How Hackers Used One Software Flaw to Take Down a County Computer System
The malicious cyberattack that forced Suffolk County government offline for weeks this fall, plunging it back to the pen and paper and fax machines of the 1990s as it fought to stem the threat, began more than a year ago, county officials revealed on Wednesday.
A forensic digital investigation into the cause of the attack, in which hackers stole sensitive data and forced officials on Long Island to disable email for all 10,000 civil service workers while the New York county scrubbed software to stave off the intrusion, revealed that hackers first penetrated Suffolk’s computer system on Dec. 19, 2021. They entered via the county clerk’s office, exploiting a flaw in an obscure but commonplace piece of software.
Hackers spent much of the next year at large in the clerk’s system, the investigation found, ultimately managing to breach the wider county network in late summer, before they revealed themselves in September, posting ransom notes on the dark web. In response, the county took itself offline. Officials have declined to say how much money the hackers demanded.
The investigation, which began immediately following the discovery of the attack and is still incomplete, examines the how and when of the hacking, which county officials have said was carried out by BlackCat, a professional hacking outfit also known as ALPHV. Today the county’s system is largely back online, but several workarounds remain in place.
Questions remain, including, most pressingly, how much sensitive data was stolen. A separate criminal investigation by the F.B.I. is ongoing.
In late 2021, the United States Cybersecurity & Infrastructure Security Agency issued an urgent advisory that organizations were vulnerable to the flaw that allowed Suffolk’s hackers in, warning that “sophisticated cyber threat actors are actively scanning networks” to exploit the weakness, and urging them to update their systems.
In Suffolk County, several departments created a cyber patch in response to the warning, essentially blocking hackers from entering their systems. But the county has no centralized cybersecurity protocol across departments, and information technology teams operate in separate fiefs, a vulnerability the hack has since exposed: The office of the county clerk, Judith A. Pascale, did not make the fix, said Lisa Black, the chief deputy county executive.
Since 2017, more than 3,600 local, state and tribal governments across the country have been targeted by ransomware hackers, according to the Multi-State Information Sharing and Analysis Center, an organization that seeks to improve the United States’ cybersecurity position. A November report from Tenable, a company that seeks to mitigate organizations’ exposure to hackings, found that in the months since the government warning, nearly three-quarters of organizations still remained vulnerable.
After penetrating the Suffolk County clerk’s system in December, the hackers appeared to spend months nosing through its nooks and crannies, according to investigators, who followed the “digital bread crumbs” the hackers left behind. The next month, several Bitcoin mining programs were installed in the clerk’s system, the investigators found, establishing what is known in cybercrime as “persistence” in the clerk’s network; the hackers, in other words, were testing the limits of the system’s penetrability.
In Suffolk, the hackers found a porous system, which they breached and explored for months undetected. According to the investigation:
By March 2022, the hackers had installed remote-management tools that enabled them to run county clerk’s office computers from afar.
By April, they had created their own account in the clerk’s system, “John,” the first of several fictional rogue users empowered with administrative permissions.
By July they were lifting whole files from computers, including on July 13, when they found and made off with one bearing the label “Passwords.”
By August they had installed scripts that collected login credentials, allowing them to capture every clerk employee’s password.
By the end of the month, they had begun to jump from the clerk’s computer network to other, separate systems in the county, including the traffic and parking agency and the health department. There, the hackers encrypted files to make them inaccessible and hold them hostage.
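The sequence above (a remote-management tool installed, a rogue account created and promptly given administrative rights, scripts scheduled to collect credentials) is exactly what a routine review of system and security audit logs is meant to surface months before a ransom note appears. The following Python script is an added example, not part of this article or of the county’s investigation: it runs a few such checks over constructed log lines. The line format and all host, account and path values are assumed; the event IDs follow Windows Security and System log conventions (4720 account created, 4732 member added to a local group, 7045 service installed, 4698 scheduled task created).

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit events in a simple key=value format (hypothetical;
# the real log format and values are not on the page).
SAMPLE_LOG = r"""
2022-03-14T02:11:09 id=7045 host=clerk-ws07 actor=svc_backup service="Remote Support Agent" image="C:\Users\Public\ra.exe"
2022-04-05T23:40:12 id=4720 host=clerk-dc01 actor=svc_backup target=john
2022-04-05T23:41:02 id=4732 host=clerk-dc01 actor=svc_backup target=john group=Administrators
2022-04-06T08:00:00 id=4720 host=clerk-dc01 actor=helpdesk01 target=mrivera
2022-04-20T10:15:00 id=4732 host=clerk-dc01 actor=helpdesk01 target=mrivera group=Administrators
2022-08-02T01:05:44 id=4698 host=clerk-ws07 actor=john task="Updater" command="powershell -w hidden -File C:\Windows\Temp\collect.ps1"
2022-08-02T01:06:10 id=4698 host=clerk-ws07 actor=helpdesk01 task="Inventory" command="C:\Program Files\Inventory\agent.exe --scan"
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Where legitimately installed services normally live (assumed policy).
APPROVED_ROOTS = ("C:\\Windows\\", "C:\\Program Files")
# User-writable locations where dropped tools and scripts tend to appear.
WRITABLE_ROOTS = ("C:\\Users\\", "C:\\Windows\\Temp\\", "C:\\ProgramData\\")


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict; 'ts' is a datetime."""
    stamp, rest = line.split(" ", 1)
    fields = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(rest)}
    fields["ts"] = datetime.fromisoformat(stamp)
    return fields


def analyze(log_text, grant_window=timedelta(hours=1)):
    """Return (timestamp, rule, detail) findings for the behaviours in the timeline."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    created = {}   # account name -> its 4720 creation event
    rogue = set()  # accounts flagged as suspicious; later activity by them is escalated
    for ev in events:
        eid = ev["id"]
        if eid == "7045" and not ev.get("image", "").startswith(APPROVED_ROOTS):
            # Remote-management tool registered as a service from a user-writable path.
            findings.append((ev["ts"], "service-from-writable-path", ev.get("service", "")))
        elif eid == "4720":
            created[ev["target"]] = ev
            if not 7 <= ev["ts"].hour < 19:
                findings.append((ev["ts"], "account-created-off-hours", ev["target"]))
        elif eid == "4732" and ev.get("group") == "Administrators":
            origin = created.get(ev["target"])
            # A brand-new account made an administrator within the window is the
            # "John"-style rogue-admin pattern; a routine grant weeks later is not.
            if origin and ev["ts"] - origin["ts"] <= grant_window:
                rogue.add(ev["target"])
                findings.append((ev["ts"], "new-account-rapid-admin", ev["target"]))
        elif eid == "4698":
            command = ev.get("command", "")
            if any(root.lower() in command.lower() for root in WRITABLE_ROOTS):
                # Scheduled task running a script out of a temp or user directory:
                # the shape a credential-collection script typically takes.
                findings.append((ev["ts"], "task-runs-script-from-writable-path", command))
        if ev.get("actor") in rogue:
            findings.append((ev["ts"], "action-by-flagged-account", ev["actor"]))
    return findings


if __name__ == "__main__":
    for ts, rule, detail in analyze(SAMPLE_LOG):
        print(ts.isoformat(), rule, detail)
```

Each rule is deliberately narrow and cheap; the point is that every stage in the timeline leaves a record in logs the county already had, and that a new account receiving administrative rights within an hour of creation, off hours, is a signal worth an alert on its own, regardless of what the account is named.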
Ms. Pascale’s office is no stranger to unlawful use of its computer systems. In September 2021, a few months before the cyberattacks, the police arrested one of her I.T. supervisors, Christopher Naples, who prosecutors say had hidden 46 specialized cryptocurrency mining devices in the Riverhead building where his office was located. He was charged with public corruption and grand larceny among other charges. If convicted of the top charge against him, Mr. Naples faces up to 15 years in prison.
Indeed, one of the rogue accounts that hackers created over the summer seemed to hint at knowledge of this incident; it is a play on Mr. Naples’s name.
Mr. Naples is on administrative leave, awaiting trial. He still draws a salary, according to the county spokeswoman, Marykate Guilfoyle. She said the county had no knowledge of any connection between Mr. Naples and the cyberattack.
Though hackers slipped into Suffolk computers right before Christmas last year, it was only on Sept. 8 that the county’s antivirus software — the systems that alert it to hackers — began pinging.
Within hours, the county had pulled itself offline, scrambling to stop an incursion it had just learned of, eight months and 21 days after the cyberattack had actually begun.