Report: 600 malware instances on Suffolk computers went undetected for years
A special legislative committee investigating the September ransomware attack on Suffolk County has been examining a previously undisclosed report that found more than 600 instances of malware on county computers that might have gone undetected for years.
The Suffolk County Legislature's committee and its outside counsel, Richard Donoghue, a former U.S. deputy attorney general, also have been interviewing witnesses and gathering information on events leading up to the attack, including examination of a trip by county officials to India during which the county network was accessed.
The Sept. 8 ransomware attack also is being investigated by the Suffolk District Attorney's Office, District Attorney Ray Tierney said, working with the Suffolk Police Department and the FBI. Tierney said the FBI is investigating the criminal enterprise behind BlackCat malware, which has been responsible for cyberattacks across the country perpetrated by hackers based outside of the United States.
Officials on the legislative committee stressed that it is too early to say whether findings in the reports will shift the forensic case presented by County Executive Steve Bellone: that failure to patch a security breach in the county clerk's computer network ultimately led to the ransomware attack.
WHAT TO KNOW
- Six hundred cases of malware on Suffolk computers might have gone undetected for years, according to a report that is part of a legislative investigation into the September cyberattack that crippled county systems for months.
- The report, by Dell Technologies, said it scanned and sanitized 39 county devices, finding malware in the Suffolk district attorney’s office and police department.
- The cyberattack cost the county $5.4 million to investigate and restore systems, and Suffolk has spent another $12 million on products and software officials said were needed anyway.
The cyberattack cost the county $5.4 million to investigate and restore systems, and Suffolk has spent upward of $12 million on new products and software officials said were needed anyway, Newsday has reported. The attack crippled many online systems for months, and impacted police dispatch, email, and vendor payment systems, among dozens of other functions. Late last month, Newsday reported some online services were still down.
Bellone, while accepting some responsibility for the attack, has mostly blamed the county clerk's office and its information technology director, whom he suspended with pay but hasn't publicly named, for the breach. That director, Peter Schlussler, has rebutted Bellone's claims, arguing in witness testimony and a 157-page report to the committee that the county missed numerous opportunities to prevent the attack months before it happened.
Bellone, in three ransomware press appearances since suspending Schlussler in December, has mentioned a bitcoin mining operation uncovered in 2021 in which an assistant IT director is accused of bitcoin mining on county computers. More recently, a county spokesperson asserted the county did not make any correlation connecting the ransomware attack to the bitcoin mining operation.
Earlier this month, Donoghue confirmed that the special committee received a report from Dell Technologies and "some other vendors" as part of the investigation. The reports are separate from the official report prepared by Palo Alto Networks, the county's primary security vendor whose Unit 42 division conducted a forensic investigation after the attack.
Palo Alto concluded the breach occurred because of a failure by the clerk’s office to patch a vulnerability in Log4j, a widely used logging library, which hackers have exploited to gain access to networks. Dell was contracted by the county in the days following the attack and worked for about a month, but its findings were not widely shared, officials said.
Dell scanned 39 county devices
A copy of the Dell report describes its work to scan and "sanitize" 39 devices. Dell reported finding more than 600 instances of malware variants in desktop, storage and server devices in the district attorney’s office and the Suffolk County Police Department, among others. The report also referenced work done in certain IT environments in the Board of Elections and clerk's systems.
Dell was paid $313,000 for the report, according to information obtained through a Freedom of Information Law request. The scans detected hundreds of variants, including phishing emails, HTML exploits and Trojan horse malware, which the county said in an email appear to be in addition to the BlackCat/ALPHV malware that was chiefly responsible for the ransomware attack.
“It’s certainly possible that there was malware wholly apart from the malware that was involved in the actual cyberattack,” Donoghue said.
Legis. Anthony A. Piccirillo (R-Holbrook), who chairs the investigative committee, said it was his understanding that the malware found on the systems had been there potentially for years, before it was discovered by Dell, which didn't return messages seeking comment.
“It’s very concerning,” Piccirillo said, noting the potential for compromised data on the district attorney and police department storage devices.
Suffolk, in a statement, said none of the malware “would have resulted in any compromised data on those devices.”
Piccirillo also expressed concern that the committee received the Dell report from a third party, not the county. “We should have known about this,” he said. “We weren’t briefed on it.”
Suffolk said the report findings “were shared with the DA, Police Department and Board of Elections [personnel] who requested the Dell services, and the results were reviewed with the forensic incident response team, Unit 42.”
Tierney said a reporter’s call was the first he and his team heard about the Dell report. “No one in my office or anyone associated with our county-run IT department ever saw it,” he said.
Not conducting criminal investigation
Piccirillo said that while the committee has subpoenaed witnesses to compel testimony, it is not conducting a criminal investigation. “If I find anything that looked criminal, I’d refer it” to the district attorney’s office, he said. The committee will issue a report on its findings.
Meanwhile, the legislative committee is also looking into what role, if any, was played by access granted to the county computer network when three county officials took a trip to India in August, weeks before the ransomware attack.
“We are aware of that,” Donoghue said. “We’ve come across communications related to that, and we’ve talked about it. Whether that plays in any way into the breach, I can’t form an opinion at this point.”
Three top county officials, including chief deputy county executive Lisa Black, traveled to India for six days in August and stayed at the Le Meridian Hotel in New Delhi.
While Bellone administration officials said there's no evidence that network access granted during the trip led to the attack, attackers are widely known to use Wi-Fi networks at international hotels as a way to infiltrate systems. Suffolk declined to answer questions about how an employee accessed the internet while on the trip.
Black in November denied she had accessed the county’s network. Pressed on the matter last month, Guilfoyle confirmed that “one employee accessed the VPN while on a work trip to India," but added there was "zero evidence of any attempted compromise of VPN or any evidence to suggest that the trip to India impacted the cyberattack in any way."
Piccirillo said, “That will bear itself out once we delve into it.”
Newsday requested records of each time Suffolk’s Department of Information Technology opened up access to county employees traveling internationally. County officials initially said they couldn’t access the records because of the cyberattack. Later, they said they needed more time to process the request. To date, the county has not provided the records.
A separate FOIL to the county comptroller’s office earlier this month turned up extensive travel records of the trip, which was conducted to "establish relationships with business leaders in India to support Suffolk businesses with supply-chain issues and other barriers.”
Speaking of the unidentified employee who accessed the network through the county's virtual private network, Guilfoyle said there’s “no prohibition on international VPN access or anything that confines VPN to the contiguous 48 states.” She included a copy of the county's VPN policy, which was last modified in 2008.
Guilfoyle declined to say whether the India access required a change to county network firewall rules. Nor would Guilfoyle say whether the access was via Wi-Fi or a wired connection, at the hotel or another location.
The VPN policy states that users "will not access the system in a public area and can’t connect using an unprotected wireless router or access point.” Users also shouldn't try to “circumvent or in any way disable safeguards that are in place to protect county property.”
County: India trip not related to attack
Guilfoyle said, "The evidence that does exist makes it clear that the India trip could not possibly be related to the cyberattack. Any implication otherwise would be factually inaccurate."
Michael Nizich, director of the Entrepreneurship and Technology Innovation Center and computer science faculty member at New York Institute of Technology, said use of a secure VPN should limit exposure to hackers. He expressed doubt that the India access was related to the ransomware attack.
Two other county employees attended the trip, along with several outside entities. They are John Schneidawin, Suffolk’s director of business development, whose expense report listed costs of $3,487.96, and Mohinder Singh Taneja, director of diversity outreach. The trip included a tour of the Taj Mahal with “Amity University as hosts.” Amity has a sister campus in Oakdale.
Attempts to contact Schneidawin and Taneja were unsuccessful, and the Newsday FOIL request did not turn up an expense report for Taneja, whose Instagram profile lists affiliations with the American Diversity Forum, the Long Island Sikh Council and SVAM International, a “global information technology services provider."