They still don’t know where it came from. But when it hit, the Alaskan borough of Matanuska-Susitna was knocked for six. Malware rapidly spread across the borough’s computer networks, disrupting a bewildering array of services. Hundreds of employees found themselves locked out of their work stations. Staff at local libraries received urgent phone calls telling them to quickly turn off all the public PCs. The animal shelter lost access to data on medications required by its furry residents.
It didn’t stop there. An online booking system for swimming lessons went down, leaving people to queue up in person. One borough office had to switch to electronic typewriters temporarily. And Helen Munoz, an 87-year-old woman who has been campaigning for a better sewer system in the area, got an unexpected response to one of her regular calls to local administrators. “Our computers are down,” she was told. She threw her hands up in disgust.
“The cyber-attack, God help us, just about stopped everything, you know,” Munoz says. “In fact, the borough still isn’t squared away with their computers.”
Matanuska-Susitna, known as Mat-Su, is still trying to recover from what happened, months after the attack began in July 2018. When the first signs of malware popped up, no-one expected the turmoil that followed. IT staff initially worked up to 20 hours a day, tasked with digitally scrubbing clean 150 servers.
You might also like:
- The cyber-attack that crippled a nation
- A new front in cyber-warfare
- The tiny code that can stop a warship
Mat-Su, a largely rural borough stretching across an area the size of West Virginia or Latvia, is home to just 100,000 people. It seems a strange target for a cyber-attack.
This is the story of what happened.
The cyber-attack crippled many of the borough's activities (Credit: Getty Images)
On the morning of 23 July 2018, employees at the borough offices of Matanuska-Susitna in the tiny town of Palmer arrived for work as usual. Within a few hours, an anti-virus programme flagged unusual activity on some of their PCs.
The borough’s IT director, Eric Wyatt, told his team to take a closer look. They found some malicious files, so they followed standard procedure: get staff to change their passwords and, meanwhile, prepare an automated programme to clear out any suspicious software.
But when they launched this defence mechanism, there was an unintended response.
The scale of these cyber-attacks was certainly new to Wyatt
Wyatt watched as the network lit up. It looked like a larger or second stage attack had been triggered. Perhaps someone was monitoring the IT department’s defensive moves, or it was an automatic response by the malware. Either way, it had begun spreading further and, in some cases, it locked down more employees’ files and demanded ransom payments.
This form of malware is known as ‘ransomware’ – an increasingly common, and dangerous, threat to computer systems. In recent years, ransomware outbreaks around the world have temporarily shut hospitals, halted production at factories, skewered operations at major ports and sent hundreds of offices into chaos. Some estimates put the annual total cost of ransomware events at several billion dollars.
The scale of these cyber-attacks was certainly new to Wyatt, who started his IT career in the US Air Force before working for defence and government contractors.
Malware ransom attacks are thought to have cost companies several billion dollars (Credit: Getty Images)
“I have over 35 years in this business and have dealt with this kind of thing during that time,” he says. “This was certainly larger than anything I had seen, more sophisticated.”
When he realised the incident was going to cause significant headaches, he went to see borough manager John Moosey.
Moosey listened as Wyatt explained what he knew about the situation. Moosey and Wyatt were soon on the phone to the FBI – and their insurer – explaining that they seemed to be the target of a large cyber-attack.
Almost all of the borough’s office phones had to be taken offline. As IT experts were drafted in to help with the recovery, printers and computers were gathered up in droves – more than 700 devices in total had to be checked and scrubbed. “All data is considered suspect,” read one update published a short time later.
They wanted the library to disconnect every computer and printer - not just switch them off, but unplug them too
“It really hammered us extremely hard,” says Moosey.
In the borough’s purchasing department, staff faced filling out forms with pen and ink while their computers sat idle. Then they had a bright idea. In the cupboard were a couple of old electronic typewriters. They dusted them off and used them, a move that made international headlines.
As systems were taken offline, and staff switched to mobile phones and temporary webmail services, many functions of the borough were forced to slow down. Computer programs had been designed to help process everything from data on construction sites to credit card payments at the local landfill – but now they were all out of action.
The borough's purchasing department were forced to dust off their old typewriters because all computers were impounded (Credit: Getty Images)
“The virus was amazingly terrible,” says Peggy Oberg, a librarian at the Big Lake Public Library in south central Mat-Su.
In the space of one week, Big Lake library welcomes between 1,200 and 1,500 people through its doors. Many of them rely on internet and computer services there.
Oberg remembers the call she got from the IT department. They wanted the library to disconnect every computer and printer – not just switch them off, but unplug them. Staff were also asked to turn off the public wi-fi.
In 20 years, Oberg had never had a call like it.
Staff at a number of the borough’s libraries were also unable to place books on hold, search for new items patrons requested, or communicate through the usual channels with other colleagues around Mat-Su. For a few weeks, they were partially cut off.
I don’t mind technology, but when I can’t get a sewer system built I get very uptight – Helen Munoz
Oberg spent two months worrying that the data for library groups and services would be lost forever.
“I was kind of sick thinking about them possibly not being able to recover that,” she says. Thankfully, she later found that the files had in fact been restored, nine weeks after she’d last had access to them.
Mat-Su’s local animal shelter takes in between 200 and 300 stray or unaccounted-for animals every month – from stray domestic pets to livestock found on open roads. Staff computers at the shelter were taken away. Without records of medications and previous cases, employees didn’t know how much to charge people who came to collect pets or missing cattle. The website with photos of animals up for adoption also couldn’t be updated.
The borough's animal shelter could not keep track of which animals had been vaccinated (Credit: Getty Images)
Helen Munoz is an 87-year-old resident of Palmer. She moved to Mat-Su in the 1970s with her husband, whose family ran a septic tank and sewerage business. Lately, she has made it her mission to force an improvement of Mat-Su’s own sewage system. She has a place on a committee overseeing the development of a new waste-water treatment plant.
Munoz was frustrated by the way the hampered communications affected the borough. “I don’t mind technology, but when I can’t get a sewer system built,” she tells me, “I get very uptight.”
Others were equally worried. As one local resident put it in a comment to a Facebook update about the cyber-attack: “It's pretty amazing how this can effect [sic] our day-to-day.
“So far it's changed the way I had to pay for the dump, the email proof of my dog getting his rabies vaccine hasn't shown up, and when I pay my taxes it looks like that's going to be different too.”
Shortly after the attack began, investigators found evidence that the malware had been on the borough’s systems since May
Meanwhile, Mat-Su estate agents, who regularly sign in to an online system for local land registry data, found themselves locked out. Even the system for signing up children for swimming lessons went down.
“Everyone had to stand in line, it was all done the old-fashioned way,” says Nancy Driscoll Stroup, a local lawyer and critic of the borough.
The incident has so far cost Mat-Su more than $2m (£1.59m).
Shortly after the attack began, investigators found evidence that the malware had been on the borough’s systems since May. This raises Stroup’s curiosity – she notes that a borough delegation visited China on a trade mission that month. While no-one has made any official link to the Chinese, there have been allegations of Chinese involvement in other recent hacking episodes.
Libraries were unable to search for books, nor place any on hold for patrons (Credit: Getty Images)
As they combed through the digital wreckage, Wyatt and his colleagues realised that the malware had deposited data, in files named with a specific number, on victim computers. After investigating, they realised this number, 210, identified Mat-Su as the 210th victim of this particular version of the malware; the other 209 victims are still unknown.
They also gleaned some clues now about how the attack started. Wyatt has some hints it was a targeted phishing attack, in which an organisation working with the borough was compromised in a separate attack. Wyatt says he has evidence that this allowed someone to send a carefully composed malicious email, containing the first batch of malware, to a Mat-Su employee.
By cloaking an attack within a seemingly innocuous message, malware creators increase the chances that someone clicks on a link or downloads the attachment that spreads the malware to their computer. From there, it can attack other computers on the same network.
The only people to blame are the people who write these viruses – Eric Wyatt
Wyatt doesn’t blame anyone for being tricked, though. “The only people to blame are the people who write these viruses,” he says.
Over the ensuing 10 weeks, a dedicated team gradually brought the majority of Mat-Su borough’s affected services back online.
In August 2018, Wyatt appeared in a YouTube video published by the borough explaining the extent of the recovery operation. IT contractor Kurtis Bunker was also filmed saying he thought the FBI had been “pleasantly surprised” at how Mat-Su’s staff responded to the attack.
Not all members of the public were understanding. “Who or why would anyone ‘hack’ a little rinky dink town?” scoffed one Facebook user. But many were supportive. And various organisations that have links or business relationships with the borough were also part of a larger effort to make sure the cyber-attack didn’t spread any further.
Investigations revealed some of the team had visited China, where other cyber-attacks are thought to have originated from (Credit: Getty Images)
Mat-Su may not have been attacked for any other reason besides the malware creators belief that they could collect ransom payments. The FBI’s advice was clear, though, says Wyatt: don’t pay up.
William Walton, a supervisory special agent at the FBI investigating what happened in Mat-Su, says the kind of attack Mat-Su experienced can have serious consequences. Being a smaller community, Mat-Su has less of a safety net to rely on, he points out.
“In terms of its infrastructure, it doesn’t perhaps have the same redundancy as a major metropolitan area so we would absolutely consider that as a critical infrastructure event,” says Walton.
We may never know who attacked Mat-Su, or why. But such incidents are unsettlingly common. As communities and businesses rely on computers for even the most basic tasks, the potential for a cyber-criminal to cause havoc has only increased.
Now, a handful of small towns in Alaska, scattered across the borough of Mat-Su, know that only too well.
If you liked this story, sign up for the weekly bbc.com features newsletter, called “If You Only Read 6 Things This Week”. A handpicked selection of stories from BBC Future, Culture, Capital, and Travel, delivered to your inbox every Friday.