Kansas City’s official website is back after it was down all week. Was it a cyber attack?

The Kansas City government website is back online Thursday, officials said, after what they’re calling a computer outage. The municipal court was closed until Wednesday, due to the same issue. While officials haven’t publicly called the incident a cyber attack, cyber security breaches are on the rise locally and nationally, and experts say that trend is likely to continue.

City officials first noticed there was an issue Saturday morning. As a result, hearings and trials had to be continued to later dates. People could not post bond. The court’s email service was also down, along with other city officials’ emails.

Kansas City spokesperson Sherae Honeycutt said as of May 6 and until the website is fully functioning, a grace period is in place for anyone having difficulty making payments through the city’s systems. Payments for cases filed before Nov. 6, 2023 cannot be made through the Missouri Casenet system. Bonds can be posted at designated police stations.

Honeycutt said while most city departments have continued to operate as usual, KC Water’s payment services are still unavailable. Residents must pay with cash or check at 4800 E 63rd Street until the website is fully back up.

This week’s incident marks the latest in a string of recent cyber disruptions to Kansas City government and surrounding municipalities — illustrating an escalating pattern of cyber threats.

On Jan. 25, a ransomware attack, in which bad actors seize control of computer systems and demand a ransom before they relinquish control, impacted the Kansas City Area Transportation Authority. Regional call centers and KCATA landlines couldn’t receive calls because of the attack.

On April 2, Jackson County’s assessment, collections and record of deeds offices were closed due to a ransomware attack.

A few weeks later, Kansas City Scout operators had an outage after a cyber attack that prompted officials to shut down the traffic information system for the metro as a protective measure. The Play Ransomware group claimed responsibility for the cyber attack Tuesday, according to Jack Danahy, vice president of strategy and innovation at NuHarbor Security. Who carried out the attack has not been officially confirmed. Officials say the KC Scout cameras and message boards could be down for months.

Last year, a cyber attack also shuttered online access to Kansas courts for months. It was found to have been orchestrated by affiliates of a Russian-based ransomware group.

During the pandemic, the Independence City Council voted to spend $4 million to beef up the city’s cybersecurity protections and upgrade the outdated computer network. Four months later, the city’s system was attacked. Officials at that time said it was caught before it could infect the whole network.

Why target local governments?

Ransomware attacks are increasingly directed at government agencies, law enforcement and public service departments because they tend to have weaker cyber security controls and measures than private companies, according to Kaustubh Medhe, vice president of research and threat intelligence with Cyble, which specializes in gathering intelligence from the different depths of the internet.

“Most of the ransomware groups have a variety of mechanisms to actually infiltrate a victim’s network. It generally starts off either with a phishing mail or maybe a malware, which helps you steal credentials of users, or by exploiting some kind of a vulnerability,” he said.

In fact, over 90% of successful cyber attacks start with a phishing email, according to Cybersecurity and Infrastructure Security Agency regional external affairs officer Jeffery Kelly.

The ecosystem surrounding ransomware has changed over the past few years, Danahy said, noting there’s now a two-tier economy inside the ransomware groups. One creates the infrastructure used to run the technically difficult parts of the attack to spread the vulnerability. Then, they sell access to the platforms to affiliates, which Danahy defines as organizations that figure out how to run a phishing attack or find a way to get into the system. Once the attack is over, the groups do a revenue split.

“If you are the attack group that’s creating the infrastructure, you get reuse of the tooling that you’ve built for whatever purposes. And then if you’re one of the affiliates, you can actually get these relatively sophisticated attacks done without having to understand or use all the technical underpinnings of them yourself,” he said.

Governments being targeted also means residents are at increased risk of having their information leaked to the dark web. The issue has become so prevalent, Danahy said, that people should recognize their information could very well already be out there.

What do investigations look like?

The first step for investigators after an attack is to isolate the issue by disconnecting from the network, which could lead to shutting down websites, Medhe said. Governments and private companies typically have incident response plans in place to rely on.

Security teams have to put together a timeline and figure out how the attacker got in, what they accessed and what was moved out of the network. This, he said, takes a lot of skill and time. Investigations can take anywhere from a few weeks to a few months depending on how widespread the infection was.

During this time, residents could encounter issues with doing business or paying bills online, could contend with longer wait times and could lose access to the same level of service responsiveness from government agencies, Medhe said.

“My recommendation always is that as citizens we have a responsibility to both respect and have some patience with the team during the cleanup, but we also have the responsibility to demand transparency,” Danahy said.

“The last thing you want to have happen is for the organization to feel pressured to get it over with quickly. And they leave some small amount behind, which allows the same attackers to have a back door to do it again.”

What can be done to prevent attacks?

After the attack, governments should “make sure antivirus and endpoint security solutions are up to date on their endpoints and servers, so they can detect any suspicious activity and block them before an attack goes through,” Medhe said.

Companies and governments must also have a strong patch management program to regularly look for vulnerabilities, educate staff on phishing attacks and teach the help desk about social engineering to prevent bad actors from calling and posing as employees in order to have a credential reset, according to John Bryant, cybersecurity advisor with the Cybersecurity and Infrastructure Security Agency.

The agency offers no-cost resources ranging from assessments to cyber hygiene scanning to workshops. It also offers training and tabletop exercises to mature cyber security programs.

Kansas City officials have not disclosed the cause of the latest computer outage and did not immediately respond to a request for comment. The Kansas City FBI confirmed they’ve been in contact with the city, but did not provide further information.