SF Muni hack contained. Next transit hack could be train wreck

The San Francisco transit system avoided paying a ransom and restored its systems. But the hack shows US infrastructure is vulnerable.

Laura Hautala
Laura Hautala
Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
4 min read

Train, bus and trolley car service was not disrupted by a hacking attack that started Friday.

Smith Collection/Gado/Getty Images

File it under "Bad, but could have been worse."

The SF Municipal Transportation Agency fell victim to a hacking attack in which someone or some group tried to extort about $73,000 from the transit service in exchange for giving back control of its computer systems. Rather than pay ransom, the agency, called Muni by locals, took back control after three days.

While Muni was restoring its systems, cybersecurity experts ended up hacking the transit hacker, poring through the servers and emails used by whoever is behind the attack and sharing the information with reporters.

Hacks of public services and government systems are becoming routine. In 2015, a hack of the US Office of Personnel Management led to the theft of data of more than 22 million federal employees. During the countdown to the 2016 US election, hackers accessed data on 200,000 Illinois voters from the state's voter registration database.

With the hack on Muni, it's clear attacks on government-run infrastructure are possible -- and the next hack on a transit agency could be much more dangerous than this one was.

Watch this: Hackers attempt to extort San Francisco transit agency

In fact, this might be the rare hack that doesn't turn into a PR disaster. That's because Muni, which runs San Francisco's bus, light rail and trolley car systems, had a backup of its system and no customer data was stolen.

Muni lost money by giving away free rides over the weekend, but it didn't pay the 100 bitcoins in ransom demanded by a hacker or hackers calling themselves "Andy Saolis." Instead, Muni restored its systems with help from the agency's internal tech team.

What's more, the hack wasn't as bad as the hacker claimed in an email sent to CNET and other news agencies, a Muni spokesman said. "Our customer payment systems were not hacked," Muni said in a statement Monday. "Also, despite media reports -- no data was accessed from any of our servers."

Thomas Pore, director of IT and services at cybersecurity company Plixer, said the the attack could have been "far worse" if Muni hadn't been able to restore its systems from backup copies of its data. The attack also lost some of its oomph because it didn't directly affect transit service in San Francisco. Instead, the hacker locked out some Muni personnel from their workstation computers and left the agency without access to some of its systems over the weekend.

The attack started Friday and plagued the agency until Sunday night.

The so-called Saolis gave a different account of the attack, gloating about his ability to compromise Muni systems. The hacker claimed Monday to have stolen 30 gigabytes of Muni employee, customer and technical data, in addition to hacking payment kiosks.

Saolis has been responding to questions sent to an email address registered with Yandex.com, a Russian email service. The email address was displayed by the attacker on Muni workstation screens.

In broken English, Saolis detailed these supposed achievements and said he was showing the world how bad the cybersecurity at Muni is. "Welcome !" he wrote in an email.

Saolis also provided a Bitcoin wallet in case anyone wanted to send a donation in gratitude for his hack. Muni is the bad guy here, Saolis seemed to insist.

"They give Your Money and everyday Rich more! But they don't Pay for IT Security and using very old system's !" Saolis wrote in the email.

The fact that Muni was able to restore its systems from backups suggests the agency is following the FBI's general recommendations for fighting this type of attack. Called ransomware, the attack often gets victims to click on malicious links, then downloads malicious software that scrambles up the victim's data. Then hackers demand a ransom to get it back. Saolis reportedly asked for 100 Bitcoin (about $73,000) in return for decrypting the agency's systems.

Muni "never considered paying the ransom," the agency's statement said. Muni doesn't yet have an estimate on how much money it lost by giving away free rides over the weekend, said spokesman Paul Rose. He added that the ransomware used to target Muni spreads through links in pop-up ads.

While Muni is looking smart right now for backing up its data and systems, the hacker, it seems has become the hacked.

Security writers Brian Krebs of KrebsOnSecurity and Thomas Fox-Brewster of Forbes each reported Tuesday that a cybersecurity expert contacted them to say they'd accessed the servers of the person behind the Muni hack. The expert, who spoke with reporters anonymously, determined that whoever is running the Saolis email account and servers is based in Iran.

Many of the hacker's victims have paid ransoms to him, and some of them have even paid extra for the hacker to help them secure their systems from future attacks, Krebs wrote.

While the hacker might be looking foolish now, the attack is still unsettling, according to cybersecurity expert Pore.

"Now there is proof that public transportation is at risk," he said.