
ARRL Computer Security Incident – Member Report

08/22/2024

In early May 2024, ARRL's systems network was compromised by malicious threat actors (TAs) using information they had purchased on the dark web. The TAs accessed on-premises systems at headquarters and most cloud-based systems. They used a wide variety of payloads affecting everything from desktops and laptops to Windows- and Linux-based servers. Despite the wide variety of target configurations, the TAs appeared to have, for each system, a payload capable of encrypting or deleting network-based IT assets and issuing ransom demands.

This serious incident was an act of organized crime. The attack, which was highly coordinated and executed, occurred in the early morning hours of May 15. When staff arrived that morning, it was immediately apparent that ARRL had been the victim of a large-scale and sophisticated ransomware attack. The FBI described the attack as “unique” because it had not seen this level of sophistication among the many other attacks it has experienced. Within three hours, a crisis management team was assembled, consisting of ARRL leadership, an outside vendor with significant resources and experience in ransomware recovery, attorneys experienced in handling the legal aspects of the attack, including dealing with law enforcement, and our insurance company. Law enforcement was immediately contacted, as was the ARRL President.

The TAs' ransom demands for access to their decryption tools were outrageous. It was clear that they did not know, or care, that they had attacked a small 501(c)(3) organization with limited resources. Their ransom demands were significantly weakened by the fact that they had no access to any compromising data. It was also clear that they believed that ARRL had extensive insurance coverage that would cover a multi-million dollar ransom payment. After days of tense negotiations and high-wire maneuvering, ARRL agreed to pay a $1 million ransom. This payment, along with the cost of restoration, was largely covered by our insurance policy.

From the beginning of the incident, the ARRL Board of Directors met weekly in a special ongoing meeting to receive updates on progress and offer assistance. During the early meetings, there were significant details to cover, and the Board was thoughtfully engaged, asked important questions, and fully supported the headquarters team in moving the restoration effort forward. Member updates were posted on a single page of the website and were reposted across the internet in numerous forums and groups. ARRL worked closely with highly experienced ransomware professionals on each post. It is important to understand that the TAs had ARRL under their microscope as we negotiated. Based on the expert advice we were given, we could not publicly communicate anything informative, helpful, or potentially adversarial to the TAs during this time.

Today, most systems have been restored or are waiting for the interfaces to come back online to interconnect them. While we were in restoration mode, we also worked to simplify the infrastructure where possible. We anticipate that it may take another month or two to complete the restoration in accordance with the new guidelines and infrastructure standards.

Most ARRL member benefits remained operational during the attack, with the exception of Logbook of The World (LoTW), one of our most popular benefits. LoTW data was not impacted by the attack, and once the environment was ready to allow public access to ARRL network-based servers again, we brought LoTW back online. It is remarkable that LoTW took less than 4 days to process a backlog that at times exceeded 60,000 logs.

At the second ARRL Board meeting in July, the Board voted to create a new committee, the Information Technology Advisory Committee. This committee will be comprised of ARRL staff members, Board members with proven IT experience, and additional members from the IT industry who are currently employed as subject matter experts in relevant areas. They will help analyze and advise on future actions to be taken with ARRL IT, within the organization's financial means.

We appreciate your patience as we navigate this situation. Emails of moral support and offers of IT expertise have been well received by the team. While we are not completely out of the woods yet and are still working to restore minor servers that serve internal needs (such as various email services like bulk mail and some internal reflectors), we are pleased with the progress that has been made and the incredible dedication of the staff and consultants who continue to work together to navigate this incident.

This information was shared with ARRL members via email on August 21, 2024.