The City of Norfolk, Virginia is reeling from a massive computer meltdown in which an unidentified family of malicious code destroyed data on nearly 800 computers citywide. The incident is still under investigation, but city officials say the attack may have been the result of a computer time bomb planted in advance by an insider or employee and designed to trigger at a specific date.
Hap Cluff, director of the information technology department for the City of Norfolk, said the incident began on Feb. 9, and that the city has been working ever since to rebuild 784 PCs and laptops that were hit (the city manages roughly 4,500 systems total).
“We don’t believe it came in from the Internet. We don’t know how it got into our system,” Cluff said. “We speculate it could have been a ‘time bomb’ waiting until a date or time to trigger. Whatever it was, it essentially destroyed these machines.”
Cluff said the malicious software appears to have been designed to trash vital operating files in the Windows\System32 folder on the infected machines. Cluff said a healthy, functioning System32 directory weighs in at around 1.5GB, but the computers infected with this as-yet-unidentified malware had their System32 folders chopped down to around a third of that size, rendering them unbootable. Cluff added that city employees are urged to store their data on file servers, which were largely untouched by the attack, but he said employees who ignored that advice and stored important documents on affected desktop computers may have lost those files.
IT specialists for the city found that the system serving as the distribution point for the malware within the city’s network was a print server that handles printing jobs for Norfolk City Hall. However, an exact copy of the malware on that server may never be recovered, as city computer technicians quickly isolated and rebuilt the offending print server.
“Obviously, our first reaction was to shut it down and restore services, and at least initially we weren’t concerned about capturing [the malware] or setting it aside,” Cluff said.
Cluff said the city is treating the incident as a crime, and that it has notified the FBI. “We will be quarantining several PCs from various locations and tracking their chain of custody to assist in any forensics analysis,” he said.
Only those PCs that happened to be “shut down” between 4:30 p.m. and 5:30 p.m. Tuesday, Feb. 9 were impacted by the attack, Cluff added. That’s in part because of the data destruction, but also because the malware modified the “boot.ini” file, an essential file that tells the computer the location of the Windows operating system.
“This was the amount of time it took our network and security engineers from discovery to containment,” he said. “So all those employees who were being ‘green’ … we now know who they are.”