An early warning network designed to notify subscribers about dangerous weather in Australia has been compromised. The hacker sent many bogus messages via phone, SMS, and email, telling users that the service had been hacked.
Early Warning Network, a service used by local governments to send notifications about weather hazards, found itself firing these rogue missives into the void late on Saturday evening. They haven’t revealed how many people received a message, but they caught the attack quickly and shut it down.
A warning from Early Warning Network
The website says:
At around 930pm EDT 5th January, the EWN Alerting system was illegally accessed with a nuisance message sent to a part of EWNs database. This was sent out via email, text message and landline. EWN staff at the time were able to quickly identify the attack and shut off the system limiting the number of messages sent out. Unfortunately, a small proportion of our database received this alert
The text sent to subscribers read as follows:
EWN has been hacked. Your personal data is not safe. Trying to fix the security issues. Email [address] if you wish to unsubscribe.
If you were on the receiving end of the email version, you would have found it to be identical:
Click to enlarge
Some people in EWN’s comments sections reported receiving phone calls simply stating “You have been hacked,” which would be a little alarming, to say the least. An Early Warning Network shouldn’t come with a warning, but this is where we’re at.
How did they do it?
The alert service has so far confirmed that the attack took place from inside Australia, and the rogue message was the result of login credentials obtained without permission. There’s no other information available at time of writing, but it does seem likely that this was a targeted spear phish.
EWN have also stated that user information wasn’t at risk:
The unauthorized alert sent on Saturday night was undertaken by an unauthorized person using illicitly gained credentials to login and post a nuisance spam-notification to some of our customers. The link used in this alert were non-harmful and your personal information was not compromised in this event. Investigations are continuing with the Police and Australian Cyber Security Centre involved
This directly contradicts the hacker’s claim that “your personal data is not safe.” It is also claimed that the links in the emails and SMS messages were not harmful.
What was the point?
Given the flat denial of user data being put at risk, it seems this is more about reputation damage. Perhaps someone has a weirdly specific grudge against a lifesaving service, or maybe it’s just a trollish prank done for cheap laughs. Either way, it’s an incredibly careless thing to do.
In the Phlippines, PHIVOLCS warn about seismic activity and volcano eruptions, while PAGASA deal with weather systems, typically via media alerts and social media. These are high-end setups, almost always government run. In the US, a variety of warnings are available under wireless emergency alerts, which can include everything from weather safety to AMBER alerts. Early warning systems can save thousands—as was evident by the lack of systems in place to warn tourists and locals about the Boxing Day tsunami in 2004, which claimed more than 200,000 lives.
That’s why alert system tampering is always a bad idea. If people unsubscribe as a result of this attack, they could potentially put their lives in danger. EWN is not a huge organisation, and this attack on their systems and reputation could have a huge impact. It’s no wonder police are quick to investigate the attack taking place on this particular network.
What can the affected organisation do now?
Given there’s no further information as to how credentials were obtained, we can only offer an educated guess. If our hunch from earlier is correct, and it is a targeted phish, then some staff training may be needed. Additionally, they shouldn’t be relying on “just” a password to keep things safe.
Even the longest password around is a chocolate fireguard if someone manages to swipe it. That’s where two-factor authentication (2FA) comes into play. If more than one person has to share a single login, there’s a number of ways to get around that, too. Some password managers let groups share logins without revealing the password. If you haven’t thought about beefing up password security, now is as good a time as ever.
Most people have seen an article about hacked road signs at some point, and probably suppressed the odd giggle or two. There are good arguments for not doing that; there are great arguments for not messing with emergency alert systems.
It remains to be seen if the person responsible for this will be caught. This is definitely not a great situation for anyone reliant on the integrity of these networks in bad weather regions. Will anyone even believe the next message sent out? And how much trouble will the person who did this be in, should fatalities occur? Our feeling is, a slap on the wrist is not enough.