The Metropolitan Police Department appears to be the latest victim of a computer hacking group that is threatening to leak sensitive information unless the agency pays a ransom.
Screenshots on the dark web posted by the ransomware group Babuk Locker appear to show stolen MPD data on informants, gangs and officer discipline, according to documents obtained by The Washington Times.
The group claims to have downloaded more than 250 gigabytes of internal data that it will leak to gangs “to drain the informants” if the MPD does not contact them within three days.
An MPD spokesperson said Tuesday that the department is “aware of unauthorized access on our server.”
“While we determine the full impact and continue to review activity, we have engaged the FBI to fully investigate this matter,” the spokesperson said in an email. “There is no further information available to provide at this time.”
The FBI did not immediately respond to an email request for comment about the investigation.
Babuk’s posts have since been deleted, but cybersecurity expert Scott White says the hackers could be seeking a hefty payout.
“I suspect in this case, being it’s the D.C. Police Service and the information — if it’s true that they have involving confidential informants and so on — I suspect they’re probably asking a considerable amount of money for the release of the information back [to MPD],” Mr. White, an associate professor of cybersecurity at George Washington University, told The Times.
Babuk emerged in early January as the first new ransomware threat of the year, according to an alert published by The New Jersey Cybersecurity and Communications Integration Cell. Since then, the digital extortionists have claimed responsibility for several hits on organizations around the world.
Most recently, the group claims to have orchestrated cyberattacks within the last two months on the NBA’s Houston Rockets and U.S. military contractor PDI Group.
“The way that ransomware tends to be working is that those engaging in it, understand, and they view it as a client,” Mr. Scott said. “They see how much the organization would be willing to pay, and they are requesting monies appropriate for the release of that information.”
Some organizations are willing to pay, while others are not, he said.
“Most ransomware that has occurred, we are not cognizant of it because companies, hospitals and all different [types of organizations] are just paying it off — they see it as a cost of doing business,” Mr. Scott said.
Government agencies, health care organizations and schools nationwide have been heavily targeted since the coronavirus pandemic forced many operations to shift online last year.
The Baltimore County Public School system has reported several technical issues since November, including a data breach that released more than 2,500 employees’ personal information.
A national report released in March by the nonprofit K-12 Cybersecurity Resource Center stated that the 408 publicly disclosed school cyber incidents in 2020 were “record-breaking.”
“[M]any of these incidents were significant: resulting in school closures, millions of dollars of stolen taxpayer dollars, and student data breaches directly linked to identity theft and credit fraud,” the report states.
Meanwhile, MPD is the third police department nationwide to be infiltrated by hackers in the last six weeks, and 29 U.S. government agencies have reported online attacks since the beginning of the year, according to The New York Times.
Mr. Scott said prosecuting the cybercriminals can be difficult due to where the groups are located.
“Most of these threats are coming from countries [including] Iran, North Korea, China and Russia, and we have no extradition agreements with these countries,” the cybersecurity expert said.
Most of those countries, he said, also have “agreements” with organized crime groups, which adds another roadblock.
The security company McAfee suggests the best way to prevent a data breach is to invest in a “defense-in-depth cybersecurity strategy, security awareness training, and human-based threat hunting to help detect and block these attacks.”
• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.
• Emily Zantow can be reached at ezantow@washingtontimes.com.