Suffolk County law enforcement and technology managers were alerted to a “possible ransomware event” nearly three months before overt signs of a large-scale intrusion were officially detected on Sept. 8, Newsday has learned.
The tip came from a court officer who had been in contact with an FBI agent, according to a copy of a June 21 email sent from a top investigator in the district attorney's office. The email, obtained by Newsday, indicated an event was “taking place in the county” and was sent to Brian Bartholomew, an information technology coordinator for Suffolk.
In an email chain responding to the tip at the time, Bartholomew wrote he was not aware of “any ransomware attack that is going on,” and added that “none of my equipment is lighting up” to indicate a problem. He asked for more specific information and checked with other computer staff.
Suffolk District Attorney Ray Tierney’s office, after initially referring questions to Suffolk County Executive Steve Bellone’s office, on Friday acknowledged the tip.
WHAT TO KNOW
- Suffolk County law enforcement and technology managers were alerted to a “possible ransomware event” nearly three months before overt signs of a large-scale intrusion were officially detected on Sept. 8.
- It remains unclear what evidence the tip was based on, but it may have been one of several missed opportunities to head off the cyberattack that shut down a broad cross section of county services.
- Suffolk said it is taking measures to further secure its system, and some operations are gradually coming back online. The dollar impact is becoming more visible by each day.
“In June 2022, the District Attorney’s Office received an anonymous tip that there may be a potential cyberattack targeted against another county agency,” Tierney said in a statement to Newsday. “Having no access to the county’s IT systems, the [DA’s] Office immediately forwarded that tip to County IT personnel, who spoke directly with the FBI about the information.”
Tierney said his office had been “assured at that time by the Coordinator in charge of County IT that their checks revealed no malicious activity."
“Unfortunately,” he noted, “that assessment was incorrect. We are working with the FBI and our law enforcement partners to apprehend and prosecute the offenders.”
It remains unclear what evidence the tip was based on, but it may have been one of several missed opportunities to head off the cyberattack. The attack shut down a broad cross section of county services and led Bellone on Sept. 11 to declare a state of emergency.
Suffolk County spokesperson Nicole Russo, in an email Friday night, declined to respond directly to the June tip, and an email to Bartholomew bounced back as undeliverable.
More generally, Russo wrote, "There is still an ongoing forensic assessment to determine exactly when and how the threat actors accessed county systems. Our team of cybersecurity experts are working to piece together these details, while we continue with our safe and secure rolling restoration."
Michael Nizich, director of the Entrepreneurship and Technology Innovation Center and computer science faculty member at the New York Institute of Technology, said the prospect of cyberattackers in the system months before the full-on attack likely gave them critical intelligence on what to steal.
"Basically they’re kind of casing the neighborhood," he said. "They're looking for the most valuable items, the richest data they can obtain, and that’s database files."
'Large sum of data' stolen
Newsday previously reported there were likely hundreds of indicators of potential intrusion across county computer systems that were discovered as part of a forensic audit of the malware event, some potentially months before Sept. 8. The attack reportedly led to the theft of some 4 terabytes of personal data of county residents, employees and contractors.
In addition to scrubbing databases for infected files and installing new computers, Suffolk on Friday said it is already taking measures to further secure its system. The proposed 2023 operating budget would create the new position of chief information security officer to "advance these protections" on county systems, and the county is exploring the "possibility of obtaining cyber insurance." Like obtaining life insurance, cyber insurance for the county would require high levels of protection from threats.
Experts suggest it's needed, given the duration of the county computer outages.
Chris Coluccio, chief executive of TechWorks, an outsource information technology provider, said hackers likely were in Suffolk’s system days or weeks before the attack was discovered and network cables physically unplugged.
“Just the amount of data that has been said they stole — which is about four terabytes of data — that takes a decent amount of time to pull off the network to begin with because it’s a large sum of data, so they’d have to be streaming that data out of the system,” he said, adding: “There should have been systems in place that would have caught that.”
The missed June tipoff would not be the first time county-connected systems had been compromised in the past year.
A year before the attack, on Sept. 8, 2021, police arrested Christopher Naples, a veteran county information technology supervisor, for allegedly running a cryptocurrency mining operation out of the County Clerk’s office in Riverhead. Authorities found 46 cryptocurrency mining devices, which require high levels of electricity to run, hidden in six different rooms.
Naples was charged with grand larceny in the third degree, public corruption and computer trespass, according to the felony complaint. His case is pending, and his next court date is scheduled for Nov. 29 in Southampton Justice Court. His lawyer did not return a call for comment.
That event should have prompted a review by county officials, said John Bandler, a former prosecutor who has written two books on cybersecurity.
“When something bad happens, you definitely have to review it," he said. “How did this happen? How do we prevent this from happening again?"
Assessing the financial impact
The event on Sept. 8 of this year has hobbled regular county operations, though some are gradually coming back online. The dollar impact is becoming more visible by each day. On Friday, Newsday reported the county is $140 million in arrears in paying county vendors for goods and services, for everything from PVC pipes to subsidies for child welfare programs. Suffolk spokeswoman Russo said the county has processed more than $40 million in payments to county vendors since the hack, much by handwritten checks.
In addition, tens of millions of dollars in real estate tax payments that typically go out to towns and municipalities have been backlogged for more than a month. Brookhaven Town Supervisor Edward P. Romaine said it has led to the delay of the roughly $2 million a week the town typically receives in mortgage tax payments from the county, a delay that is “disruptive” but not catastrophic.
“All these things will be done and the revenue collected at a later date,” he said. “We can adjust.”
More importantly, Romaine said, the Suffolk ransomware attack is a “cautionary tale” about the importance of preparedness and diligence for all local governments. Just this month, Romaine said, Brookhaven spent $30,000 on a penetration test of its systems to make sure they were locked tight. He has plans to increase the IT budget for 2023.
Newsday last week reported that Suffolk County Clerk Judy Pascale's office, one of the first to restore public-facing computer services, had been pleading with the county legislature’s Ways & Means Committee and the county for funding to upgrade computer systems. Among the upgrades is a high-level firewall, the first line of defense for any computer network. Pascale, in an interview Friday, said her office is still waiting for the firewall.
"The risk would have been mitigated" had the protection been in place, Pascale said, adding that forensic work to date indicates the attack "did not start in my office."
She said her computer technology department has been "sounding the alarm forever" about the need for software upgrades and cybersecurity, but her requests repeatedly were rebuffed.
Legis. Bridget Fleming (D-Noyack), who advocated for the funding, told Newsday it was important specifically because of the threat of cyberattacks.
Meanwhile, Pascale said her office gradually has been returning to full operation, but there's still work to do.
"We're close to halfway there, we're getting close," she said, while the county continues to perform forensics on the network. Title searches have been back for two weeks, in part because backup files were not lost and Gov. Kathy Hochul sent new computer systems to help.
"I've been assured no data was lost," Pascale said. "We want to get back to electronically recording and filing" mortgages, deeds and other paperwork.
Pascale said she would support a cybersecurity chief for the entire county computer system, as Bellone's budget will request.
"Everybody realizes this is a real threat, a global threat," she said. "A cybersecurity chief is definitely needed for a county of this size. Absolutely."