The Housing Authority of the City of Los Angeles, or HACLA, is once again dealing with a severe ransomware incident. The Cactus ransomware gang has claimed responsibility for a cyberattack that reportedly exfiltrated nearly 900GB of sensitive data from the organization. This marks HACLA’s second major cybersecurity breach in just two years, spotlighting significant challenges in securing critical public sector data.
The Current Attack: Cactus Strikes
HACLA, responsible for managing over 32,000 public housing units and overseeing a budget of $1 billion annually, confirmed the attack. “We’ve been affected by an attack on our IT network. As soon as we became aware of this, we hired external forensic IT specialists to help us investigate and respond appropriately,” a HACLA spokesperson told BleepingComputer. The Cactus group claims to have accessed a significant amount of confidential data, including:
- Personal identification information
- Database backups
- Financial documents
- Executive and employee records
- Customer information
- Internal corporate communications
To back their claims, Cactus uploaded an archive allegedly containing samples of the stolen data. While HACLA insists that its core systems remain operational, the extent of the breach and the potential damage remain unclear. The agency has not yet specified when the attack was first detected or the timeline of its containment efforts.
The Breach Before: LockBit’s Year-Long Infiltration
This isn’t the first time HACLA has been targeted. In 2022, the LockBit ransomware gang managed to breach HACLA’s network and maintain unauthorized access for nearly a year before detection. The timeline of the first attack is telling:
- January 15, 2022: LockBit gained initial access to HACLA’s systems.
- December 31, 2022: HACLA’s IT team discovered their systems had been encrypted, prompting an immediate server shutdown.
- January 27, 2023: LockBit published the stolen data after ransom negotiations failed.
- February 13, 2023: An investigation revealed the true scope of the breach.
The discovery of encrypted systems on New Year’s Eve 2022 forced HACLA to take swift action by shutting down its servers and launching an investigation. Despite efforts to mitigate damage, the investigation revealed that highly sensitive data, including Social Security numbers, birthdates, passport and driver’s license numbers, tax and military IDs, financial details, and health records had been compromised.
The Fallout From Refusing to Pay
HACLA’s decision not to pay the ransom led LockBit to escalate their pressure tactics. They initially published samples of stolen data to prove their possession of valuable information and later released the full data set on January 27, 2023, after failed negotiations.
While the download link on LockBit’s extortion site eventually became inactive, reducing the immediate spread, the breach’s impact remained significant due to the length of unauthorized access and the sensitivity of the compromised data.
The Cactus Ransomware Group: A New Threat
The Cactus ransomware gang, relatively new on the cybercrime scene since their emergence in March 2023, is already making waves with sophisticated double-extortion tactics. This method involves both encrypting files and stealing data, with the threat of public disclosure used as leverage. Their modus operandi includes purchasing stolen credentials, executing targeted phishing attacks, and exploiting vulnerabilities in publicly accessible systems.
By publishing snippets of allegedly stolen HACLA documents on their leak site, Cactus signaled their possession of highly confidential material, ramping up pressure on the agency. This public display underscores the severe security challenges facing public institutions, particularly those that handle large amounts of personal data.