Forensic report on Suffolk cyberattack shows 71 systems encrypted by ransomware
Suffolk County's cybersecurity firm, Palo Alto, has completed its forensic analysis of how hackers bypassed the county's firewall and infiltrated government systems.
The full report states that cybercriminals accessed the clerk, county, health and sheriff domains, compromising 139 systems and encrypting 71 systems with ransomware.
County officials would not release more details about the type of sensitive data that was stolen, but Team 12 Investigates has previously reported that it includes at least 26,000 social security numbers and more than 470,000 driver's license numbers.
The forensic analysis found that cybercriminals gained entry to county systems by exploiting a software flaw, known as a Log4J vulnerability, in the County Clerk's system. County Executive Steve Bellone said that security weakness was known, and ignored, by the Clerk's Office for seven months.
"The main causes of this cyberattack are clear," said Bellone. "It's a failure to address the Log4J vulnerability in the clerk's office, the unprotected IronKey folder on the clerk's network, the clerk's segregated IT structure and them withholding information. Everything else is a distraction from the truth."
The clerk's IT director, Peter Schlussler, has been on paid administrative leave since December. County officials said he did not implement critical security upgrades, ignored red flags of a cyber threat and obstructed access to their systems after the Sept. 8 cyberattack, which allegedly delayed the restoration and recovery process by months.
The full forensic audit by Palo Alto is now being reviewed by the special legislative committee tasked with conducting its own investigation into the cyberattack. The Cyberattack Investigation Committee is chaired by Legislator Anthony Piccirillo.
"We have been conducting witness interviews through this process and this was a big piece of the puzzle that we need to now have our experts look at, decipher, and then sit with us and basically go through it page by page," said Piccirillo.
County officials said the forensic audit shows that the impact of the cyberattack was limited to less than two percent of county systems. However, it still took months to rebuild servers and bring services back online.
"After containment, you work to eradicate what was in the system, what malware was there. You pull it all off," explained Chief Deputy County Executive Lisa Black. "Then, you move into the restoration process, where you have to test the systems to make sure they can speak to each other, that the networks are communicating appropriately. Rebuild appropriately. Then you move to the lessons learned, and that's where we are now."
A third investigation, a criminal one, is ongoing. The district attorney's office has released few details about what it entails.