The Killeen City Council on Tuesday heard what it called an after-action report on the Aug. 7 “incident,” a presentation in which the city of Killeen touted what officials considered a successful recovery from the cyberattack.
The ransomware attack, first reported on Aug. 8 and publicly acknowledged by the city of Killeen on the same day, impacted services related to utility collections, police records and electronic employee timekeeping.
Executive Director of Information Technology Willie Resto gave the presentation and said that the issues were resolved within 36 hours.
But, critically, the BlackSuit hackers, who claimed responsibility for the hack, gained access to the city of Killeen’s systems on July 30 and weren’t detected until Aug. 7, when an airport worker could not clock in, Resto said.
“Despite all the technology defenses that we have, human error remains a significant vulnerability,” Resto said.
He said the only financial cost the city of Killeen had to pay was approximately $34,000 for a forensic audit.
“The city was able to successfully reduce the fallout of the cyberattack by having a good backup solution, and skilled staff determined to keep the city infrastructure operational,” Resto said.
He said all city systems have been sanitized and restored. The only systems still affected are some credit card machines that need to be replaced.
Resto said that neither the city of Killeen nor its insurance had paid any ransom.
He went through the list of questions that the Herald had sent the day prior to the council members and answered virtually all of them. Some of them were answered during his presentation.
It was by far the most comprehensive answer the city of Killeen has given publicly on the Aug. 7 cyberattack since it happened; until then, the city had flat-out refused to answer any questions, without much explanation.
Resto said they lost only one day of operation data, on Aug. 6, that no outside IT firm was hired and that the recovery was completed by the city of Killeen’s own in-house IT department.
“We can’t confirm with certainty of how the initial attack was comprised,” Resto said. “We can speculate that it was a result of phishing or brute force.”
He said the entrance came from a valid username and a valid password.
Resto praised his team, saying the average recovery time for a city is 24 days and they accomplished the same thing in approximately 30. He also said cyberattacks have become increasingly common, referencing a cyberattack that occurred in Richardson just Wednesday.
Resto said the City Council’s approval of backup systems is “what saved us.”
Numerous city council members, including Michael Boyd and Joseph Solomon, requested to ask questions in closed session.
Mayor Debbie Nash-King commented that the presentation before the City Council was just a way to “control the narrative.”
However, Boyd suggested deferring the closed session discussion because Tuesday was also National Night Out, a national day that celebrates the work of police departments.
BlackSuit is a new iteration of Royal Ransomware, which was responsible for the hack on the city of Dallas, ultimately costing the city as much as $8.6 million, according to the Dallas Morning News.
On Aug. 7, the same day as the ransomware attack on the city of Killeen, the FBI and Cybersecurity and Infrastructure Security Agency released a joint statement announcing the rebranding of Royal ransomware as BlackSuit.
That same report goes into detail on the exact technical methodology used by BlackSuit with the updates clearly marked Aug. 7, such as “(Updated August 7, 2024) FBI observed BlackSuit actors using legitimate remote monitoring and management (RMM) software to maintain persistence in victim networks,” according to the CISA website.
In addition, the ransom note, which the FBI and CISA report as new on their website, marked on Aug. 7, is the same ransom note left for the city of Killeen.
“Your safety service did a really poor job of protecting your files against our professionals.
Extortioner named BlackSuit has attacked your system.
As a result all your essential files were encrypted and saved at a secure server for further use and publishing on the Web into the public realm.
Now we have all your files like: financial reports, intellectual property, accounting, law actions and complaints, personal files and so on and so forth.
We are able to solve this problem in one touch.
We (BlackSuit) are ready to give you an opportunity to get all the things back if you agree to make a deal with us.
You have a chance to get rid of all possible financial, legal, insurance and many others risks and problems for a quite small compensation.
You can have a safety review of your systems.
All your files will be decrypted, your data will be reset, your systems will stay in safe.
Contact us through TOR browser using the link ….”
The city of Killeen asked the Office of the Attorney General on Tuesday to deny two Open Records requests for emails to and from Resto, citing “confidential records related to security and/or infrastructure for computers.”
“The record that is responsive is intimately related to and reveal the City’s design, operation, and defense of its computer network,” the letter from the city of Killeen’s attorney to the AG said. “This email was sent to the City’s governing body- city council for awareness purposes only. Additionally, these records contain information directly related to network vulnerabilities, computer programs, network system and interfaces, and reveal the City’s routine efforts to prevent, deter, and investigate or mitigate a computer security incident. The release of this records would harm the City by revealing incidents related to security and computer infrastructure.”
The city of Killeen, however, was prepared to release these emails along with Resto’s other emails for the fee of approximately $6,200 just last month.
The city of Killeen has also refused to release its internal and external audits of its IT Department from 2022 and 2023, disputing their release through Open Records with the AG despite previous audits of the department being publicly available on its website.
Some of those audits, including one in 2018, found “poor communication skills” with its then executive director, staff working on outdated technology and phone calls going unanswered among numerous other problems.
Resto said during his presentation that the city of Killeen has 14 open records requests, which have cost staff time.
“I have to be careful what I can share because we don’t want to give the hackers any information,” he said, citing a government code, which he said only allows him to impart information to government officials, law enforcement agencies and others.
He said the reason he personally wasn’t willing to answer any questions from the Herald was that he was waiting for the forensic audit to be done, which was completed only early last week.