Scant months after the state of Idaho took steps to beef up its cybersecurity, state government computers fell prey to two attacks in a matter of days.
First, on May 9, an employee at the Idaho Tax Commission fell prey to a phishing attack, a type of scheme in which email purporting to be from someone legitimate actually has malware attached to it. Cybersecurity training, which all executive branch employees were required to take earlier this year, covered such attempts, but they are difficult to detect, said Jeff Weak, director of information security. “It’s getting so hard to differentiate between legitimate and threat email,” he said. “It was an entity she had worked with in the past, and a person she had worked with, who had their credentials stolen.”
The Tax Commission doesn’t believe the employee or the agency was deliberately targeted, said Renee Eymann, public information officer for the agency. “The phishing email came from a small business that was unaware that it had been compromised,” she said. All the employees in the office had taken cybersecurity training, she added.
In addition, the malware used a zero-day exploit, meaning it took advantage of a previously unknown security flaw. “We can’t trace it back to who did it, but it was something we hadn’t seen,” Weak said. “There was no way to prevent or safeguard against it.” In fact, the Tax Commission worked with its security vendor to help develop a patch to send out to other users of the security software, he said.
Then, on May 11, the same day that the phishing exploit was revealed, the Idaho Legislature website and the iCourt website were electronically vandalized to display a set of messages, including one that stated that the group hadn’t taken any data, just written over it. After the vandalism was discovered, the website was restored through a backup image, said Weak.
“It was equivalent to graffiti on a wall,” he said, adding that the website data was unavailable for about ten minutes.
The attackers, an Italian group known as Anon+, entered the websites through a vulnerability Weak did not identify, but he indicated that it had been corrected. “I’m pretty confident that something like this won’t happen again in the future,” he said.
The Legislative Services Office isn’t part of the executive branch, which houses Weak’s office, but he said his office could still help fix the problem despite the separation of powers. That afternoon, his office took the websites down for a few minutes to fix the vulnerability.
Weak said that no data was lost through the LSO attack, and that information taken from the Tax Commission attack was limited to what was on that person’s computer. Personal information of 36 taxpayers was in the employee’s email box, and phishing email was also sent to 103 outside contacts, according to the Tax Commission. The agency said it is notifying these people that their information may have been compromised.
Both events pointed out the importance of keeping up with training and security maintenance. “We have to hammer it home with cybersecurity awareness training and the importance of the person sitting at the keyboard,” Weak said. “They’re the first and last line of defense. All of those safeguards can be rendered useless if the person behind the keyboard isn’t judicious about what they click on.”