S2 Intelligence Report
Emergency Communications Cyber Threat Overview Report
Date/Time: 251123-2350z
MagCon: BLUE-4 (Heightened Vigilance)
Summary
Emergency-communication systems—including mass-notification platforms, 911 dispatch infrastructure, and municipal warning systems—have increasingly been targeted by cybercriminals and unknown actors. Incidents since 2017 show a pattern of ransomware operations, system misuse, service disruption, and data exposure affecting both commercial vendors and public agencies. The attacks demonstrate growing interest in emergency alerting systems as high-impact leverage points.
Details (Brief History and Description of the Problem)
Over the past decade, threat actors have repeatedly targeted systems that support public alerts and emergency response:
- In 2017, attackers triggered all 156 outdoor tornado sirens in Dallas, Texas, using spoofed RF commands.
- In 2018, the SamSam ransomware campaign disrupted city services in Atlanta and the Colorado Department of Transportation.
- From 2019–2021, ransomware groups such as Ryuk and Conti hit multiple U.S. municipalities, degrading 911-adjacent systems.
- In January 2024, Akira ransomware disrupted 911 computer-aided dispatch (CAD) in Bucks County, Pennsylvania.
- In May 2024, Everbridge reported a corporate-system breach following a phishing compromise of internal credentials.
- In November 2025, INC Ransom claimed responsibility for a major attack against OnSolve’s CodeRED system, producing widespread outages and possible resident-contact data exposure.
These incidents collectively indicate that emergency communication infrastructure is now an attractive target for financially motivated attackers seeking leverage, theft, or extortion—and in some cases, for opportunistic actors exploiting control weaknesses.
Location
The highest-profile incidents have occurred in the United States, affecting municipalities, state agencies, and nationwide SaaS vendors.
Notable incident locations include Dallas (TX), Atlanta (GA), Bucks County (PA), Lake City (FL), the Colorado Department of Transportation, and multiple CodeRED-using jurisdictions in the St. Louis region.
Victim Companies
Everbridge, Inc.
Corporate systems breached in May 2024 through phishing-based credential compromise. Business-related files with customer and admin information were accessed.
OnSolve / CodeRED
Targeted in November 2025 by INC Ransom. Widespread outages affected tornado warnings, evacuation alerts, AMBER alerts, and resident notification lists. Some jurisdictions reported password and contact data exposure.
Municipal / Public Agencies
- Atlanta (GA) and Colorado DOT hit by SamSam (2018).
- Lake City (FL) and multiple local governments affected by Ryuk/Conti ransomware.
- Bucks County (PA) CAD/911 operations compromised by Akira.
- Dallas (TX) outdoor warning sirens manipulated via RF signaling.
Other mass-notification vendors (Rave, CivicPlus/Regroup, Singlewire) appear in industry reporting but have no comparable publicly reported system-wide breaches in the timeframe of these sources.
Impacts
- Operational outages: Loss of mass-notification functions, including tornado warnings, evacuation notices, and 911 CAD automation.
- Service degradation: Reversion to manual dispatch, delayed response, and internal communication breakdowns.
- Data exposure: Contact lists, administrator details, and login credentials accessed in several incidents.
- False alerts or unauthorized activation: Notably, Dallas sirens were activated without a real emergency.
- Public trust erosion: Repeated outages reduce confidence in official emergency alerts—potentially decreasing compliance during real events.
- Financial costs: Municipalities report high recovery expenses following ransomware incidents.
Sponsors or Supporters (Threat Actors)
INC Ransom
Cybercriminal ransomware group claiming responsibility for the CodeRED attack.
Akira
Linked to Bucks County 911/CAD disruption.
Ryuk & Conti
Russian-language ransomware ecosystems targeting municipalities and first-responder systems.
SamSam
Associated with operators indicted in the U.S. as Iranian nationals; responsible for major city-level disruptions.
Unknown Actors
- Everbridge corporate breach: attributed to unknown attackers using data from a previous phishing campaign.
- Dallas siren attack: method identified (RF spoofing) but no perpetrator identified.
Short Description of Tactics Used
- Phishing and credential harvesting targeting vendor employees (Everbridge).
- Ransomware intrusion chains including lateral movement, server encryption, and data exfiltration (Ryuk, Conti, Akira, INC Ransom, SamSam).
- RF command spoofing of outdoor siren networks (Dallas).
- Exploitation of centralized SaaS architecture to cause multi-jurisdictional outages (CodeRED).
- Targeting of 911/CAD systems to disrupt emergency-response workflows.
Threat and Risk Assessment
Threat Level: High and persistent. Emergency-notification systems provide “high leverage” for cybercriminal groups because outages directly impact public safety and can increase pressure to pay ransom.
Key Risks:
- Centralization means one vendor breach affects thousands of jurisdictions.
- Emergency systems store valuable contact data and operational information.
- Many local agencies have inconsistent access control, shared passwords, or limited monitoring.
- Disruption of alerting capabilities during severe weather, active threats, or disasters can magnify harm.
Overall Risk Posture:
High likelihood of attempted compromise; impacts range from moderate to severe depending on outage duration, incident type, and system redundancy.
Indicators to Watch For
Technical Indicators
- Unexpected login attempts from foreign or anomalous IP ranges.
- MFA prompts triggered outside normal business hours.
- Credential-stuffing bursts against administrative portals.
- Sudden “template changes” or unauthorized edits in alert content.
- Irregular API activity between CAD/GIS and notification systems.
- SMS/voice alert failures occurring in clusters without a corresponding carrier outage.
Operational Indicators
- Delays or errors when dispatchers attempt to send alerts.
- Missing or corrupted GIS boundary files.
- Support tickets from vendors referencing “service degradation” without clear explanation.
- Residents reporting alerts that were never issued (or failed alerts that should have been received).
Recommendations
Protective Actions
- Enforce MFA for all administrative and operational users.
- Restrict administrative login to approved IP ranges or geofenced regions.
- Require two-person verification for high-severity public alerts.
- Disable mobile-app alerting capabilities unless operationally necessary.
- Rotate credentials quarterly and eliminate shared admin accounts.
Avoidance Zones / Times
- Avoid running live-alert tests during periods of known system instability (e.g., known vendor maintenance windows, local carrier outages, severe weather peaks).
- Avoid uploading or modifying GIS boundaries without verification during active incidents.
- Avoid using unsecured networks or personal devices to access alerting systems.
Monitoring Guidance
- Export system logs to a SIEM instead of relying on vendor dashboards.
- Monitor authentication logs for spikes in failed MFA attempts.
- Track vendor-service health bulletins and compare with local anomaly reports.
- Monitor SMS/voice delivery metrics for sudden or unexplained degradation.
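As an added example (not part of the original report), the following Python script applies two of the technical indicators listed above, together with the monitoring guidance in this section, to constructed authentication-log lines from a notional alerting-platform admin portal: it flags a burst of failed MFA prompts for one account inside a short window, and MFA prompts or alert-template edits outside business hours. The log format, the business-hours window (13:00-21:59 UTC), and every user name and IP address are assumptions.

```python
"""Constructed example for this report: indicator checks over admin-portal
authentication logs of a mass-notification system (the format is invented)."""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample lines: "<UTC timestamp> <event> user=<u> ip=<a> result=<r>"
SAMPLE_LOG = """\
2025-11-23T03:12:04Z mfa_prompt user=dispatch1 ip=203.0.113.7 result=fail
2025-11-23T03:12:09Z mfa_prompt user=dispatch1 ip=203.0.113.7 result=fail
2025-11-23T03:12:15Z mfa_prompt user=dispatch1 ip=203.0.113.7 result=fail
2025-11-23T03:12:20Z mfa_prompt user=dispatch1 ip=203.0.113.7 result=fail
2025-11-23T03:12:26Z mfa_prompt user=dispatch1 ip=203.0.113.7 result=fail
2025-11-23T03:12:31Z mfa_prompt user=dispatch1 ip=203.0.113.7 result=success
2025-11-23T14:07:41Z template_edit user=admin2 ip=198.51.100.4 result=success
2025-11-23T22:40:00Z template_edit user=admin3 ip=198.51.100.9 result=success
"""
BUSINESS_HOURS = range(13, 22)  # assumed: 13:00-21:59 UTC (08:00-16:59 US Central)

def parse(line):
    """One constructed log line -> dict with a timezone-aware 'ts'."""
    ts, event, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["event"] = event
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec

def detect(log_text, mfa_fail_threshold=5, window_sec=60):
    """Return deduplicated (kind, user, ip) findings for two indicators:
    mfa_fail_spike: >= threshold failed MFA prompts for one user within window_sec
    (a stolen password being retried, or MFA push fatigue against a dispatcher);
    off_hours_<event>: MFA prompts or alert-template edits outside business hours."""
    findings = []
    recent_fails = defaultdict(deque)  # user -> timestamps of recent MFA failures
    def add(kind, rec):
        key = (kind, rec["user"], rec["ip"])
        if key not in findings:
            findings.append(key)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec["event"] == "mfa_prompt" and rec["result"] == "fail":
            q = recent_fails[rec["user"]]
            q.append(rec["ts"])
            while (rec["ts"] - q[0]).total_seconds() > window_sec:  # slide the window
                q.popleft()
            if len(q) >= mfa_fail_threshold:
                add("mfa_fail_spike", rec)
        if rec["event"] in ("mfa_prompt", "template_edit") and rec["ts"].hour not in BUSINESS_HOURS:
            add("off_hours_" + rec["event"], rec)
    return findings
```

On the sample, `detect(SAMPLE_LOG)` returns three findings: an off-hours MFA prompt and an MFA failure spike for dispatch1, and an off-hours template edit by admin3; the same logic runs unchanged over a SIEM export once `parse` is adapted to the vendor's real field names.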
Documentation Steps
- Maintain a log of all administrative changes in the system (roles, templates, credentials).
- Document any anomalies in alert delivery or system performance.
- Keep up-to-date vendor security documentation, audit reports, and incident notifications.
- Establish an after-action review template for alert failures or disruptions.
Analyst Commentary
Emergency-notification systems have become high-value targets because they provide both operational leverage and psychological impact. While most attacks are financially motivated, the effects extend far beyond monetary loss: they disrupt critical services, create confusion, and can undermine public trust. The incidents reviewed here fit a broader pattern affecting U.S. municipalities and cloud vendors—ransomware groups and opportunistic actors exploiting weak identity controls, over-centralized architectures, and legacy system interfaces such as RF-based sirens.
The risk is not that emergency systems are uniquely vulnerable, but that they are uniquely consequential. As more jurisdictions adopt centralized SaaS platforms and integrate dispatch, GIS, and notification workflows, the potential for cascading failures increases. Strengthening identity security, enforcing administrative controls, enhancing monitoring, and maintaining resilience through redundancy are key to reducing the likelihood and impact of future events. This problem is manageable, but only with sustained attention to vendor security, local governance, and operational discipline.
References (with URL links)
Everbridge Inc. Breach
1. https://straussborrelli.com/2024/05/31/everbridge-data-breach-investigation/
2. https://www.bleepingcomputer.com/news/security/everbridge-warns-of-corporate-systems-breach-exposing-business-data/
3. https://www.scworld.com/brief/data-breach-impacts-everbridge-corporate-systems
4. https://cybercc.org/everbridge-breach-notification/
OnSolve / CodeRED Attack (INC Ransom)
5. https://databreaches.net/2025/11/22/cyberattack-disables-onsolve-code-red-emergency-alert-system-across-st-louis-region/
6. https://breached.company/nationwide-codered-emergency-alert-system-compromised-inc-ransom-attack-leaves-thousands-without-critical-communication/
7. https://www.fortra.com/blog/inc-ransomware-what-need-know
CAD / 911 Attacks (Akira, Ryuk, Conti, Others)
8. https://www.buckscounty.gov/CivicAlerts.aspx?AID=572 (Akira impact reference)
9. https://www.securityweek.com/ransomware-attacks-hit-us-cities-public-safety/
10. https://www.govtech.com/security/akira-ransomware-impacting-911-services
SamSam (Atlanta / CDOT)
11. https://www.justice.gov/opa/pr/two-iranian-men-charged-deploying-ransomware-against-computer-networks
12. https://www.nytimes.com/2018/03/22/us/atlanta-computer-ransomware.html
Dallas Siren Attack (2017)
13. https://www.dallasnews.com/news/2017/04/08/hackers-set-off-all-dallas-sirens-in-the-middle-of-the-night/
14. https://www.wired.com/2017/04/hackers-set-off-emergency-sirens-dallas/