A malware outbreak that downed the entire network of the highways agency serving the city of Chicago for two weeks last month was probably caused by a single employee or infected USB stick, a local TV station has reported.
The June “virus” attack eventually affected 200 PCs, disrupting the network for Cook County Department of Highway and Transportation, one of the US’s largest urban counties comprising 130 Chicago municipalities and over 5 million people.
As the malware rapidly spread through its downtown HQ, the agency's IT team was forced to pull the plug for nine working days, temporarily sending the workforce back to calculators, fax machines, pens and paper before a neighbouring county took pity and lent them some clean PCs.
The cause of the outbreak has not been identified but officials reportedly said they were working on the theory that an external USB drive was to blame. Such drives were not currently blocked.
“It’s very weird to see how dependent we are on technology on a day-to-day basis. And to have that ripped from you is a shock to the department,” Cook County CIO Ricardo Lafosse was quoted as saying.
Although described as a virus in the usual generic language, the speed of spread guarantees that the unidentified malware had a worm component, probably introduced after the first affected machine was hit with a backdoor Trojan.
The culprit is unlikely to have been a sophisticated APT-style attack. TV reports said that the malware had renamed some files on network shares with “inappropriate labels,” a behaviour designed to attract attention for its nuisance value.
It is rare for the exact cause of such outbreaks to be identified; indeed it is relatively rare for such outbreaks to be given publicity at all.
Notable cases in the US have focussed on consumer-facing departments, including a hospital forced in late 2011 to turn away patients after another "virus" incident.
Inevitably, questions are now being asked about the County’s defences and the length of time it took to restore network access. Five IT staff had required over 200 hours to fix the issue, the TV station said.
Small to mid-sized networks of the sort run by Cook County represent a particularly vulnerable target for malware. Such organisations run large enough networks and important services that they can easily be floored by relatively simple malware whilst lacking the staff resources or budgets to either defend themselves or clean up when an attack occurs.
IT managers at similarly-sized public sector departments the world over will shudder.