The Port of San Diego was a victim of a ransomware attack, the agency announced Thursday.
The agency is partnering with the FBI and the Department of Homeland Security to investigate the matter, Port CEO Randa Coniglio said in a statement released Thursday.
Hackers breached the Port’s information technology systems on Tuesday and demanded payment in Bitcoin, the agency said, though the amount was not disclosed.
Ransomware works by encrypting a user's data and holding the decryption key until the ransom is paid. Once that happens, a typical recourse is to reformat and restore the system from backups, SDSU cyber warfare and cyber terrorism expert Steven Andrés said.
“When the NotPetya ransomware attacked Maersk shipping company, the company recovered by reformatting and restoring over 4,000 servers and 45,000 desktops from the backups,” he said.
It was unknown how the ransomware got onto the Port’s computer, but Andrés said it could happen a number of ways, such as someone opening an infected email attachment, clicking on a malicious web link, or plugging in a USB thumb drive that’s been infected.
Another way is a direct hack of a computer that's connected to the Internet, ESET senior security researcher Stephen Cobb said.
"So every company is using computers out on the internet, and if there's a bad actor, I can find one of those, guess the password, break into it," he said. "I can then use that as my platform to carry out an attack on the organization."
When the Port began having problems, a team of industry experts from local, state and federal levels was called in to minimize the impact of the breach and to restore the affected systems, Coniglio said.
She said the breach’s effect is only administrative and not operational.
“The Port remains open, public safety operations are ongoing, and ships and boats continue to access the Bay without impacts from the cybersecurity incident,” Coniglio said.
One of the compromised systems belonged to the San Diego Harbor Police Department, but the agency has switched to a backup system, she said.
While only some of the information technology systems were affected by the breach, the Port shut down other systems in “an abundance of caution,” Coniglio said.
Documents previously posted on the agency’s website have been taken down to scan for any bugs. Park permits, public records requests and business services are also temporarily affected by the breach, the Port said.
The Port has not revealed which systems were compromised in the breach, citing security concerns, but did say that priority has been placed on restoring public safety-related systems.
The Port was the latest public agency to be hit with ransomware. In March, the city of Atlanta was crippled for several days with ransomware. Hackers demanded $52,000.
It took the city more than a week to restore the system from backups at a cost of more than $2 million.
"Ransomware is an interesting attack in that the criminals are more interested in getting money for giving you the encryption key than looking at the data," Cobb said.