Attack indicators for NG-911 networks
The attack and heist
Unfortunately for the Sheriff’s Office and the surrounding agencies, there were no smoking guns that indicated their systems had been compromised. Several months had passed since the spear-phishing attacks, so they had been written off as an unsuccessful attempt. On the morning of the heist, the GIS database was updated with a new GIS boundary that surrounded the Diamond Exchange and several city blocks. It was assigned to the default agency that the vendor had created for the test. Thirty minutes before the heist was to take place, the agency zombies were instructed to create phony calls for emergency services all over the county. Hundreds of car crashes, burglar alarms and fire alarms filled up the computer-aided dispatch (CAD) screens.
Emergency services were strategically being led away from the Diamond Exchange in preparation for the heist. Shortly after the CAD queues in the 911 center were filled with spurious calls, the second wave of zombies was called into action. Thousands of voice calls were generated to the Sheriff’s Office and the 911 center. This distributed denial of service (DDoS) attack flooded the 911 system and filled all of the available caller queues, even the overflow queues.
Though the owners of the Diamond Exchange were shocked to see the robbers destroying the display cases and taking diamonds, they were confident that law enforcement soon would arrive. Every crash of the display case would sound an additional alarm that could be heard even outside the store. Witnesses from neighboring stores were calling 911, only to find the lines either busy or silent. Even if the callers were lucky enough to get past the calling zombies, their calls would have been routed to the default agency—where no one would answer.
The robbers loaded diamonds into their bags for more than 10 minutes before fleeing the area. Later, several dispatch calls were discovered that had been generated automatically with the crash of each display case or the pressing of the panic button. Unfortunately, all were closed in the default agency’s history because of the prior work done by the attackers. And not a single telephone or cellular phone caller in the neighborhood was able to get through to 911 for hours.
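The scenario above surfaces three indicators a 911 center could have alarmed on before the heist finished: a GIS boundary update assigned to the vendor's default test agency, a call-volume surge far above the normal rate, and incidents being closed in that default agency without any unit ever being dispatched. The Python below is an added example, not code from the original article, that runs those three checks over a constructed CAD/GIS event log. The agency name DEFAULT_TEST, the event field names, and the baseline of five calls per ten-minute window are assumptions chosen for the example.

```python
"""Indicator checks over a constructed CAD/GIS event log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Agencies that should never own live boundaries or incidents.
# The name DEFAULT_TEST is an assumption made for this example.
DEFAULT_AGENCIES = {"DEFAULT_TEST"}


def _ts(s):
    return datetime.fromisoformat(s)


def build_sample_events():
    """Constructed event log (not real CAD data): normal background calls,
    a GIS update assigned to the test agency, a call flood, and incidents
    closed under that agency with no dispatch."""
    events = []
    # Normal background traffic: one call every 2.5 minutes.
    for i in range(4):
        events.append({"ts": _ts("2024-05-01T08:00:00") + timedelta(minutes=2.5 * i),
                       "type": "call", "source": f"555-01{i:02d}"})
    # Indicator 1: boundary change assigned to a default/test agency.
    events.append({"ts": _ts("2024-05-01T09:00:00"), "type": "gis_update",
                   "boundary": "poly-4471", "agency": "DEFAULT_TEST", "user": "svc_gis"})
    # Indicator 2: call flood, 60 calls in ten minutes.
    for i in range(60):
        events.append({"ts": _ts("2024-05-01T09:30:00") + timedelta(seconds=10 * i),
                       "type": "call", "source": f"555-9{i:03d}"})
    # Indicator 3: incidents closed in the default agency with nothing dispatched.
    for i in range(3):
        events.append({"ts": _ts("2024-05-01T09:41:00") + timedelta(minutes=i),
                       "type": "incident_closed", "agency": "DEFAULT_TEST",
                       "dispatched": False, "incident": f"INC-{i}"})
    return events


def gis_changes_to_default_agency(events, default_agencies=DEFAULT_AGENCIES):
    """Any boundary update that lands on a default/test agency is suspect."""
    return [e for e in events
            if e["type"] == "gis_update" and e["agency"] in default_agencies]


def call_volume_spikes(events, window_minutes=10, baseline_per_window=5, factor=3):
    """Bucket call events into fixed windows and return (window_start, count)
    for windows whose count exceeds factor * baseline. The baseline is an
    assumed figure; a real deployment would derive it from history."""
    buckets = defaultdict(int)
    window = timedelta(minutes=window_minutes)
    epoch = datetime(1970, 1, 1)
    for e in events:
        if e["type"] != "call":
            continue
        start = epoch + ((e["ts"] - epoch) // window) * window
        buckets[start] += 1
    return sorted((start, n) for start, n in buckets.items()
                  if n > factor * baseline_per_window)


def undispatched_closures_in_default_agency(events, default_agencies=DEFAULT_AGENCIES):
    """Incidents closed in a default/test agency without a dispatch are the
    automatic alarms that silently disappeared in the scenario."""
    return [e for e in events if e["type"] == "incident_closed"
            and e["agency"] in default_agencies and not e.get("dispatched", True)]


def run_checks(events):
    """Summarise hits per indicator so a monitor can alert on any nonzero count."""
    return {
        "gis_default_agency": len(gis_changes_to_default_agency(events)),
        "call_spike_windows": len(call_volume_spikes(events)),
        "undispatched_default_closures": len(undispatched_closures_in_default_agency(events)),
    }


if __name__ == "__main__":
    sample = build_sample_events()
    for name, hits in run_checks(sample).items():
        print(f"{name}: {hits}")
    for start, n in call_volume_spikes(sample):
        print(f"call spike: {n} calls in window starting {start.isoformat()}")
```

The GIS check is the one with the longest lead time: the boundary change in the story was made on the morning of the heist, well before the call flood, so a review of every boundary assignment to a default or test agency would have fired while there was still time to act. The other two checks only confirm the attack once it is under way.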