Emergency Communications Network Breach Incident Score: Analysis & Impact (EME5462554112725)

In this Rankiteo incident briefing, we review the Emergency Communications Network breach identified under incident ID EME5462554112725.

The analysis begins with a detailed overview of Emergency Communications Network's information like the linkedin page: https://www.linkedin.com/company/emergency-communications-network-llc, the number of followers: 1019, the industry type: IT Services and IT Consulting and the number of employees: 56 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 100 and after the incident was 100 with a difference of 0 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Emergency Communications Network and their customers.

City of Harrisburg, South Dakota recently reported "Cyber Attack on Harrisburg's CodeRED Emergency Notification System by Crisis24", a noteworthy cybersecurity incident.

A targeted cyber attack compromised the OnSolve CodeRED emergency notification system in Harrisburg, South Dakota.

The disruption is felt across the environment, affecting OnSolve CodeRED emergency notification system (single server), and exposing Names, Addresses and Email addresses.

In response, teams activated the incident response plan, moved swiftly to contain the threat with measures like Prompt closure of the affected server, and began remediation that includes Migration to another Crisis24 server, while recovery efforts such as Restoration of alerting and public notification capabilities by late November 2024 continue, and stakeholders are being briefed through Public disclosure via Dakota News Now, Letter from Crisis24 published on the city website with FAQs and contact email and Alternative communication channels (news stations) for snow emergencies.

The case underscores how Ongoing (restoration in progress; no final report mentioned), teams are taking away lessons such as Increasing reliance on online services heightens exposure to cyber risks, even for critical systems like emergency notifications. Proactive coordination with service providers and backup communication plans are essential for resilience, and recommending next steps like Enhance server security for emergency notification systems, Implement multi-layered authentication and access controls and Develop redundant communication channels for critical alerts, with advisories going out to stakeholders covering City coordinated with Crisis24 and prepared alternative communication methods for residents.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Exploit Public-Facing Application (T1190) with moderate to high confidence (75%), with evidence including compromised the **CodeRED emergency notification system** in Harrisburg, SD, and hackers gained access to a server (no phishing/lateral movement mentioned) and Valid Accounts (T1078) with moderate confidence (50%), supported by evidence indicating contained within the CodeRED environment (possible abuse of existing system accounts). Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with moderate to high confidence (85%), with evidence including type such as **Ransomware Attempt**, primary motive appeared to be **ransom extraction**, and server was promptly isolated (implies disruptive action) and Data Destruction (T1485) with lower confidence (30%), supported by evidence indicating server was promptly closed (possible destructive action during containment). Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (90%), with evidence including potentially exposing **user data**—including **names, addresses, email addresses, and phone numbers**, and data accessed but no confirmation of exfiltration. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with moderate confidence (60%), with evidence including data accessed (implied but unconfirmed exfiltration for ransom leverage), and no confirmation of exfiltration (lower confidence). Under the Defense Evasion tactic, the analysis identified Indicator Removal: File Deletion (T1070.004) with lower confidence (40%), supported by evidence indicating server was promptly closed (possible attacker cleanup or admin action). These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.