{
	"id": "38f1d142-5a41-4b57-9787-a0bb5140b313",
	"created_at": "2026-04-06T00:11:59.43656Z",
	"updated_at": "2026-04-10T13:11:36.257893Z",
	"deleted_at": null,
	"sha1_hash": "61e1f42fcd75f3fd9725179b9dba8b8191cbb5a7",
	"title": "Here's how a hacker set off Dallas' emergency sirens last weekend",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 401267,
	"plain_text": "Here's how a hacker set off Dallas' emergency sirens last weekend\r\nBy Zack Whittaker, Contributor\r\nApril 12, 2017 at 2:05 p.m. PT\r\nArchived: 2026-04-05 20:04:01 UTC\r\nDuring the weekend, a hacker activated Dallas' emergency outdoor sirens, which are designed to warn local\r\nresidents in the event of a tornado or severe weather. Officials said at first it was a system malfunction, but then\r\nthey said it was a \"hack.\"\r\nNow, with more details coming to light, researchers think they know how the unknown hacker pulled it off.\r\nAt a press conference on Monday, Dallas city manager T. C. Broadnax confirmed that the\r\nintrusion that caused the sirens to go off around the city was a \"radio issue\" with the system that is used to centrally control the\r\nsirens, rather than an issue with the computer system -- effectively ruling out one of the various theories\r\nthat an attacker had remotely logged in with a stolen city staff password.\r\nhttps://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/\r\nPage 1 of 3\n\nBroadnax wouldn't go into detail in an effort to prevent a similar attack, but another report, citing a city\r\nspokesperson, said that the radio had not set the system to use an encrypted signal.\r\nIn other words, it's possible that the attacker may have picked up the siren-sounding signal and broadcast it\r\nthemselves.\r\nHere's how: The city's outdoor warning system, which is made up of 156 sirens placed around the city of Dallas,\r\nis manufactured and sold by Federal Signal. It's known as a hybrid system of both old and new technologies, say\r\nresearchers, but they're typically controlled by a number of means, such as Dual-Tone Multi-Frequency (DTMF),\r\nwhich can be broadcast from a central computer console over an emergency radio frequency. 
The\r\nFederal Communications Commission (FCC) currently has the 700 MHz range reserved for US public safety.\r\nIn Dallas' case, there are a number of ways that the attack could have been carried out, but the most likely is that\r\nsomeone carried out a \"radio replay\" attack, which involves recording the radio signal that was broadcast during\r\nthe latest monthly test of the emergency siren system and playing it back repeatedly on Friday, according to\r\nBastille, a security firm specializing in finding and remediating radio frequency vulnerabilities.\r\nThat would have triggered all of the sirens at once, making the replay attack more likely than other hypotheses.\r\n\"Such a replay attack could be accomplished with a software defined radio (SDR) or with other off-the-shelf radio\r\nfrequency (RF) test equipment,\" said Chris Risley, Bastille's chief executive.\r\nThe attack would have required someone with a deeper knowledge of radio frequencies and equipment, and they\r\nwould have needed to have done their homework.\r\n\"A system like the one in Dallas is typically complex, and would require someone with intimate knowledge of the\r\nfrequencies, codes, and layouts pertaining to the sirens,\" said Kyle Wilhoit, senior security researcher at\r\nDomainTools.\r\n\"Since not all sirens may communicate in a multicast fashion, the attackers had to orchestrate this attack with\r\nexcellent timing,\" he said.\r\nMark Loveless, a senior security researcher at Duo Labs, came to a similar conclusion. 
He said that most of the\r\ninformation needed to carry out this kind of attack can be easily found in online documentation.\r\n\"Most of this knowledge could be gleaned from Google searches, you can download manuals for a lot of different\r\nsirens and systems, and most of the software being sold to control these systems can be downloaded for free\r\n(demo versions only) allowing for a crash course in [outdoor warning system] management,\" said Loveless in a\r\nblog post.\r\nThrough our own searches, we found documentation of Federal Signal equipment, including in one case a device,\r\ndesigned to send the siren-starting signals to the radios, that is sold with default user credentials. Any of\r\nthose devices still running default credentials could be at risk, and many of these devices are connected to the\r\ninternet. It's not known, however, if Dallas' systems are internet-connected.\r\nFor now, things are over for Dallas, and lessons have been learned. Rocky Vaz, the city's director of the Office of\r\nEmergency Management, said Monday that the siren system had been restored.\r\nAs for Federal Signal, the company said in an emailed statement on Monday that while it was no longer\r\ncontracted to maintain Dallas' emergency outdoor sirens, the company is \"actively working\" with the city to find\r\nthe cause of the activation.\r\nThe results of that investigation could prove useful, given that other cities may be vulnerable to similar attacks,\r\nsaid Risley.\r\n\"Radio frequency attacks are getting much more common as attackers can buy commercial software defined\r\nradios,\" he said. 
\"Systems which use radio controls (not just Emergency Siren Systems) are often vulnerable to\r\ninvisible radio attacks.\"\r\nIn this case, the city still doesn't seem to know who is to blame, though experts say it's not impossible to\r\ntriangulate where the signal came from. The city has already called in experts at the Federal Communications\r\nCommission to help find the culprit. But, so far, the blame is on the city for not protecting the siren-activating\r\nsignal in the first place.\r\nThe reality is that infrastructure and emergency systems will always be a target for hackers, and the Dallas siren\r\nattack is further evidence that even the most unassuming systems can still be attacked.\r\nIt certainly got Dallas' attention. Which city will it be next?\r\nSource: https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/"
	],
	"report_names": [
		"experts-think-they-know-how-dallas-emergency-sirens-were-hacked"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434319,
	"ts_updated_at": 1775826696,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/61e1f42fcd75f3fd9725179b9dba8b8191cbb5a7.pdf",
		"text": "https://archive.orkl.eu/61e1f42fcd75f3fd9725179b9dba8b8191cbb5a7.txt",
		"img": "https://archive.orkl.eu/61e1f42fcd75f3fd9725179b9dba8b8191cbb5a7.jpg"
	}
}