Dallas was hit by a ransomware attack that resulted in the loss of more than a terabyte of data and cost the city $8.6 million in vendor fees to fight and recover from the attack.
In August, Clorox was hit by an attack that forced it to manually process orders and knocked about $3 billion off the market capitalisation of the US company.
In early 2022, Costa Rica was hit by a ransomware attack in which $10 million was first demanded, and then $20 million, according to press reports.
Reports are just now emerging of a possible ransomware attack on Sony, the Japanese company that was hit by a major attack by North Korea in 2014.
During a press conference last Thursday, David Burt said that Government IT systems had been compromised, that it appeared that no information had been taken and suggested that the attack may have been staged from Russian soil.
The Premier then left for the United States.
Over the weekend, the Government did not answer any questions related to the attack and declined to confirm Mr Burt’s whereabouts, would not say why the Premier was in the US and would not confirm when he would return to Bermuda.
During a Monday press conference, Mr Burt said that the appointments he had in the US had to be kept because they were with key people in the country, took months to schedule and were related to the future of Bermuda.
He continued to avoid providing details about the attack, even declining to confirm whether it was ransomware.
In a ransomware attack, a hacker gains access to a computer network and then plants code that encrypts the system. They may also steal data in the process.
The owner of the network is contacted and a ransom is demanded, often in bitcoin. If the ransom is paid, a key is then transferred to the victim to unlock the system.
If the ransom is not paid, the malicious actor can withhold the key, keeping the system locked. They may also leak the stolen data or use it for fraud.
Ransomware is usually planted via email, when an employee of a company clicks a link that infects the network.
Remote desktop protocols are also a popular way into networks, as they are especially vulnerable if not properly configured.
Work-at-home arrangements have made it easier to find exploits as personal devices are not always as secure as those that are managed by a company, institution or government.
Criminal enterprises operating via the dark web are often behind ransomware attacks, though state actors are sometimes involved, especially North Korea.
The business is getting to the point where ransomware-as-a-service products are now available, essentially franchising the expertise to smaller groups that don’t have the technical knowledge to develop their own ransomware.
The Government has been issuing regular releases about what remains functioning and offering alternate contact details for offices that are open and without phones or access to work e-mail.
The Post Office is partly up and running. Ongoing work permit applications are not advancing. The Boats & Moorings database is offline.
Confusion remains as some services are only partly available, and what exactly can be done is not always clear.
One HR manager said she is struggling to get updates on work-permit applications submitted to immigration.
Courts are open but recording systems are not working.
The state of systems at the Bermuda Monetary Authority is unknown, as it has not replied to e-mails and calls asking for an update and has not sent out any statements about the condition of its network.
In the absence of information, rumours are spreading fast and speculation is rife about the attack and the state of the Government, especially concerning exfiltration of sensitive data, the time it will take to fully restore systems, the amount of the ransom and the damage the outage could do to Bermuda’s international image.
Potential reputational damage is high on the list of concerns expressed.
Bloomberg published a report Monday focusing on Mr Burt’s initial mention of Russia and the citing of national security in declining to answer questions on the attack.
• Additional reporting by Fiona McWhirter, Gareth Finighan and Sam Strangeways