A Suffolk County employee has been placed on administrative leave as the investigation into a massive cyberattack on county government systems continues. County officials revealed that the intrusion began one year ago, with hackers moving through the Suffolk County networks for months before the attack was detected.
A forensic investigation into the breach found that hackers first gained access to county servers on Dec. 19, 2021, through the clerk's office, by exploiting a vulnerability in that office's systems. County officials said the security flaw first came to light after the September 2021 arrest of former county employee Chris Naples, who is accused of running an illegal bitcoin mining operation in the clerk's office.
County Executive Steve Bellone said at least $2 million was earmarked for key security upgrades in the clerk's office since the cryptocurrency mining incident, but the funding was never used.
Bellone said Peter Schlussler, the clerk's IT director, never implemented those security measures despite red flags of a cyber threat. He has been placed on paid administrative leave.
"This individual's actions deceived the county clerk and caused significant damage to this county," said Bellone. "The clerk IT director refused the offer to implement the existing security technology and importantly, as of this date, still has not implemented the $700,000 in security upgrades approved by the IT committee."
In January, hackers allegedly installed cryptocurrency mining software on multiple clerk servers and established "persistence."
A few months later, the criminal actors bypassed network security and installed remote monitoring tools, then began creating new user accounts and compromising existing ones.
In June, the Suffolk County District Attorney's Office was alerted to a possible cyberattack targeting the clerk's office. According to emails, Schlussler told county IT staff that he had found nothing on his end revealing any malicious activity. Later that day, however, Schlussler emailed at-home employees that they would no longer be able to work remotely because of "a significant security flaw."
Officials say the clerk's office was vulnerable because a different employee had run an illicit bitcoin mining operation there.
In July, hackers accessed a folder called "IronKey" that contained a file labeled "TMpasswords," according to the forensic report. County officials believe the hackers used that information to obtain credentials and ultimately access county servers on August 20.
The county may never know what type of sensitive information was stored in the "IronKey" folder, Bellone said, because it was deleted from the clerk servers on Sept. 29—three weeks after the county shut down its networks.
"We know the criminal actors could not have deleted it because the networks had been shut down on Sept. 8. We also know that county IT staff had no access to the clerk's systems," Bellone said. "Who deleted the 'IronKey' folder and why?"
More emails revealed by county officials show that Schlussler was made aware of newly created user accounts as early as July, but delayed meetings with county IT staff to discuss a possible breach.
Another part of the problem is that the IT systems for the county and the county clerk's office are separate, and one side couldn't see what the other was doing.
There is talk about integrating them but so far, the system has not changed.
Lance Ulanoff, U.S. editor-in-chief for TechRadar, says the attackers were sophisticated but should have been spotted sooner.
Ulanoff says the county did make the right decision not to pay the $2.5 million in ransom and instead pay to fix the problem.
"It always seems like a slippery slope to pay the ransomware attackers because there is no guarantee they will unlock your files," Ulanoff said.
The cyberattack has cost Suffolk County at least $6.8 million so far as the county continues to restore services and investigate the breach. At least 26,000 Social Security numbers were leaked, and more than 470,000 driver's license numbers of people with moving violations over the past decade may have been exposed. The breach has also delayed county payments to thousands of local businesses.