Hackers Had Access for Months Before Launching Ransomware Attack

In another sign that accountability is rising in cyber security, the IT director of the Suffolk County Clerk’s Office in New York has been put on paid administrative leave. An investigation following a September ransomware attack found that hackers had been exploring and exploiting Suffolk County’s systems since December 19, 2021, and accused IT Director Peter Schlussler of acting in “an incredibly nonchalant manner” toward the county’s cyber security.

Schlussler disputed the investigation’s findings in an email to The New York Times, noting that his requests for stronger cyber security at the County Clerk’s office had been rejected by superiors. Suffolk County wound up taking all of its systems offline in September when the hack was finally discovered and, according to the Times, is still using workarounds for some online functions.

Suffolk County Hack Timeline Illustrates Common Tactics and Detection Failures

An examination of the Suffolk County hack reveals opportunities when the intrusion could have been detected, had the IT Director been following security protocols that most cyber security specialists recommend.

December 19, 2021: Criminals gain access to the County Clerk’s systems via a known flaw in a common piece of software. Investigators found that there was no centralized authority for the municipal systems run by Suffolk County. As a result, patches to fix the known vulnerability were not applied across all systems. Suffolk County Executive Steven C. Bellone cited the IT director’s failure to patch the vulnerability as a cause of the cyber attack.

January 2022: Hackers install Bitcoin mining software on the Suffolk County systems. Criminals install software like this for two reasons: To see if it will be detected and removed, and to see if the data it sends will be detected and removed. Organizations that fail to spot rogue software communicating with unknown parties will have their data stolen.

Many IT directors perform regular scans of all systems to look for new software installations, which can be sign of a breach. This can be a challenging task in a large, decentralized environment, which is why cyber security professionals recommend centralized administration for users and software.

March 2022: Hackers install tools to run Suffolk County systems remotely. Criminals who do this have a high level of confidence in their ability to carry out significant attacks. These systems will be tested before the next phase of intrusion begins, offering an opportunity to detect the activity.

Every IT director and security professional should be scanning systems regularly for all known remote clients. Although New York investigators did not specify the kind of remote access tools used, many criminals use the same remote-access software that organizations use to keep their own remote employees connected. By itself, the presence of remote access software may not trigger concern, but the alarm should be raised if it is suddenly used more often, at unusual times of day or in unusual ways. Use a Virtual Private Network (VPN) secured with two-factor authentication (2FA) to enhance the security of remote access.

April 2022: Criminals create the first of several admin-level user accounts in the County Clerk’s systems. This is the boldest step yet, and at this point, the hacker is the IT director. With Admin-level access, criminals can install software, exfiltrate data and manipulate systems to cover their tracks.

There are a number of ways to alert IT staff when new accounts are created, and a number of ways to limit the access that new users have. Beyond these safeguards, user lists and access levels should be audited and verified on a regular basis, with any unrecognized accounts immediately flagged and suspended.

July 2022: Data exfiltration begins, including at least one file with the name, “Passwords.”

August 2022: Keyloggers are installed. Intrusions begin on systems connected to the County Clerk’s system. Hackers encrypt everything they can access as they prepare to launch a ransomware attack.

What should stand out about the Suffolk County attack is the patient, meticulous nature of the hackers. This was not a high-speed raid or a crime of immediate opportunity. Hackers got in, then slowly built up their presence and toolkit over time, starting with nuisance software and moving on to complete control and surveillance. At each step, the hackers stopped and waited to see if their activity would be detected. When it was not, they executed the next step of their takeover plan.

The month-by-month increase in activity correlates with what hackers know about most cyber security solutions: Scans run at least once a month. If 30 days pass and software or activity has not been detected, it is safe to escalate. Think of this like a burglar finding a series of unlocked doors in a home. After opening each door, the burglar looks around to make sure it is safe before opening the next door.

The Myth of “Opportunistic” Cyber Attacks

Far too many business owners and organizational leaders think a cyber attack occurs because someone lets their guard down for a moment. While these attacks do occur, they tend to be low-level financial attacks that scam a few hundred or a few thousand dollars. Real cyber criminals are as patient and methodical as the group that attacked Suffolk County, and the damage they cause can lead to millions of dollars in remedies and restitution. Large, distributed, heavily used networks like those found in municipal government offices are ripe targets for the troves of personal information they hold and the opportunities they offer for criminals to conceal their activities.

We see multiple points where the Suffolk County attack could have been stopped, but we also see the challenges faced by the IT director, which are common to both businesses and the private sector. Too many leaders do not understand the real nature of cyber attacks. Too many government and private-sector organizations see Virtual CISO services or Dark Web Monitoring as a needless expense. The irony here is that they wind up paying for these services after a breach, alongside any fines and costs associated with data loss and system repairs, when they could have prevented the intrusion in the first place.

There is also the question of accountability, and the decision to suspend the Suffolk County Clerk’s IT director. This follows Federal sanctions against the CEO of Drizly following the theft of customer data. In both of these cases, investigators uncovered events that should have been prevented by cyber security best practices and held the people responsible for overseeing cyber security accountable.