7 things you can learn from the cyberattack on Antwerp

  • July 26, 2024

The fact that the city of Antwerp could face a devastating cyberattack at the end of 2022 was mainly due to a lack of security. What did the city do wrong and what can your organization learn from it?

In December 2022, the digital infrastructure of the city of Antwerp was paralyzed by a massive cyberattack. The ransomware attack affected numerous departments and caused services to go offline for weeks or even months.

The city and its mayor have been anything but transparent since then. Mayor Bart De Wever (NVA) promised immediately afterwards that neither Antwerp itself nor anyone else on behalf of the city had paid ransom to the hackers. However, several experts who have since spoken anonymously to ITdaily have stated that they have at least strong doubts about this statement.

The impact on citizens’ data was also minimized from the start. Since personal data was indeed stolen, the Flemish Supervisory Commission (VTC) launched an investigation. The VTC is responsible for monitoring the application of the GDPR by the Flemish administrative authorities.

Bad report

Although this investigation is largely confidential, ITdaily was able to see a letter with the results. In it, the VTC uncovers several major flaws in Antwerp’s digital strategy. The city lagged behind in most key areas of cybersecurity, which is an important lesson for companies today.

Specifically, Antwerp lagged behind in seven areas, according to VTC. All the mistakes the city made can also apply to organizations large and small. What did Antwerp do wrong? And how do you ensure that your organization is better prepared against attackers?

1. Patches and updates

Updates and patches are not always easy, but they are important. In Antwerp, critical patches for a known vulnerability in Exchange Online had not been applied, even though those vulnerabilities were being actively exploited by hackers.

Such a vulnerability is like an open window or door, allowing attackers to easily gain a foothold. Patches are always important, especially when they fix vulnerabilities in important software. As annoying as it is, an update for a critical bug should always be a top priority.

  • What went wrong: Antwerp left a known and actively exploited security vulnerability unpatched.
  • What you can learn: Updating quickly is very important and can have concrete consequences if you underestimate its importance. Don’t think of patches and updates as disruptions, but as a crucial and expected part of daily IT management.
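The prioritization the article argues for (known, actively exploited, critical first) can be made explicit in code. The script below is an added example, not code from ITdaily or the city of Antwerp; the product names, version numbers and advisory entries are constructed sample data, and the version format (dotted integers) is an assumption.

```python
"""Added example: rank missing patches so that known, actively exploited
vulnerabilities in critical software come first. All products, versions and
advisories here are constructed sample data, not real software."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: str      # first version that contains the fix
    severity: str      # "critical", "high", "medium" or "low"
    exploited: bool    # known to be exploited in the wild


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(text: str) -> tuple:
    """Turn '15.1.2300' into (15, 1, 2300) so versions compare numerically (assumed format)."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(installed: str, advisory: Advisory) -> bool:
    """A system is affected when its version is older than the first fixed version."""
    return parse_version(installed) < parse_version(advisory.fixed_in)


def prioritize(inventory: dict, advisories: list) -> list:
    """Return (product, installed_version, advisory) for every unpatched system,
    ordered so that actively exploited issues come first, then by severity."""
    missing = [
        (product, installed, adv)
        for product, installed in inventory.items()
        for adv in advisories
        if adv.product == product and is_vulnerable(installed, adv)
    ]
    # False sorts before True, so negate `exploited` to put exploited issues first.
    missing.sort(key=lambda item: (not item[2].exploited, SEVERITY_RANK[item[2].severity]))
    return missing


# Constructed inventory: installed version per system.
SAMPLE_INVENTORY = {
    "mail-server": "15.1.2300",
    "wiki": "7.4.0",
    "hr-portal": "3.9.2",
    "file-share": "2.0.5",
}

# Constructed advisories. hr-portal is already patched (3.9.2 >= 3.8.0).
SAMPLE_ADVISORIES = [
    Advisory("mail-server", "15.1.2375", "critical", exploited=True),
    Advisory("wiki", "7.4.1", "high", exploited=False),
    Advisory("hr-portal", "3.8.0", "critical", exploited=True),
    Advisory("file-share", "2.1.0", "medium", exploited=True),
]


def priority_order() -> list:
    """Patch order for the sample data as (product, version to upgrade to)."""
    return [(product, adv.fixed_in) for product, _, adv in prioritize(SAMPLE_INVENTORY, SAMPLE_ADVISORIES)]


if __name__ == "__main__":
    for product, target in priority_order():
        print(f"{product}: upgrade to {target}")
```

The sort key is the point: an exploited medium-severity bug outranks an unexploited high-severity one, because "actively exploited" is the property that turned Antwerp's missing patch into an entry point.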

2. The role of MFA

Multifactor authentication (MFA) is an essential part of account security, but Antwerp lacked MFA. Without MFA, a hacker armed with a stolen account name and password can log into the corporate environment unhindered. MFA prevents this by requiring additional identity confirmation when attempting to log in, for example via smartphone. After all, the chances are slim that an attacker has stolen your physical mobile phone in addition to your password.

MFA does, however, have a (wrongful) reputation for being annoying for users. At a press conference after the hack, De Wever himself referred to its reduced user-friendliness. That assumption is based on prejudice.

A good MFA implementation asks a user to confirm their identity only occasionally (e.g. after a few weeks, or when logging in from a new location or an unfamiliar device). An employee may occasionally have to pull out their smartphone, but the impact is no greater than that. In return, MFA protects against more than 99 percent of attacks using stolen account credentials.

  • What went wrong: The city relied on an outdated account security strategy that focused on passwords without adequately implementing MFA.
  • What you can learn: There is no measure that will immediately increase your protection more than introducing MFA. The disadvantages are limited (employees occasionally pull out their smartphones during work hours), but the advantages are immense. You don’t have MFA? Plan the rollout now at least for your administrator accounts and later for all your employees.

3. Not all backups are the same

A good backup is more than just a check mark on your to-do list. Antwerp had backups, but they proved inadequate. To provide real protection, a backup must meet many conditions.

For example, the backup must be inaccessible to hackers so that it cannot be destroyed in an attack. Moreover, having a backup is not enough: you need to practice recovery at regular intervals and know how to restore an environment from the backup. You also need to know exactly how long it will take. The VTC described Antwerp’s backups as unreliable, which meant that the protection was inadequate.

  • What went wrong: Antwerp had set up backups, but they were not reliable enough.
  • What you can learn: A backup strategy is an ongoing process. Evaluate where your backups are located, make sure a hacker with access to the original data cannot easily access the backup, and regularly check that you know how to restore your backup.
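The three checks in the paragraph above (can the backup be restored, is every file intact, and how long does it take) can be scripted as a recurring restore drill. The following is an added example, not code from the article or from the city; it works on a constructed set of files in a temporary directory, and the `corrupt_backup` switch is an assumption used to show what a damaged backup copy looks like to the drill.

```python
"""Added example: a scripted restore drill. It backs up constructed sample files
with a SHA-256 manifest, restores them into a fresh directory, verifies every
restored file against the manifest and measures the restore time."""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source: Path, backup: Path) -> dict:
    """Copy every file under `source` into `backup`; return a manifest {relative path: sha256}.
    The manifest should be stored separately from the backup copy itself."""
    manifest = {}
    for file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = file.relative_to(source)
        dest = backup / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(file, dest)
        manifest[str(rel)] = sha256_of(dest)
    return manifest


def restore_and_verify(backup: Path, manifest: dict, target: Path) -> dict:
    """Restore `backup` into `target`, then check each restored file against the manifest."""
    started = time.perf_counter()
    shutil.copytree(backup, target, dirs_exist_ok=True)
    mismatched = [
        rel for rel, expected in manifest.items()
        if not (target / rel).is_file() or sha256_of(target / rel) != expected
    ]
    return {
        "files": len(manifest),
        "mismatched": mismatched,
        "ok": not mismatched,
        "seconds": time.perf_counter() - started,   # measured restore time for this drill
    }


def run_drill(corrupt_backup: bool = False) -> dict:
    """Run a full drill on constructed data. corrupt_backup=True simulates a backup copy
    that was altered after it was taken, which the manifest check must catch."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, backup, target = root / "live", root / "backup", root / "restored"
        (source / "hr").mkdir(parents=True)
        (source / "hr" / "staff.csv").write_text("id,name\n1,A. Example\n")   # constructed
        (source / "notes.txt").write_text("constructed sample data\n")         # constructed
        manifest = make_backup(source, backup)
        if corrupt_backup:
            (backup / "notes.txt").write_text("damaged\n")
        return restore_and_verify(backup, manifest, target)


if __name__ == "__main__":
    report = run_drill()
    print(f"restored {report['files']} files in {report['seconds']:.3f}s, ok={report['ok']}")
```

In a real environment the drill would restore from the protected, offline copy into an isolated recovery host, and the measured time becomes the evidence for whether your recovery objectives are achievable.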

4. Logging is knowledge

Your log files track everything that happens in your IT environment. Without adequate logs, you cannot accurately estimate the damage an attacker has caused during an incident. In Antwerp, some of the log files had disappeared.

The VTC therefore points out that the city cannot in good conscience claim that only a small amount of personal data was stolen, as it no longer has access to data to support that claim. With log files protected in a good backup, you can better reconstruct what exactly happened.

If personal data is stolen, Antwerp, like other organizations, must report it under the GDPR. Without logs, you cannot prove that personal data is safe. The VTC points out that in such a case, one should assume the worst possible scenario.

  • What went wrong: Important log files disappeared after the attack. This meant that the city could not prove exactly which data was leaked, which is important both in terms of transparency towards citizens and for damage assessment under GDPR legislation.
  • What you can learn: No security strategy is foolproof. If an incident does occur, logs are essential for damage assessment. Make sure you can reconstruct network activity from log files and protect those logs with backups.
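The point that logs must survive an incident intact can be supported with a simple integrity structure: each stored record carries the hash of the previous one, so a later reconstruction can tell whether records were deleted or altered. This is an added example, not code from ITdaily or the city; the log lines are constructed samples and the record layout is an assumption.

```python
"""Added example: store log records as a SHA-256 hash chain so that a later
reconstruction can detect deleted, altered or truncated records. Log lines
below are constructed samples, not real telemetry."""
import hashlib
import json

GENESIS = "0" * 64   # previous-hash value of the very first record


def _digest(body: dict) -> str:
    """Canonical JSON of the record body, hashed; sort_keys keeps the encoding stable."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def chain_records(lines: list) -> list:
    """Wrap each raw log line with a sequence number and the previous record's hash."""
    prev = GENESIS
    records = []
    for seq, line in enumerate(lines):
        body = {"seq": seq, "line": line, "prev": prev}
        record = {**body, "hash": _digest(body)}
        records.append(record)
        prev = record["hash"]
    return records


def verify_chain(records: list, expected_tail: str = None) -> tuple:
    """Return (True, None) if the chain is intact, otherwise (False, index of the first
    broken record). If the last known hash was anchored elsewhere (expected_tail),
    truncation of the end of the log is also detected."""
    prev = GENESIS
    for index, rec in enumerate(records):
        body = {"seq": rec["seq"], "line": rec["line"], "prev": rec["prev"]}
        if rec["seq"] != index or rec["prev"] != prev or rec["hash"] != _digest(body):
            return False, index
        prev = rec["hash"]
    if expected_tail is not None and prev != expected_tail:
        return False, len(records)
    return True, None


# Constructed sample log lines.
SAMPLE_LINES = [
    "2024-01-01T03:12:41Z auth login ok user=jdoe src=10.20.1.15",
    "2024-01-01T03:13:02Z file read path=/shares/hr/staff.csv user=jdoe",
    "2024-01-01T03:13:40Z file copy path=/shares/hr/staff.csv dst=10.20.1.15 user=jdoe",
    "2024-01-01T03:15:09Z auth logout user=jdoe",
]


def demo() -> dict:
    """Build the chain, then show that removing the middle record and cutting the tail are caught."""
    records = chain_records(SAMPLE_LINES)
    tail = records[-1]["hash"]                      # anchor to be stored off-host
    deleted_middle = records[:2] + records[3:]      # record 2 removed
    cut_tail = records[:-1]                         # last record removed
    return {
        "intact": verify_chain(records, tail),
        "deleted_middle": verify_chain(deleted_middle, tail),
        "cut_tail": verify_chain(cut_tail, tail),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The chain alone catches gaps and edits in the middle; only the separately stored tail hash (the equivalent of shipping logs to a write-once collector or backup) catches a log that was simply cut short, which is exactly the situation that left Antwerp unable to say what was taken.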

5. Network segmentation

If an attacker does manage to gain access despite everything, it doesn’t necessarily have to be a complete disaster. In Antwerp, however, it was. The city had no network segmentation, which meant that a hacker with access to one system in one department could navigate to virtually all services, with few exceptions.

Network segmentation is an important part of a good network infrastructure, especially in a large company. Anyone who gains access to your accounting systems should not be able to easily navigate from there to production. The larger the organization, the more important and relevant this separation is.

  • What went wrong: The IT environment of the city of Antwerp was hardly segmented. After an initial successful hack, the attackers easily managed to reach almost all city services, which were thus all affected at the same time.
  • What you can learn: Segment your network. Separate departments that have little to do with each other, as well as public and corporate networks. For example, in the context of a smaller company, you can ensure that IoT devices are not on the same network as your employees and the servers that contain critical information.
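A segmentation policy is only useful if you can check traffic against it, so the following added example (not code from the article or the city) expresses the IoT/employee/server separation from the paragraph above as zones plus an allowlist of cross-zone flows, and flags every observed flow that crosses segments without a rule. The address ranges, ports and sample flows are constructed.

```python
"""Added example: check observed network flows against a segmentation policy.
Zones, address ranges, allowed flows and the sample flows are all constructed."""
import ipaddress

# Constructed zones: each segment is one address range.
ZONES = {
    "employees": ipaddress.ip_network("10.10.0.0/16"),
    "iot": ipaddress.ip_network("10.50.0.0/16"),
    "servers": ipaddress.ip_network("10.100.0.0/16"),
    "guest": ipaddress.ip_network("192.168.200.0/24"),
}

# Allowed cross-zone flows as (source zone, destination zone, destination port).
# Everything crossing a zone boundary that is not listed here is a violation.
ALLOWED = {
    ("employees", "servers", 443),   # intranet web applications
    ("employees", "servers", 445),   # file shares
    ("iot", "servers", 8883),        # sensors talk to an MQTT broker over TLS only
}


def zone_of(address: str) -> str:
    """Map an IP address to its zone name, or 'unknown' if it is in no defined segment."""
    ip = ipaddress.ip_address(address)
    for name, network in ZONES.items():
        if ip in network:
            return name
    return "unknown"


def evaluate(flows: list) -> list:
    """flows: list of (src_ip, dst_ip, dst_port). Returns the flows that cross a segment
    boundary without a matching allow rule, annotated with the zones involved."""
    violations = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone and src_zone != "unknown":
            continue   # traffic inside one segment is not governed by this policy
        if (src_zone, dst_zone, port) not in ALLOWED:
            violations.append({"src": src, "dst": dst, "port": port,
                               "from": src_zone, "to": dst_zone})
    return violations


# Constructed sample of observed flows.
SAMPLE_FLOWS = [
    ("10.10.4.21", "10.100.0.10", 443),     # employee to web app: allowed
    ("10.10.4.21", "10.100.0.10", 3389),    # employee RDP to server: no rule
    ("10.50.7.3", "10.100.0.30", 8883),     # sensor to broker: allowed
    ("10.50.7.3", "10.100.0.20", 445),      # sensor reaching a file server: no rule
    ("192.168.200.14", "10.10.4.21", 22),   # guest network to a workstation: no rule
    ("10.50.7.3", "10.50.7.9", 80),         # sensor to sensor: same segment, skipped
]


if __name__ == "__main__":
    for v in evaluate(SAMPLE_FLOWS):
        print(f"{v['from']} -> {v['to']} port {v['port']} ({v['src']} -> {v['dst']}) not allowed")
```

Run over flow logs or a proposed firewall change, the same function doubles as a regression test for the policy: any new cross-zone path must first be added to `ALLOWED`, which forces the discussion the article says Antwerp never had.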

6. Preparation is half the battle

The VTC notes that the services of the City of Antwerp were not sufficiently prepared for a cyberattack. There was a crisis mechanism, but not specifically for the digital area. In fact, Antwerp had no plans in the event of a massive cyberattack.

For some services, this was different. The healthcare company, for example, was in better shape and had already conducted recovery tests before the attack. On the day of the attack, it took only a few hours to switch to an alternative way of working. This shows how important a detailed plan is.

  • What went wrong: Before the attack, the city did not have a detailed crisis plan for a large-scale attack.
  • What you can learn: Make a plan now that will cover a serious scenario. This is the only way you will know what to do if your cyber infrastructure collapses.

7. Recovery plan vs. reality

Not all plans are good plans. The VTC found that Antwerp did not have a recovery strategy that could withstand confrontation with reality (except for the health company). The existence of a folder labelled “recovery plan” is not synonymous with a real recovery plan.

A good plan is realistic and based on concrete and achievable goals. There is only one way to find out if your plan is appropriate: test it. Only by occasionally putting the recovery strategy into practice in a preventative manner will you be able to recover when needed.

  • What went wrong: To the extent that Antwerp had a recovery plan, it was unrealistic and therefore useless.
  • What you can learn: Make a plan and test it. A self-written recovery story won’t help you when you need it, but a tested and up-to-date step-by-step plan will.

Into the future

Since the attack, Antwerp has been working on a new and modern strategy. The city improved its security strategy before the end of 2022, but the efforts came too late. Antwerp is currently building a completely new environment based on a sound strategy, although the VTC notes that a first version of this is not yet very concrete. In the meantime, the city has produced a more concrete report, which we unfortunately were not able to see.

Organizations large and small can learn from the Antwerp failure. The impact of the cyberattack in late 2022 was due to a combination of several factors. Poor update policies, no MFA, inadequate backups, limited network segmentation, and an inadequate and unrealistic recovery plan made the impact so large and long-lasting.

All of the above pillars contributed to the damage. Look at your own organization through the eyes of an attacker and evaluate: How realistic is your plan? Do you already have MFA, or is implementing it somewhere at the bottom of your to-do list along with patching? Every improvement you make can reduce the impact of a hack.

Source: IT Daily
