Suffolk cyber incursion began a week before full-scale attack, report says

Cyber-hackers began actively staging a massive ransomware incursion across Suffolk County systems on Sept. 1, one week before a full-scale attack  began encrypting data, leaving ransom messages and forcing the county to take its systems offline for five months, according to a report released Wednesday.

The attack, according to digital forensic firm Unit 42, followed months of exploitation by the attacker, BlackCat/ALPHV, beginning in the county clerk’s domain. It resulted from the failure to install a critical security upgrade against a known vulnerability and the discovery of a folder of passwords on that network, the report says. Hackers first breached the network through the clerk’s office in December 2021, according to the report.

The heavily redacted report doesn’t explain why security systems by Palo Alto Networks, which is the parent of Unit 42, didn’t detect or prevent the attack once the hackers had shifted from the clerk's office to the broader county network. County Executive Steve Bellone noted that happened 18 days before the Sept. 8 attack.

Pressed on the matter during a news briefing Wednesday, Bellone said, “That is not something that’s going to be picked up” if, as the report noted, the clerk’s office “did not address that [security] vulnerability” months before. “They were already in the house in the clerk’s environment.”

A Palo Alto spokeswoman didn’t return messages seeking comment.

Bellone accepted some responsibility for the circumstances leading up to the attack, including the county’s failure to hire a chief information security officer who would oversee all county cybersecurity, and failing to centralize all county networks into a single secure network. Several county departments have their own IT staff and environments, including three managed by Republican elected officials. Bellone is a Democrat.

“There are plenty of things we could have been doing better, that I could have been doing better,” Bellone said.

But Bellone also attacked what he called the “false narratives” from the clerk’s office that officials had been seeking access to more secure systems for months. Newsday has reported on a series of emails in which former clerk Judy Pascale and IT director Peter Schlussler had pushed the county and the legislature for a Palo Alto hardware firewall.

“The one time the former clerk does raise the issue of cyber [security] formally in June, she does so generally, not specifically, and remember at that point the criminal actors have been in her IT environment for six months,” Bellone said.

Pascale on Wednesday said: "I've already spoken to [legislative committee counsel Richard] Donaghue regarding the cyberattack and I anticipate the sequence of events leading up to the attack, including where and how it originated, will be unearthed when he concludes his investigation."

The Unit 42 report was released to the county legislature’s special committee investigating the cyberattack last week.

Schlussler referred to a report he has provided to the legislative committee to explain the security issues. That report hasn’t been publicly released.

A June 2022 email from Pascale to IT Department Commissioner Scott Mastellon specifically said she was “somewhat taken aback” by Mastellon’s statement that the clerk had “not demonstrated an appropriate justification to support this purchase” of a hardware firewall. One such device ultimately was installed in the clerk’s environment about a week after the ransomware attack. It’s since been removed and replaced by the virtualized firewall the county had initially proposed, county officials said.

In a footnote to the report, Unit 42 noted that law enforcement had alerted Suffolk to an “alleged ransomware incident” on June 21, 2022, as Newsday has reported. At the time, Unit 42 said it “observed unauthorized access to the Clerk’s VMware environment in June 2022, but did not observe a ransomware event occurring within the June time frame.”

Unit 42 said it found that 71 systems within the county, the county clerk's office and the Department of Health Services were impacted by the BlackCat ransomware event, 50 were determined to contain data “at risk,” and nine had direct evidence of infiltration, with eight showing evidence of having appeared on the BlackCat leak site. Suffolk has some 10,000 computer systems, with a total of 139 considered “compromised.”

The chairman of the legislative committee probing the cyberattack said Wednesday that he is considering hiring an outside firm to vet the Unit 42 report and assure its objectivity.

Legis. Anthony Piccirillo (R-Holbrook) said he has been in contact with Donaghue and has discussed working with an outside firm to help decode some of its more technical aspects.

By Mark Harrington

mark.harrington@newsday.comMHarringtonNews

Mark Harrington, a Newsday reporter since 1999, covers energy, wineries, Indian affairs and fisheries.