Organization: Kalix municipality
Goal: Provide a secure process to reset all employees’ passwords after a ransomware attack
Result: 2000 password resets within just a few days of implementation
Solution: Specops uReset
Reviewing password management was already on the agenda when a group of hackers used weak and hacked passwords to carry out a ransomware attack on the municipality of Kalix in Sweden. The December 2021 attack shut down all of the municipality’s computer systems, causing widespread problems, from the elderly not receiving home healthcare to salaries not being paid correctly.
The municipality worked with IT consultants and security experts to complete the equivalent of three years of system upgrades over the course of three weeks.
Kenneth Björnfot, Head of IT for Kalix, explains that implementing a secure password reset solution was essential before the 1400 full-time employees could start working in the computer systems again.
“We locked all accounts and informed our staff that they would need to authenticate with Mobile BankID to set a new password,” Kenneth says. “Everyone is familiar with BankID so it was very easy for them to authenticate themselves and reset their passwords. And from IT’s point of view, we know that the process is secure.”
Mobile BankID is a high-trust electronic identification system which is used in Sweden to authenticate to government services, banks, credit institutions and many other services that require trusted authentication. The system depends on personal identity numbers, which can be stored in an attribute in Active Directory.
Kalix already had the personal identity numbers in Active Directory, which made the rollout of Specops uReset a seamless experience for Kalix employees. The staff went to the correct URL, authenticated themselves with Mobile BankID and were instructed to set a new password. The new password requirements are more stringent to prevent the use of insecure passwords.
The role of weak passwords
The police investigation is still underway to determine the events that led to the ransomware attack, but Kenneth explains that weak and hacked passwords were to blame.
“In tracing the path the attackers took, we can see the accounts they gained access to and the weak passwords in use,” Kenneth says. The news media reported that the attackers were in the system for some time before infecting all systems with the virus and demanding a ransom, which the municipality refused to pay.
Prior to implementing Specops uReset, password resets were handled by the service desk staff. To reset a password, an employee would call the service desk, say the personal identity number, and receive a temporary password over the phone. Changing the temporary password was not required, and employees often continued using it for long periods of time, which could compromise security. The other major security concern with this process is that a criminal could easily impersonate an employee to get a temporary password, since personal identity numbers are readily available online.
Specops uReset not only enabled the Kalix municipality to clean up its post-attack password reset problem quickly, but also lifted the burden on its internal IT desk moving forward.
In the wake of this attack, other municipalities are reviewing their security posture and weaknesses associated with passwords. A quick way to do this is to start with a situational analysis and complete a password audit to highlight password-related vulnerabilities. Specops Password Auditor was developed to identify multiple vulnerabilities and make them exportable in report format, all in a matter of minutes.