Ferries ran on schedule Wednesday and Thursday despite the debilitating ransomware attack.
Jeanna Shepard

Ransomware Attack Cripples SSA IT Systems


The Steamship Authority was hit with a debilitating ransomware attack early Wednesday morning that reverberated across operations for the lifeline to the Islands, crashing the website, halting vehicle reservations and crippling internal communication systems.

By Thursday morning — more than 24 hours after the cyber attack — SSA staff were still scrambling to assess the impacts, with all website, reservation, email and other communication systems down and no immediate timeline for recovery.

An early Friday morning update on the SSA’s temporary website said impacts would continue for the third consecutive day. In a second update that went out midday Friday, SSA spokesman Sean Driscoll said that the boatline had established a new, temporary website with fare, schedule and parking information. 

"At this point we are unable to release any further details," Mr. Driscoll wrote in the most recent update.

Steamship Authority officials and a Coast Guard spokesman confirmed that local, state and federal law enforcement agencies, including the Federal Bureau of Investigation, had been briefed on the attack. The FBI was taking the lead on the investigation, according to Coast Guard spokesman Amanda Wyrick, who spoke to the Gazette by phone Wednesday.

Boats were running on schedule Wednesday and Thursday, with minor delays, but little else was normal with the SSA’s landside operations. Customers were asked to use cash at ticket terminals, with only limited credit card processing available. Manual, hand-written carbon copy receipts were being provided to vehicle passengers with prior reservations, which are being honored.

All other customers without a vehicle reservation are required to travel standby until further notice, according to SSA communications director Sean Driscoll. With the website down, vehicle reservations cannot be scheduled either online or over the phone. Cancellation fees are being waived.

“We can’t make or change reservations,” Mr. Driscoll said. “Anyone who wants to travel without a reservation will have to do so on standby.”

In a brief phone interview Thursday, Mr. Driscoll said that after the cyber attack crippled online services, the SSA instituted storm protocols already in place in the event of a loss of power and communications, quickly transitioning to manual operations.

“We have procedures in place in case we lose communications,” Mr. Driscoll said. “We treated this as a hurricane, just a different variety.”

On Thursday the SSA was still in the throes of the fiber-optic storm.

Mr. Driscoll said he could share few internal details about the cyber attack and that the response was ongoing. He confirmed that it was a ransomware attack that occurred sometime early Wednesday morning, but could not provide further information regarding the extent or origin of the attack. No timeline was available for how long the website and reservation systems would be down.

“I’m not going to put any dates out there right now. There’s still too much happening,” Mr. Driscoll said.

Mr. Driscoll said the response was being handled at the executive level by general manager Bob Davis, as well as Curt Van Riper, who runs the SSA information technology department, and other employees involved with scheduling and ticketing. He said the SSA had brought in consultants, as well as law enforcement, to assist in the response. Attorneys and insurance personnel were also involved, he said.

“We’re working with our internal IT team. We have third party vendors that we’re working with, as well as teams from law enforcement,” Mr. Driscoll said. “So there are multiple teams inside and outside the building that are working on this.”

Despite the widespread system problems, Mr. Driscoll said no customer credit card information had been compromised, because that information is not stored on the website, nor are vehicle identification numbers.

The boat line website went down early Wednesday morning, displaying various temporary home pages and error messages throughout the day.

A 9:30 a.m. statement from Mr. Driscoll confirmed the ransomware attack and said boat line operations could be disrupted and delayed. It indicated that the SSA email server was down and that further updates were expected.

Attacks from ransomware — a form of malware that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid — have become increasingly common across the country, with separate attacks disrupting everything from university operations to the meat industry to gas pipelines throughout the American South. Victims have had to pay a monetary ransom to regain control of their data.

On Thursday, national news outlets reported that the Biden administration had issued a rare open memo to business leaders across the country urging protection against ransomware attacks, saying that the threats were serious and increasing across all sectors.

The wide-ranging fallout from the SSA attack became clearer as Wednesday progressed, with Mr. Driscoll releasing a flurry of short press updates and posting various information to social media. Regional and national news outlets picked up the story.

The Coast Guard emphasized that the attack did not affect vessel safety or the safety of travelers.

Boats ran mostly on schedule, but the ticketing system was changed over to paper, with cash preferred for monetary transactions.

The broader extent of the attack still remains largely unclear.

Reached by phone Thursday, Vineyard SSA governor Jim Malkin declined to comment because of the sensitivity of the issue, but said that board members had been individually briefed on the situation.

At boat line terminals there was relative calm, with ferry attendants checking customers onto boats manually and accepting paper tickets from drivers.

“We had a major cyber attack and we didn’t cancel a single boat yesterday,” Mr. Driscoll said Thursday. “I feel great about that.”


Comments

Submitted by Anonymous (not verified) on Wed, 06/02/2021 - 10:26


Tragically Amused MV

Well, I just looked, and it turns out the Steamship Authority's "IT Technicians" are so (and I'm looking for a polite way to say this) incompetent, that they actually host their own DNS servers, using their own domain name. And so all of their DNS is now offline. Without DNS, nothing under the entire Steamshipauthority.com domain can even be talked to. This is such an amateur mistake I can barely even believe it. This problem is compounded because, since the nameservers are part of their (apparently) easily compromised security perimeter, more industrious hackers could have simply started redirecting traffic wherever they wanted, i.e. to a fake payment gateway to capture user cc data. Who knows how long that would have taken them to notice, at which point the hackers could then have moved onto this next stage of the ransomware attack. Who knows.. maybe they did.

So, first bit of free modern enterprise IT expert consulting charity for the SSA - go, right now, and move your name servers to a real DNS provider, and be very careful reviewing the existing records as you port them over to make sure it hasn't already been hijacked.

I mean, just wow...

RW VH

Seems regardless of someone's wall of protection, few are immune. Major utilities, police departments, major corporations (Sony) have all been hit, and paid the ransom. While the SSA could be more secure, it would only slow the perpetrators.

RealIT VH

Perhaps. But this argument is not valid to me as it implies no matter what you do you’re hacked. That’s simply not true and all the attacks you mention had well known vulnerabilities that were not proactively addressed and also had poor architectural design.

RealIT VH

Agree.

This probably follows a social engineering attack with lack of network segmentation, lack of controls, lack of a healthy patching/currency discipline. SSA is not alone, for sure but the tech stack employed is from 2005ish and for sure isn’t patched up or designed to current standards.

Let’s just hope there’s an offline replica of good data.

Douglas Burke

Companies of all sizes are getting attacked. Last year it was one every 39 seconds; this year it is down to 11 seconds. This was never a matter of if but when. The hackers go after the tier one storage and backup data. When you go to the Government site they will tell you that organizations require an air gap solution. This means that they have a copy of their backup data in a vault that can be rolled back based on time of attack. Many organizations are leveraging this now, so they do not have to be held captive by the ransomware attacks.

Tragically Amused MV

Companies of all sizes get hacked. The information I posted above, however, demonstrates that the SSA's level of technical sophistication is very low. Those of us who do enterprise security for a living can infer a lot about what that suggests regarding the rest of their practices. As but one example (beyond those I mentioned above), who knows if they are using easily accessible wildcard certificates which the hackers could have stolen to start spoofing SSA services elsewhere. So, next bit of charity consulting - SSA, you should probably assume your certs have been compromised, get new ones issued, and invalidate the existing ones - presuming you know how. I guess overall, it is clear you need to hire some real professionals to come in and re-architect your infrastructure and help you establish best practices.

And, please.. for the love of god - go to Network Solutions and change the NS records to point at something other than machines on your own domain which no longer exist, before you get some more nasty surprises when someone decides to stand up new DNS on your behalf.. seriously - think about what I just wrote here and consider the implications. Remember - NS records point at dns names, not IP addresses...

Tragically Amused MV

Quick follow up to what I just posted.. I forgot that there must be glue records to resolve the IP for self hosted nameservers.. so it's not as bad as I thought in case I panicked anyone. And it does seem that they at least have name servers up and running again - so hopefully they are on their way to having this fixed.

Submitted by Anonymous (not verified) on Wed, 06/02/2021 - 14:43


Frank Brunelle vineyard haven

When the SSA put the reservation system out to bid I was a programmer and got Cambridge Technology Partners - at the time with 19,000 employees - to bid on the project. CTP said if we bid we need to do a study first on administration and methods and policies or the system will be inadequate. The SSA refused, they submitted anyway, and as suspected it went to an amateur with connections. We needed to post a bond to insure it would work. When their vendor loaded the system it was so defective they were doing all reservations on pieces of paper for about a week to ten days. CTP was the runner-up choice and would have been terrific for operations. That being said these hackers are at all different skill levels and some can penetrate the most secure systems, but also, if it is the same company, it is what it is.

Submitted by Anonymous (not verified) on Wed, 06/02/2021 - 15:03


Meonmv VH

Should we be concerned about personal information given to the SSA, such as credit card numbers?

Submitted by Anonymous (not verified) on Wed, 06/02/2021 - 15:49


Mark Edgartown

Now SSA will justify increased fares to fund investments in cybersecurity...

Submitted by Anonymous (not verified) on Thu, 06/03/2021 - 05:35


Mark Lucier Edgartown

It seems they could have chosen a better target to hack. Can't get blood out of stone.

Bob Edgartown

Normally I would agree to that, but in this case we are all stones and we all pay. We have no choice but would like to see some financial help from the federal government. The antiquated system of this public transportation system to be funded solely by their users needs to change. I pay for plenty of public transportation systems in other parts of the state and country that I never use.

David OB

Many companies have cyber crime insurance. The article mentioned insurance people were on location. Most often it's the insurance company that pays the ransom, raising premiums on all companies.

Submitted by Anonymous (not verified) on Thu, 06/03/2021 - 10:35


fact checker edg

Perhaps a good time to try something new.
No reservations.
First come first serve.
Run the boats 24 hours just like a 'state highway' (since this IS a legal extension of a state highway per the enabling legislation.)

Off Islander Earth

Constantly crashing? What are you talking about? Outside of the opening for summer when everyone and their brother try to book, when has it crashed? I use the ferries weekly for many years and never have problems booking or getting ticketed. I don't want to sound like I am defending the Steamship, they can definitely do some things better, but, reliability has not been an issue.

Submitted by Anonymous (not verified) on Thu, 06/03/2021 - 20:14


BOb Oak Bluffs

I am driving up to the island from NY on Wed. June 9 with a load full of stuff. Long time ago, I booked and received confirmed SSA reservation for noon-ish ferry (WH to MV) for 1 auto plus 2 passengers on June 9--- together with a return Rez on Friday, June 11.

Reading all these comments, should I now be nervous about gaining ferry entrance on June 9, or, for that matter, on the June 11 return trip? I think not because everything has been paid and I read that boats will be traveling. My problem is that the gist of all these many comments does not inspire confidence in the technical security of SSA systems. It almost seems to portend a larger problem--safety & security of the vessel itself.

Any (serious) guidance would be appreciated, and hopefully the Gazette will dig deeper into what has happened and what is involved in remediation now and going forward. Also, for those of us who paid by credit card, understanding the security risk now in play would be a huge contribution to your readers.

Thank you.

MV Momma OB

You will be fine since you already have a reservation. The hack does not affect the safety or navigation of the Ferry. Ferries are running mostly on time. The website did not store Credit Card info, so it was not compromised.

Submitted by Anonymous (not verified) on Thu, 06/03/2021 - 20:48


john W Tisbury

Wonder if it would be good to keep ability to do things as they were done back in the analog days, even if digital is more efficient. Cash, paper, (carbon and otherwise), writing utensils & calculators, unconnected digital business machines like we used not that long ago. These shutdowns might get worse before they get better. Of course one would have to train some personnel how to use these.

John Cape Cod

Goes to show you how insecure our wonderful Tech world is for any company or transaction to conduct everyday business. Cash is still the only form of payment that works regardless of the situation and receipts can be hand written on yes, paper.

Submitted by Anonymous (not verified) on Thu, 06/03/2021 - 21:32


grapes V.H

7:45 a.m. 6/3/2021 update: Good morning. The Steamship Authority is continuing to work with our team internally, as well as with local, state, and federal officials externally, to address Wednesday's incident. The ticketing processes, including online and phone reservations, will continue to be affected today, Thursday, June 3, 3021. We will continue to honor existing reservations at Authority terminals, and rescheduling and cancellation fees will be waived. Scheduled trips to and from the islands continue to operate safely as scheduled, although some delays in the ticketing process may occur. At this point, customers remain unable to book or change reservations online or by phone, and the use of cash is recommended as there is limited access to credit card systems at some terminal and parking locations. We thank our customers for their patience today, and we expect to issue additional updates throughout the day. NOT

Submitted by Anonymous (not verified) on Fri, 06/04/2021 - 05:38


Jim Cotuit

Let’s be real....

The SSA IT infrastructure has never dealt with high demand adequately

Mr Driscoll is a reporter hired to do fresh spin. That isn’t IT.

When will we insist on competence in key positions ?

When will we stop believing the balderdash ?

When will the recommendations of the management survey be effectively implemented ?

Insanity

Doing the same thing

Year in
Year out

Submitted by Anonymous (not verified) on Fri, 06/04/2021 - 07:12


Islander Edgartown

SSA’s “every boat has run as scheduled” victory declaration is such a joke! Yes, but to the continued profound inconvenience of every passenger. So typical of SSA management — who really don’t care much for their customers.

Ransomware attacks are possible for one simple reason — the IT infrastructure has unaddressed vulnerabilities such as a failure to patch promptly. The fact that SSA — and the Board of Governors — could allow that to happen is simple managerial negligence. SSA needs a modern corporate mindset — not one stuck in the 70’s.

Submitted by Anonymous (not verified) on Fri, 06/04/2021 - 07:57


Commuter VH

For IT persons commenting, I noted that confirmation emails from SSA for changes to my reservations started going to junk then not arriving at all in the several days preceding the report of this attack. Whilst probably irrelevant, I still find myself wondering whether this was a symptom of a hack in evolution?

Submitted by Anonymous (not verified) on Fri, 06/04/2021 - 08:59


Martha Edgartown

Most of these comments sound as ignorant and not constructive as the "creeping off islander menace" we all fear mongered about last summer. SSA got passengers safely on and off island. Breach was not customer data (read article) and CC info is not stored by SSA. And no one is safe, Jack Dorsey of Twitter was hacked. Having a paper back up system is wise, for everyone. More to come.

Submitted by Anonymous (not verified) on Fri, 06/04/2021 - 09:07


Duke of Earle Off Island

Very simple - if they are good (and get good expert support), they will be back up in 3-5 days (with a functioning but not perfect system).

If they are not, expect 3-5 weeks.

Wonder if they have cyber insurance?

Submitted by Anonymous (not verified) on Fri, 06/04/2021 - 09:25


Islander Too Tisbury

It's always better to call the reservation office than to make an online reservation and keep fingers crossed.

I have found this myself, and was told this also by an SSA reservations staff member. The pages cannot refresh fast enough to show what is actually available.

So, is the online service even worth the trouble?

I also think the first come, first served idea makes a lot of sense, except perhaps for freight.

Submitted by Anonymous (not verified) on Fri, 06/04/2021 - 10:21


Mm CT

IMHO, first come first served is a terrible idea. On weekends, especially at the beginning of the month, lines of idling cars would be backed up throughout Woods Hole, Vineyard Haven (can't even imagine 5 corners) and Oak Bluffs. Folks would have no way to get to bathrooms or to get food. Travelers with little kids, older folks, etc. would/could be severely at risk. Local folks in MV and Woods Hole would be seriously inconvenienced. Emergency vehicles would be dangerously hampered.

Meonmv Tisbury

You are correct. The reason there is no standby on popular days is because a few years ago the idling autos were backing up a long way on the Woods Hole Road, creating a safety issue, and preventing Woods Hole residents from accessing their properties. We have a responsibility to look at their side, too. MV is “on the map” now, so do your part and make a reservation. We have representative Malkin and the County Commissioners can hear complaints, as well. I hear pen and paper is back in style. Write a letter to the editor.

Submitted by Anonymous (not verified) on Fri, 06/04/2021 - 14:08


Off Islander USA

I love all these "experts" commenting here as if they know the ins/outs of the SSA infrastructure. They all have "theories" without any actual factual information. The same people who constantly complain about the fares are now sounding off on how the SSA doesn't spend enough on IT. No amount of spending can overcome the user who opens unsafe emails or visits unsafe sites. Do any of you "experts" think the multi-billion dollar companies that have been hacked didn't spend vast sums to protect themselves? You're all "experts" until it happens to you, and, rest assured, if you are around long enough it will.

RealIT VH

I disagree. And I work for one of those multi-billion companies with trillions in assets to protect.

One should not conflate spending money with effectiveness. Design matters, as does training and controls/good process.

While it’s somewhat true that you’ll get attacked, the real name of the game is limiting the blast radius and containing the damage.

As this has unfolded it’s apparent that the SSA has some data already recovered (or not impacted) and they are smartly using that to maintain operations while their systems are remediated. That’s the good news. The bad news is that it’s taking an excessive amount of time to recover operations which, in the modern era, should be able to be delivered via automation and dispose of the old infrastructure. That’s if you actually run on cloud or virtualized. In this case, that may not be true. It’s also possible that this is an outsourced system that was compromised and that vendor had insufficient protections/design - something that should have been handled with good tech due diligence up front.

Submitted by Anonymous (not verified) on Fri, 06/04/2021 - 16:42


Ken Edg.

Hacking is easy. Send millions of deceptive emails and when they are opened bingo the hackers get in. It isn't rocket science. My trash is full of them. Same for your phone. Caller ID is essential. I get messages illegal scam on many calls. You have to be careful.

Submitted by Anonymous (not verified) on Sat, 06/05/2021 - 06:43


Zephyr

So what are you supposed to do if you need to take a ferry off the island and return and don't already have a reservation from before the hack? Do you just show up at the terminal and hope you can purchase a ticket at that time for cash only? Will they honor excursion rates for islanders with a profile? Same for the return run?

Submitted by Anonymous (not verified) on Sat, 06/05/2021 - 10:48


GODSPAL MV

DEAR SSA, THANK YOU FOR ALL THE HARD WORK YOU ALL DO EVERYDAY. ACCEPTANCE IS THE KEY!!! GOD BLESS YOU ALL.
