Full Report
Russell Kinsaul reports a serious situation in St. Louis, Missouri: A cyberattack has caused a nationwide outage of the Code Red emergency notification system, leaving cities and counties across the St. Louis region unable to use the popular system to send tornado warnings and other emergency alerts directly to residents’ phones. Code Red has been...
Analysis Summary
# Incident Report: Nationwide Outage of Code Red Emergency Alert System
## Executive Summary
A cyberattack targeting the Code Red emergency notification system, operated by OnSolve (now Code Red by Crisis24), resulted in a nationwide outage affecting the ability of local governments, including those in the St. Louis region, to issue critical emergency alerts such as tornado warnings. The incident was reported in early November 2025, leading to significant operational disruption for emergency management services relying on the platform. The threat actor INC Ransom claimed responsibility, posting proof of access but without explicit claims of encryption.
## Incident Details
- **Discovery Date:** Early November 2025, when local emergency management directors first noted the outage.
- **Incident Date:** Early November 2025 (outage onset).
- **Affected Organization:** OnSolve / Code Red by Crisis24 (Vendor).
- **Sector:** Emergency Management, Government Services (Subcontractor).
- **Geography:** Nationwide impact, with specific mention of St. Louis, Missouri region cities (e.g., Eureka, Warren County).
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to early November 2025.
- **Vector:** Undisclosed (Implied network intrusion).
- **Details:** The nature of the intrusion is not detailed, but the threat actor INC Ransom later claimed responsibility and shared images suggesting they had remote access to the system.
### Lateral Movement
- **Details:** Not specified in the source material. The outcome suggests the attackers successfully gained access sufficient to disable the core notification service nationwide, indicating potential access within the service delivery infrastructure.
### Data Exfiltration/Impact
- **Details:** The primary impact was the **operational shutdown** of the Code Red system, preventing emergency alerts (tornado warnings, etc.) from being sent to residents signed up for the service. INC Ransom claimed *access* but did not explicitly claim encryption or data exfiltration, though the presence of proof-of-access images suggests data was accessed or viewed.
### Detection & Response
- **Details:** The incident was detected operationally in early November, when local emergency management directors (e.g., Mike Thornton, Warren County) found the system non-functional. The source reports only the resulting service disruption; specific remediation steps by OnSolve/Crisis24 are not detailed beyond the ongoing outage.
## Attack Methodology
- **Initial Access:** Claimed by INC Ransom; specifics unknown, likely exploiting vulnerabilities or compromised credentials leading to internal network access.
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Unknown.
- **Credential Access:** Unknown.
- **Discovery:** Unknown.
- **Lateral Movement:** Unknown.
- **Collection:** INC Ransom provided images suggesting access to internal systems.
- **Exfiltration:** Unconfirmed, but intrusion suggested data access.
- **Impact:** Denial of Service (DoS) on the emergency notification platform, impacting official communication channels.
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Unconfirmed whether any citizen data was exfiltrated; access to the vendor's systems did occur.
- **Operational:** Severe disruption to local emergency management in affected regions (like St. Louis), forcing reliance on alternate, potentially slower, notification methods for critical events like severe weather.
- **Reputational:** Significant negative impact due to the inability to quickly warn the public about life-threatening emergencies.
## Indicators of Compromise
*Note: No specific indicators were provided in the source material.*
- **Network indicators:** None provided.
- **File indicators:** None provided.
- **Behavioral indicators:** System-wide failure of the Code Red alert delivery service starting early November.
## Response Actions
- **Containment measures:** Not explicitly detailed; any containment would imply either that the threat actor's activity ceased or that the system was taken offline to prevent further damage.
- **Eradication steps:** Not detailed.
- **Recovery actions:** Ongoing at the time of reporting, with no estimated time for full restoration.
## Lessons Learned
- **Key takeaways:** Reliance on a single, centralized emergency notification vendor creates significant systemic risk for many otherwise independent local jurisdictions. An attack on that single point of failure halted public-safety alerting nationwide.
- **What could have been done better:** Organizations relying on Code Red likely failed to maintain robust, tested, and redundant secondary alerting mechanisms capable of replacing the primary system instantly.
## Recommendations
- **Prevention measures for similar incidents:**
1. Emergency management agencies must implement and rigorously test fully independent, redundant community alert systems (e.g., Wireless Emergency Alerts (WEA), the Emergency Alert System (EAS), or independent local systems).
2. Vendor due diligence should include mandated transparency regarding service resilience and backup procedures following cyber incidents.
3. Local agencies should diversify communication channels for high-priority alerts (e.g., weather sirens, social media pushes, radio overrides) in case a digital mass notification platform fails.