Bermuda cyberattack still affecting systems five weeks on
Public services are still not fully restored five weeks after hackers got into the Government’s IT systems.
The September 20 attack, which is being investigated by police, caused initial chaos, leaving ministers and civil servants unable to access their computers and many services offline.
Most customer services are now back up and running, but gaps remain, including the online Norwood information system for land registration.
The site, launched in 2018, removed the need for paper deeds and documents and is intended to make it harder for fraudsters to steal land.
The Gazette tried to access the electronic land registration system at norwood.gov.bm yesterday, but was met with an error message that said it took too long to respond.
An October 9 email from the Land Title Office to users of the system was shared with the newspaper.
It said the Norwood system was “currently down; as such, we are unable to identify parcel numbers, as well as registered/unregistered parcels using the Norwood map”.
The email said the Land Registrar had not yet had network services restored.
A user, who did not want to be named, asked yesterday: “Where’s the back-up version? There should be two back-up versions of the Norwood survey: one on-site and one off-site.
“Is their whole system a table that rests on one leg and when that leg gets knocked out, it’s over?”
David Burt, the Premier, said at an October 17 press conference it was hoped there would be “full system restoration” of IT systems by the end of last week.
We asked the Government for a comprehensive list of every service that is still not working, but did not receive one by press time. The online list of impacted services is here but it is not known when it was last updated.
The public have been told little about the nature of the cyberattack, including whether it involved ransomware, with Mr Burt insisting details will be revealed once inquiries are complete.
However, he did refer to its origins at last week’s press conference, telling reporters: “An initial infiltration did not happen via government systems entirely.”
Asked if the Government’s cybersecurity was reasonable and up to international standards when the breach happened, he said “ … there were some places where things could have been better but … people do not come through the front door”.
Mr Burt said he and Cabinet Office minister Vance Campbell were “informed of the vector of this particular attack” and it was “incredibly, incredibly meticulous and complex and so from that particular aspect I am comfortable with the work that has been done with cybersecurity”.
He said: “Could there have been more work done that would have helped us prevent this? Absolutely, but the fact is that the Government has made investments in cybersecurity.”
A report on cybersecurity published by the Government four years ago revealed a raft of shortcomings and a list of “strategic goals, specific objectives and actions” urgently needed to protect the country’s cyberspace.
Mr Burt said last week that improvements were planned before the cyberattack happened, adding: “But in this particular case and instance, and how this attack happened, it would have been particularly difficult to prevent.”
There was no response to a request for him to elaborate on his comments yesterday. He has said a parliamentary committee will investigate the attack, rejecting Opposition calls for a Commission of Inquiry.
A purported ransomware “ransom note” is circulating in Bermuda via a messaging system.
The image — a screenshot of an undated Notepad text file — includes the wording: “Data on your network was exfiltrated and encrypted. Modifying encrypted files will result in permanent data loss!”
The note urges the recipient to “get in touch with us ASAP to get an offer” and gives instructions for downloading a Tor browser, a network which allows users to access websites anonymously, and accessing a private user panel.
It appears to be from the ALPHV ransomware group, based on the web addresses in the text, but The Royal Gazette has been unable to confirm if it was found on the Government’s IT systems after last month’s breach.
Mr Burt was shown the note, which has been widely shared on local WhatsApp chats, at an October 17 press conference.
He said he would not comment on specifics while there was an “active and ongoing” police investigation, adding: “I would certainly encourage that no one access anything that they may have received on a WhatsApp forward. I do not think that would be a good security posture.”
He has not responded to further questions about the note.
ALPHV, also known as BlackCat, has not publicly claimed responsibility for the Bermuda attack, as it sometimes does.
This week, the group added the city of Pittsburg, Kansas, to its victim list, claiming to have access to 1TB of the municipality’s data, after a mid-September cyberattack.
Brett Callow, a threat analyst at New Zealand’s Emsisoft, said the note circulating in Bermuda was consistent with a note dropped by ALPHV ransomware.
He compared the address of ALPHV’s website on the dark web to the one on the note purported to have been left on the Government’s systems, noting it was the same.
Mr Callow emphasised he had no knowledge of the Bermuda attack.
But he said if the note was genuine it meant “whatever info the Government holds about individuals, including its employees, and other organisations, is potentially now in the hands of ALPHV and could end up being posted on that site.”
Mr Callow said it was important not to circulate the web address since the “site and others like it host extremely sensitive info, and we don’t want to make it easier than it already is for people to find them”.
Need to
Know
2. Please respect the use of this community forum and its users.
3. Any poster that insults, threatens or verbally abuses another member, uses defamatory language, or deliberately disrupts discussions will be banned.
4. Users who violate the Terms of Service or any commenting rules will be banned.
5. Please stay on topic. "Trolling" to incite emotional responses and disrupt conversations will be deleted.
6. To understand further what is and isn't allowed and the actions we may take, please read our Terms of Service
