

One week after the cyberattack on St. Paul’s computer system, the city council extended the local state of emergency to 90 days.
The city’s technology teams are now working to safely restore any impacted servers before bringing them back online, a process St. Paul Mayor Melvin Carter calls “forensic analysis.”
“That’s probably the most important lesson to learn,” says Kyle Loven, a former FBI agent. “Make sure our system is less vulnerable, as they contain a lot of very vital and critical information.”
But experts say finding who’s responsible for the hack is a big challenge.
“We can hide our identity behind the computer, and so this comes forward in a lot of different ways,” notes Jonathan Wrolstad, a former intelligence operative for the federal government. “When it comes to doing malicious activities, it’s perfect.”
Now a cybersecurity professor at the University of Minnesota, Wrolstad says he worked in Washington, D.C. for five years, tracking threat actors.
He notes hackers often hide their trail by hopscotching between internet service providers.
“They will proxy their internet traffic through several ISPs and often end up internationally, in a place that’s hard to investigate or somewhere that doesn’t reveal where they’re really from,” Wrolstad explains.
According to a 2024 FBI internet crime report, government facilities are the third-largest critical infrastructure sector targeted by hackers.
Wrolstad says the reasons are simple.
“They cannot suffer the downtime easily,” he explains. “People want to get back online and have their city services.”
But Loven says investigators do have tools to identify the attackers.
“Through IP addresses, there can be those traces. You can do it through subpoenas; you can go through service providers,” he says. “If it’s a state actor, you can try to get help through the host country to determine the identity of the IP address.”
The job of tracking down who’s responsible is being handled by the FBI and the Minnesota National Guard’s cyber unit.
Loven says the task is more difficult because hackers will use programs to mask their true identities.
“Until they determine the nature of the attack, i.e., what was compromised, what was stolen, what was the aim, or the objective of the attack, it’s going to be difficult to answer these types of questions,” he explains.