Willis, Michael
Hyperlink Exit Door
Last Modified Date
Lesson Background HTML
Between February 21-23, 2018, a threat actor executed a ransomware attack on the Colorado Department of Transportation (CDOT) that ultimately affected roughly half of the Department’s computers. Despite immediate action by CDOT and Governor's Office of Internet Technology (OIT), CDOT suffered a second attack on March 1, 2018 that was discovered to pose risk to other state resources. On March 3, CDOT, OIT, and the Colorado Division of Homeland Security and Emergency Management (DHSEM) formed a Unified Command Group (UCG) to provide direction and control for incident responders. On March 8, the UCG completed Phase 1 (Containment) objectives and shifted to Phase 2 (Eradication) operations. On March 9, the UCG completed Phase 2 (Eradication) objectives and shifted to Phase 3 (Recovery) operations.

Root cause analysis revealed several vulnerabilities related to a newly created, Internet-accessible virtual server with direct connection directly into the CDOT network and administrative privileges that did not have OIT security controls in place. This server was compromised within two days of creation and was under SamSam ransomware attack within one additional day. Containment, eradication, and recovery of services required approximately four weeks.

Though CDOT operations were degraded, CDOT continued to execute its core mission to provide a multi modal transportation system for Colorado. This success may be attributed to a sound Continuity of Operations Plan that allowed CDOT to continue to operate and an OIT response that brought in the right people at the right time to contain and eradicate the threat. The creation of the UCG provided a clear direction and control structure that unified and focused the efforts of the numerous government agencies and private contractors involved. Though the State effectively responded to and recovered from this incident without paying the ransom, the threat to the State and its networks remains.
Priority Research Area
Publication Sort Date
Colorado DOT
Result Type
Source ID
CDOT Cyber Incident After-Action Report
Source Review
External URL Disclaimer

(Our website has many links to other organizations. While we offer these electronic linkages for your convenience in accessing transportation-related information, please be aware that when you exit our website, the privacy and accessibility policies stated on our website may not be the same as that on other websites.)