• ARRL IT Security Incident - Report to Members

    From ARRL de WD1CKS@VERT/WLARB to QST on Friday, August 23, 2024 22:10:02
    08/22/2024

    Sometime in early May 2024, ARRL's systems network was compromised by threat
    actors (TAs) using information they had purchased on the dark web. The TAs
    accessed headquarters on-site systems and most cloud-based systems. They used a
    wide variety of payloads affecting everything from desktops and laptops to
    Windows-based and Linux-based servers. Despite the wide variety of target
    configurations, the TAs seemed to have a payload that would host and execute
    encryption or deletion of network-based IT assets, as well as launch demands
    for a ransom payment, for every system.

    This serious incident was an act of organized crime. The highly coordinated and
    executed attack took place during the early morning hours of May 15. That
    morning, as staff arrived, it was immediately apparent that ARRL had become the
    victim of an extensive and sophisticated ransomware attack. The FBI categorized
    the attack as "unique" as they had not seen this level of sophistication among
    the many other attacks they have experience with. Within 3 hours a crisis
    management team had been constructed of ARRL management, an outside vendor with
    extensive resources and experience in the ransomware recovery space, attorneys
    experienced with managing the legal aspects of the attack including interfacing
    with the authorities, and our insurance carrier. The authorities were contacted
    immediately as was the ARRL President.

    The ransom demands by the TAs, in exchange for access to their decryption
    tools, were exorbitant. It was clear they didn't know, and didn't care, that
    they had attacked a small 501(c)(3) organization with limited resources. Their
    ransom demands were dramatically weakened by the fact that they did not have
    access to any compromising data. It was also clear that they believed ARRL had
    extensive insurance coverage that would cover a multi-million-dollar ransom
    payment. After days of tense negotiation and brinkmanship, ARRL agreed to pay a
    $1 million ransom. That payment, along with the cost of restoration, has been
    largely covered by our insurance policy.

    From the start of the incident, the ARRL board met weekly using a continuing
    special board meeting for full progress reports and to offer assistance. In the
    first few meetings there were significant details to cover, and the board was
    thoughtfully engaged, asked important questions, and was fully supportive of
    the team at HQ to keep the restoration efforts moving. Member updates were
    posted to a single page on the website[1] and were posted across the internet
    in many forums and groups. ARRL worked closely with professionals deeply
    experienced in ransomware matters on every post. It is important to understand
    that the TAs had ARRL under a magnifying glass while we were negotiating. Based
    on the expert advice we were being given, we could not publicly communicate
    anything informative, useful, or potentially antagonistic to the TAs during
    this time frame.

    Today, most systems have been restored or are waiting for interfaces to come
    back online to interconnect them. While we have been in restoration mode, we
    have also been working to simplify the infrastructure to the extent possible.
    We anticipate that it may take another month or two to complete restoration
    under the new infrastructure guidelines and new standards.

    Most ARRL member benefits remained operational during the attack. One that
    wasn't was Logbook of The World (LoTW), which is one of our most popular member
    benefits. LoTW data was not impacted by the attack and once the environment was
    ready to again permit public access to ARRL network-based servers, we returned
    LoTW into service. The fact that LoTW took less than 4 days to get through a
    backlog that at times exceeded 60,000 logs was outstanding.

    The board at the ARRL Second Board Meeting in July voted to approve a new
    committee, the Information Technology Advisory Committee. This will be
    comprised of ARRL staff, board members with demonstrated experience in IT, and
    additional members from the IT industry who are currently employed as subject
    matter experts in a few areas. They will help analyze and advise on future
    steps to take with ARRL IT within the financial means available to the
    organization.

    We thank you for your patience as we navigated our way through this. The emails
    of moral support and offers of IT expertise were well received by the team.
    Although we are not entirely out of the woods yet and are still working to
    restore minor servers that serve internal needs (such as various email services
    like bulk mail and some internal reflectors), we are happy with the progress
    that has been made and for the incredible dedication of staff and consultants
    who continue to work together to bring this incident to a successful
    conclusion.

    This information was shared with ARRL Members via email on August 21, 2024.



    [1] https://www.arrl.org/news/arrl-systems-service-disruption


    ---
    ■ Synchronet ■ Whiskey Lover's Amateur Radio BBS