As Baltimore remained under curfew after riots over Freddie Gray's death, a cyberattack knocked out the city's website while hackers who sympathized with protesters on the streets threatened to target the government's computer systems, according to newly released documents.
The behind-the-scenes cyberbattle shut down the website baltimorecity.gov for at least 16 hours, according to a situation report dated May 1. The site, which provides information on government services, updated citizens on the citywide curfew at the time.
"Not sure when site will be up and running. Need to set up alternatives," the report stated.
Emails and other documents obtained by The Baltimore Sun this week under the Maryland Public Information Act give new insights into the attack as well as a campaign that targeted police and city databases and claimed to be affiliated with Anonymous, an international network of activist hackers.
The documents also detail efforts to combat the hackers by information technology experts, including city and state officials, a special detachment of National Guard troops, and a Baltimore security company that witnessed activity online and offered its services.
Computer security analysts said that activist groups frequently launch hacking campaigns amid civil turmoil — and that government officials often find themselves ill-equipped to respond.
Such attacks can be minor nuisances that knock out websites for short periods or major security breaches that put troves of sensitive data at risk and disrupt access to government services.
Richard Forno, who teaches cybersecurity at the University of Maryland, Baltimore County, said local governments need to be prepared for online attacks. "We should expect these type of parallel attacks or cyberactivism to coincide with social unrest," he said.
In Ferguson, Mo., the scene of protests after the death of another unarmed black man in a confrontation with police, hackers disrupted the city's website and servers.
Gray died April 19, a week after suffering a severe spinal cord injury while in police custody. His death touched off widespread protests against police brutality, and rioting, looting and arson on the day of his funeral. To restore calm, Mayor Stephanie Rawlings-Blake imposed the curfew, and National Guard troops were deployed.
Jerome Mullen, chief technology officer under Rawlings-Blake, said in an interview that his team had been working to improve the security of the city's networks before the riots broke out. "The events of the civil unrest went beyond any normal type of cyberattack," he said.
As tensions mounted in the days after Gray's death, city leaders began to receive warnings that attacks were imminent and that their networks were vulnerable, the documents released this week show.
On April 25, someone claiming allegiance to Anonymous, the amorphous group of hackers, posted a message to the website Pastebin. A link to the message appeared in a catalog of social media posts included in the city documents.
"Anonymous is drawing a line in the sand, and that line runs right through Western Police Station," the post reads. "How many more of our children, brothers, and sisters will we let them take from us?"
The post called on protesters to continue taking to the streets and members of Anonymous to hack a number of city websites and share any information they found.
The city documents also note efforts to release information on specific police officers — a practice known as "doxing," in which hackers seek to leak the private records of individual targets.
Six Baltimore police officers were charged on May 1 in Gray's arrest and death. They were subsequently indicted and have pleaded not guilty to all of the charges. A trial is set for October.
Two days after the Anonymous post appeared, James C. Foster, chief executive officer of Baltimore social media and cybersecurity company ZeroFOX, emailed city leaders with the subject line: "IMMEDIATE CALL to ACTION: ZeroFOX needs to help Baltimore City ASAP."
Foster said the company had applied its technology to the police and city sites and found a number of problems. He wrote to officials, calling the deficiencies they discovered "alarming."
His message went to computer security officials and a state intelligence agent, the emails show, and Foster said officials asked the company to help. ZeroFOX produced a report dated April 28 that outlined a number of threats to and weaknesses in the city's defenses, including out-of-date software, and suggestions for fixes.
"It's pretty typical," Foster said. "I don't think Baltimore is any worse than any place else. Everybody in the world has problems with security."
The report also identified several online accounts as "threat actors." It identified accounts tied to Anonymous as cyberthreats, and said well-known activists including DeRay McKesson posed a physical threat.
McKesson, a Baltimore native who participated in protests in Ferguson and here, said in a Twitter message that the threat designation was "a reminder that the truth has always been a threat to a corrupt [government] apparatus."
Foster said ZeroFOX software identifies potential threats based on the content of online messages and social media ties, and it is up to human analysts to decide whether any response is needed.
"I wouldn't say that we characterized them; it's the system," he said.
City officials continued to get warnings. On April 29 the FBI identified a malicious email being sent to city accounts, according to a bulletin from the Maryland Coordination and Analysis Center. The email targeted a weakness in Web-based message systems.
"Please be extremely suspicious of any unexpected emails that contain themes related to the current unrest in Baltimore," the bulletin reads.
Then, on April 30, the city's site collapsed.
The emails and documents released in response to The Baltimore Sun's public records request do not identify who was responsible for the attack.
Mullen said in an interview that the city fell victim to a common tactic known as a denial-of-service attack, which involves flooding a site with traffic until it is forced offline.
The May 1 situation report — prepared by the city's emergency management office, which gave regular updates during the unrest — noted as new information in red text that the site was down because of a cyberattack.
"Current downtime 16hrs 20 mins as of 1000 hrs," the report reads.
Just before midnight, an updated situation report announced that the attack had been overcome.
"We are working and protected," the later bulletin read. "We are working on protecting sub-sites. Continuing to mitigate risks and stay online."
Mullen said he did not know of any data taken during the attacks, and a spokesman for the mayor said internal systems continued to function even as the website was down.
Mullen said that his team has been working to make improvements and that addressing all vulnerabilities is a difficult task. He declined to discuss details.
"Information security is a priority of the city," Mullen said. "Any time bad actors seek to disrupt communication — internal communication, or communication with the citizens — we take that very seriously."