While questions persist about how much and what kind of data was compromised in the hack of some 2,000 SFMTA computers last weekend, a network security researcher says that he successfully hacked the email account of the hacker and found some interesting clues about the hacker's location and identity which we're just going to assume from here on out is male and dispense with the pronoun vagaries. Also, it appears this hacker has been primarily motivated by ransoms, many of which hacked companies have quickly paid, amounting to a sum likely in the hundreds of thousands of dollars, as Krebs On Security reports.
The message that appeared on SFMTA screens beginning on Friday, saying "You hacked!", contained an email address, [email protected], an account which Krebs's source claims to have successfully hacked into by guessing the answer to a security question and changing the account's password. The researcher, who asked to remain anonymous, found the account was linked to a backup email account, [email protected], and found evidence suggesting the hacker could be based in Iran, including server addresses based in Iran and server names like "alireza," which is likely a reference to Ali Reza, a common name among Iranians and Turks, or the seventh descendant of the Islamic prophet Muhammad.
Further, scanning through emails in the account, it was clear that this hacker had primarily been attacking US-based construction and manufacturing firms, typically demanding a ransom of one bitcoin ($732) per infected server, which was often quickly paid. One such case was the hacking of China Construction of America Inc., which also occurred last weekend; the company paid 24 bitcoin (about $17,500), having negotiated down from 40 bitcoin, to unlock its data. Perhaps thinking the SFMTA could afford more, the demand here was 100 bitcoin, or about $73,000 USD.
In one of the hacker's emails with journalists over the last 48 hours, he appeared to suggest that the SFMTA needed to better secure its servers, and this was meant as a lesson. Indeed it appears that he has offered advice on better securing outdated networks and some companies have even paid for this after paying him a ransom, if the email chains are to be believed.
It seems that this hacker probably does not want to dig through the data itself or start stealing the identities of Muni employees, though it remains unclear what information he may have or whether he will make good on his pledge to leak 30GB of private information, possibly including SFMTA customer info. The SFMTA tried to assure the public in a statement on Sunday that "Neither customer privacy nor transaction information were compromised."
The SFMTA says that it never considered paying the ransom, and spokesperson Paul Rose issued a statement saying, "We have an information technology team in place that can restore our systems and that is what they are doing. Existing backup systems allowed us to get most affected computers up and running [Sunday] morning, and our information technology team anticipates having the remaining computers functional in the next two days."
Meanwhile, there are also questions about how long the hacking attempts have been going on with the SFMTA's machines. The Examiner reports that at least one local software engineer saw the "You hacked!" message appear on one Muni station screen as early as November 13. Rose says this is "not true," and their IT team is blaming one SFMTA employee for accidentally downloading some ransomware on Friday, November 25, which is when the attack began. But local experts tell the paper that there very well could have been a two-week ramp-up period in which the hacker did some reconnaissance in the SFMTA's network, in preparation for a broad, systemwide attack.
The FBI is apparently "aware of the intrusion and in contact with Muni officials," per a statement to the Examiner.
The new deadline for the SFMTA to pay the ransom is Friday, which was moved from Monday, and the hacker continues to lob threats pertaining to customer and "kiosk" data.