Cyberattack Forces Cleveland to Halt Citizen Services

Cleveland, Ohio, is currently grappling with a significant cyberattack that has disrupted essential city services, forcing the closure of public offices and facilities at Erieview and City Hall. This cyber incident has placed the city, a critical hub for healthcare, manufacturing, finance, logistics, education, and technology, on high alert.

The disruption was first revealed when city officials announced that public services had been reduced to essential operations. The city's authorities have been working with third-party experts to investigate the incident, which has led to the temporary closure of City Hall and Erieview for a second consecutive day.

Despite the severity of the attack, initial findings from the investigation have confirmed that taxpayer information held by the Cleveland Airport Authority (CAA) and customer information from public utility services were not accessed by the hackers. Essential services such as emergency response (911, police, fire), public works, utilities, healthcare (EMS), and airport operations at Cleveland Hopkins and Burke Lakefront have remained unaffected.

City officials have promised to provide timely updates as the investigation progresses. Concerned citizens are encouraged to call 311 for more information. As of now, no ransomware groups have claimed responsibility for the attack, and the exact nature of the breach remains unclear.

Mayor Justin Bibb referred to the incident as a breach, while Kim Roy Wilson, the city's IT commissioner, reported detecting abnormal activity within the city's IT environment. "It's essential to withhold details at this point so as not to risk hampering the ongoing investigation," Wilson stated. She also urged citizens needing critical documents or services from affected departments to remain patient.

Ilia Sotnikov, Security Strategist and VP of User Experience at Netwrix, provided expert commentary on the incident. "According to city officials, the incident was declared when they spotted abnormal activity on their network on Saturday. They immediately followed the pre-existing incident response plans (IRP). We don't know the scope of the impact yet, but we can already say that the city has done a lot of right things to minimize the damage," Sotnikov said.

Sotnikov highlighted several key measures that Cleveland implemented effectively:

  • Monitoring and Threat Detection: Early detection and quick action were crucial in catching the attack before it could access sensitive data or disrupt critical operations. Tools such as Identity Threat Detection and Response (ITDR), Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR) played vital roles. These tools help detect threats related to identity and access controls, monitor suspicious activities on devices, and identify indicators of compromise across the organization's environment.

  • Network Segmentation: By isolating higher-risk services, Cleveland was able to prevent the attack from disrupting emergency services like fire and police departments, airports, and utilities, even though City Hall and other systems were shut down.

  • Quick Containment Actions: The decision to shut down services over the weekend was a cautious move, allowing the response team to assess system and data integrity without distractions. This step-by-step approach enables the city to restore services as each system receives clearance from the investigation team.

"This case is a good example of how a properly configured security architecture with necessary controls in place and IRP prepared in advance helps avoid tough consequences," Sotnikov concluded.

As Cleveland navigates this cyberattack, the incident underscores the importance of robust cybersecurity measures and rapid response strategies in safeguarding city infrastructure and services.
