Report: Suffolk had high cyberattack risk months before detection
All of Suffolk County’s cyber domains were at high risk for a crippling ransomware attack more than six months before one was discovered in September 2022, according to excerpts of a report made public Friday by a special legislative committee investigating the attack.
Excerpts from the “Suffolk County Cybersecurity Assessment Final Report," commissioned by County Executive Steve Bellone's administration and prepared by Round Rock, Texas-based CyberDefenses, were read during a meeting of the Cyber Intrusion Investigation Committee. The full report was not made available.
CyberDefenses reviewed the county’s systems from September 2021 through December 2021 and issued its report Feb. 24, 2022. The cyberattack was discovered Sept. 8, 2022.
“There is a heightened concern that should the threat actor achieve success through reconnaissance or initial access, that the damage that could occur would be significant," according to the report.
Committee members said they were not aware of the report until Monday, the day before they interviewed Scott Mastellon, commissioner of the county's Department of Information Technology. Mastellon, who testified at the meeting Friday, called it an "oversight."
The committee’s outside counsel, Richard Donoghue, a former U.S. deputy attorney general, said the report explained in detail how the county’s cyber defenses were outdated and inadequate and asked Mastellon how the county had addressed the warnings.
“That report is as close as you get to a smoking gun in a case like this, and you sat on it until the day before you're interviewed,” Donoghue told the commissioner.
Mastellon disputed Donoghue’s characterization. “There were steps that were being taken to address each one of these particular issues across the entire organization," he said.
The cyberattack shut down many online services for months, some of which are still offline, and set off an ongoing debate over who in the county was responsible for the breach and the response to it.
Mastellon noted that a report prepared by Palo Alto Networks, the county's primary security vendor, whose Unit 42 division conducted a forensic investigation after the attack, found that attackers infiltrated the county clerk’s domain through a vulnerability in the Log4j logging library, the widely exploited flaw disclosed in December 2021. Bellone has repeatedly pointed to the report to make the case that a failure to patch that known vulnerability in the county clerk's computer network ultimately led to the attack.
“That [the attack] was a direct result of the clerk's office failure to take appropriate cybersecurity measures against threats that quickly spread through the system,” Mastellon testified.
Bellone administration officials on Friday again blamed Peter Schlussler, the clerk office's information technology director who was put on paid administrative leave after the attack. Schlussler has testified that the county missed numerous opportunities to prevent the attack months before it happened.
County spokeswoman Esther Jensen said the investigative committee has had "the actual 'smoking gun' in the forensics report for months, but instead they continue to ignore the evidence and play politics by mischaracterizing an internal cyber document."
Mastellon and his attorney, David Kelley, urged the panel not to release the full report or share images that identified the county’s domains and their threat risks.
“What you're doing here is putting up a map of what was identified as a vulnerability and inviting people to come and check to see whether those vulnerabilities are now ironclad, or whether or not there's a way around it,” Kelley said.
Donoghue countered that the deficiencies identified in a nearly two-year-old report should be fixed by now.
“This was 20 months ago, and many millions of dollars and many remediation efforts ago,” he said. “Hopefully … the county is in a much better shape, and that the vulnerabilities that are reflected here are not still in place.”
In May, the investigative committee said it had received a separate report from Dell Technologies that also was previously undisclosed. It found more than 600 instances of malware on county computers that might have gone undetected for years.
The Suffolk District Attorney's Office said it received an anonymous tip in June 2022 about a potential cyberattack targeting another county agency. The tip was forwarded to county IT personnel, who discussed the information with the FBI, according to the DA's office.
Correction: Peter Schlussler is the information technology director for the Suffolk County clerk's office. His name was misspelled in a previous version of this story.