New York City Hall. Image: City of New York Government / Facebook

Attempted hack on NYC continues wave of cyberattacks against municipal governments

2024 has already seen dozens of local governments slammed by ransomware incidents and cyberattacks, limiting services for millions of people across the United States.

The latest high-profile incident involves New York City, which was forced to take a city payroll website offline and remove it from public view after dealing with a phishing incident.

The incident was first reported by Politico, which spoke to city workers who complained of the New York City Automated Personnel System, Employee Self Service (NYCAPS/ESS) being offline right as many tried to file their taxes. 

New York City’s Office of Technology and Innovation told Recorded Future News that NYC Cyber Command “was made aware of a smishing campaign targeting NYCAPS users.” Smishing is phishing carried out via text messages (SMS) instead of emails.

“NYC Cyber Command has been advising and working with FISA-OPA and DCAS to implement enhancements to security measures,” the office said. “City employees have been advised to remain vigilant and confirm the legitimacy of any NYCAPS and payroll-related communications and activity.”

A city official reiterated that the NYCAPS website is still online and accessible to all employees through the city’s secure internal network. 

Screenshot of the bogus NYCAPS website. Image via Bolster.AI

The smishing campaign allegedly involved messages sent to city workers asking them to activate multi-factor authentication, with a link to a phishing domain. 

Shashi Prakash, CTO at security firm Bolster.AI, told Recorded Future News that his team saw the domain “essnyc{.}online” the day it was registered. Other researchers said the domain was registered in Lithuania. 

Prakash explained that his team’s data shows it has been live since December 9 and shared a screenshot of the page, which looks exactly like the NYCAPS website. 

“There is one additional domain cityofanaheim{.}online on the same infrastructure which does make it look like they were targeting other cities,” Prakash said. 
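The kind of check a defender can run to catch lookalike portals like the two named above, and to notice when several of them sit on shared infrastructure, as an added example that is not Bolster.AI's or the city's own code. The domain feed and name servers are constructed; the "nyc.gov" allow-list suffix is an assumption about where the legitimate portal lives.

```python
"""Lookalike-domain triage for watched login portals (added example, not from the article)."""
import re
from collections import defaultdict

# Brand tokens to watch; "essnyc" and "cityofanaheim" are the domains the article names,
# "nycaps" is the portal's own name. Values describe what each token impersonates.
WATCHED_TOKENS = {
    "nycaps": "NYC payroll (NYCAPS/ESS)",
    "essnyc": "NYC payroll (NYCAPS/ESS)",
    "cityofanaheim": "City of Anaheim",
}
# Cheap TLDs the real portals do not use (assumption); both article domains ended in .online.
SUSPECT_TLDS = {"online", "site", "xyz", "top", "icu"}
LEGIT_SUFFIXES = ("nyc.gov",)  # assumption: anything under the city's own domain is not a lookalike

def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'essnyc{.}online' or 'essnyc[.]online' into a hostname."""
    return re.sub(r"[\[\{\(]\.[\]\}\)]", ".", domain.strip().lower())

def classify(domain: str):
    """Return (impersonated target, reason) if the domain matches a watched token, else None."""
    host = refang(domain)
    if host.endswith(LEGIT_SUFFIXES):
        return None  # owned by the real organisation, not a lookalike
    labels = host.split(".")
    tld = labels[-1]
    name = ".".join(labels[:-1]).replace("-", "")  # 'essnyc-login' still contains 'essnyc'
    for token, target in WATCHED_TOKENS.items():
        if token in name:
            reason = "watched token" + (" + suspect TLD" if tld in SUSPECT_TLDS else "")
            return target, reason
    return None

def triage(feed):
    """feed: iterable of (domain, nameserver). Groups flagged domains by the name server they share,
    which is how a campaign aimed at several cities shows up (e.g. essnyc and cityofanaheim)."""
    by_infra = defaultdict(list)
    for domain, ns in feed:
        hit = classify(domain)
        if hit:
            by_infra[ns].append((refang(domain), *hit))
    return dict(by_infra)

# Constructed sample feed: the two article domains, one extra lookalike, and benign noise.
SAMPLE_FEED = [
    ("essnyc{.}online", "ns1.example-host.invalid"),
    ("cityofanaheim{.}online", "ns1.example-host.invalid"),
    ("essnyc-login[.]site", "ns9.other-host.invalid"),
    ("nycaps.nyc.gov", "ns.nyc.gov"),
    ("bakery-online.com", "ns.registrar.invalid"),
]

if __name__ == "__main__":
    for ns, hits in triage(SAMPLE_FEED).items():
        print(ns, hits)
```

Two hits on one name server is the signal worth escalating; a single flagged domain is only a candidate until it is confirmed to host a credential form.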

Keeper Security’s Teresa Rothaar said more than 80 percent of breaches happen because of weak or stolen passwords, credentials and secrets, much of which is acquired through the kind of phishing and smishing attacks New York City is currently dealing with. 

To make matters worse, the New York City attackers clearly knew that multi-factor authentication is a critical layer of security and played on that concept while trying to steal credentials. 

“Often, innocent people who are not trained on phishing prevention will focus on the ‘pinstripes’ of the email or illegitimate site, meaning the aesthetics that they are familiar with, such as the logo or colors of their banking site,” she said.  

“Cybercriminals spend a lot of time making ‘lookalike’ sites appear authentic so that users are tricked into entering login credentials. Employees should always err on the side of caution and assume that all of their work-related (and even personal) passwords have been compromised – especially if they reuse the same passwords across accounts (a big no-no, and this situation illustrates why).”

Countrywide problem

The campaign targeting New York City is one of many specifically going after city, county and state-level governments across the United States. 

Just in the last week, the cities of Birmingham, Alabama, and East Baton Rouge, Louisiana, have announced security incidents affecting public services. Jackson County in Missouri was forced to declare a state of emergency after discovering a ransomware attack last month. 

On Thursday, the Florida Department of Juvenile Justice in Tallahassee admitted to local news outlets that it was dealing with a cyberattack that forced some systems offline. 

Florida’s Hernando County similarly announced a cyberattack on Thursday, warning that while 911, police and EMS systems were still operational, several other government services would be down for an unknown amount of time. Local news outlets reported that the FBI is involved in the response to the incident. 

Rebecca Moody, head of data research at Comparitech, has been looking into ransomware attacks on U.S. government offices and said she has found 18 confirmed ransomware attacks so far this year. 

Other researchers have tracked at least 25 ransomware attacks on U.S. government offices. 

While several states have banned government organizations from paying ransoms to groups, the offices continue to be ripe targets for ransomware gangs and hackers. Washington County in Pennsylvania recently revealed that it paid a $350,000 ransom to hackers following a January ransomware attack. 

James Turgal, who spent 22 years working at the FBI, told Recorded Future News that attacks against state, local and tribal governments have accelerated over the last year. 

“From the threat actors’ point of view, these municipalities are a target-rich environment with an abundant source of victims. By my estimation, with just around 95,000 soft targets nationwide, there are 40,000 cities, towns and municipalities, approximately 50,000 special government districts nationwide, and then the additional tribal governments that round out the numbers,” he said. 

“There needs to be a sense of urgency on the part of state and local governments and municipalities to get ahead of the threat, as these local entities have the most direct impact on our citizens, and a cyber focused disruption can be potentially life-threatening when considering the health and public safety services our local governments control.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.