Franklin, Tennessee suffered a cyberattack in March. Do employees know their information was involved?

Franklin, Tennessee was the victim of a cyberattack in March. Because they have not issued any public statements or responded to inquiries as to whether they have notified those whose personal information was accessed or acquired, DataBreaches is providing this report.

In the Beginning

During a recent chat with the Trigona ransomware group about an attack on a medical entity, their spokesperson mentioned that they had also attacked FranklinTN and were willing to provide DataBreaches with proof and details. Because Trigona claimed that they still had access and were preparing to launch ransomware, DataBreaches reached out to Jason Potts, Franklin’s IT Director, by phone on May 8 and left him a message. The message told him that attackers were in the city’s network and they were preparing to launch ransomware. The message also left this site’s phone number where the IT director could call for more information.

When there was no response, DataBreaches sent an email to Potts, Shauna Billingsley (the city attorney), and a paralegal whose login credentials to numerous accounts included security questions with her personal information as answers.  The email did not include the name of the ransomware group but reported the group’s claim that they had exfiltrated more than 425 GB of files and had information on the police and fire department personnel as part of what they acquired. The email included specific security questions and answers that would have enabled the paralegal to recognize that yes, her credentials had fallen into others’ hands.

When there was still no response from the city, DataBreaches reached out to CISA and shared the information with CISA so that they could alert the city. Whether CISA contacted the city or not is unknown to DataBreaches, but DataBreaches received an acknowledgment of the initial contact and then a notice that they were closing the matter on May 26 as no further action on their part was required.

What We Know So Far

Trigona claims that they not only accessed FranklinTN’s network, but they claim they exfiltrated 428 GB of files that “include most employees’ passwords and information.”  As proof of the latter, they provided DataBreaches a list of login credentials. Trigona claimed some of them were taken from the Chief of Police’s browser. DataBreaches could not confirm that claim but the credentials provided appeared to be from a legal assistant to the city and from the public information officer for the police department. DataBreaches did not attempt to log in to any of the accounts, but did spotcheck and found that accounts in those usernames existed and those individuals are still employed by the city.

List of security questions answered by employee with personal details.Trigona also provided DataBreaches with an Excel file that showed a few employees’ login credentials to city accounts. One employee, a paralegal for the city, had answered numerous security questions for a number of accounts for the city, such as in what town her first job was, in what city she had met her spouse, and the name of her first stuffed animal. Not only did the breach appear to reveal personal information that puts the employee at greater risk of identity theft, but inspection of the Excel file revealed a lot of password reuse across various city accounts.

SWAT Callout Sheet with officers' names, ranks, and cell phone numbers. Redacted by DataBreaches.netTrigona also provided this site with files containing some personal information related to the police, SWAT team, and fire department, such as the SWAT callout roster, redacted by  “There should be a document with full information about each policeman and commando. Full name, photo, residential address and mobile phones,”  the Trigano spokesperson told DataBreaches about the full leak, not seen by DataBreaches.  Other files seen by DataBreaches related to the type of equipment and inventory maintained by the police and SWAT team, and the use of a drone for surveillance of a suspect in a drug selling case.

According to the spokesperson, Trigona was able to access FranklinTN on or about March 10. They claim that the IT department detected them and terminated the RDP login after about a week, but never detected all the beacons so they still had multiple means of access including Anydesk, VNC, proxy,  and TeamViewer. At one point, they provided DataBreaches with the results of a current scan of Franklin’s network.

The spokesperson also claimed the group was demanding 10 BTC to delete all the data. There was no mention of any decryptor because Trigano had not locked any data.

The City Responds

On May 11, DataBreaches received an email from a address from someone calling themself “Franklin TN.” They asked if DataBreaches could tell them who the hackers are and if there was some way to contact them. DataBreaches promptly provided them with both pieces of information.  (Note: the omission of the information in the email of May 8 was intentional so that DataBreaches would know if the city was trying to follow up on the email).

Days later, Trigona informed DataBreaches that someone claiming to represent Franklin showed up in their chat. The username of the representative was one DataBreaches has seen before as a negotiator for a college attacked by Bl00dy Gang. DataBreaches does not know which firm they work for, but they appear to be a professional negotiator.

One month later, Trigona’s spokesperson told DataBreaches that the negotiations were not going well because Franklin wanted a complete file list and Trigona was not inclined to give it to them. To DataBreaches’s surprise, though, Trigona informed this site that even though the city had not paid or agreed on an amount, Trigona gave them detailed information on how they had been attacked. “I gave them full assistance in hacking their network so that they quickly cover their holes and change all the possible flaws in their network.”

So not only did Trigona not launch the ransomware that they could have launched, but then they gave them information on how to secure their network against the type of things Trigona had done.

“We did not touch them, we decided to leave only the data. So that their work does not stop and goes on as usual. We can say that this was our first experiment in this format,” the spokesperson told DataBreaches. When DataBreaches expressed surprise about their strategy, the spokesperson elaborated, “We wanted to do the best we could, we even made the file buyback the lowest on the market. We do not need millions or some super-large sums. But as you can see, they ignore and do not understand the consequences.”

On June 8, DataBreaches emailed the mailfence account, asking whether employees had been notified of any personal or personnel information that had been acquired by Trigona.

They did not reply, so on June 11, DataBreaches sent the inquiry to city executives. But once again, there has been no reply.

So did Franklin ever tell their employees about the breach and any personal information acquired by Trigona that will be put up for sale?  And have they changed all of the passwords and login credentials that are now in Trigona’s hands?

Trigona’s listing for FranklinTN, seen by DataBreaches, says, in part:

By purchasing this information, you will have access to:

• Financial reports and budget projections for the city and its departments, allowing you to identify investment opportunities and potential areas for growth.
• Personal information of city officials, employees, and residents, which can be used for targeted advertising or even identity theft.
• Police reports, criminal investigations, and other law enforcement communications that could be useful in the wrong hands, for example, to blackmail or threaten individuals.
• Sensitive information from emergency services such as fire and rescue, which could be used to gain an advantage in emergency situations.
• Internal communications from the city’s administrative offices, providing insights into the decision-making processes of local government.

What Next for Trigona?

From what Trigona told DataBreaches, they were experimenting with just exfiltrating data and not locking it.  Given that FranklinTN only offered to pay $40,000 when Trigona wanted $150,000 to delete data, DataBreaches asked whether they were likely to continue the experiment of not encrypting victims. “Yes, while we will try in schools and hospitals,” the spokesperson told DataBreaches.

About the author: Dissent

Comments are closed.