- Governor had warned that state was target of phishing campaign
- Timing of attack furthers concerns about election stability
Hackers have launched a sprawling, multifaceted cyber-attack against the state of Washington, according to two people familiar with the matter.
The attack infested many of the state’s agencies with sophisticated malware, including one type known as Trickbot, according to the two people, who requested anonymity because they aren’t authorized to talk to the media.
The attack has already lasted more than a week, but it has yet to significantly affect state operations even while exposing flaws in the state’s security apparatus, the people said.
The cyber-attack didn’t impact the state’s election systems. Nonetheless, coming nearly a month ahead of November’s presidential election, it highlights the potential vulnerability of state computer networks, which include election systems.
Tara Lee and Mike Faulk, both of whom are spokespersons for Governor Jay Inslee, didn’t respond to requests for comment. Secretary of State Kim Wyman’s office tweeted Thursday that they’re “aware of an active cyber threat facing government entities…though we have no reason at this time to believe this is targeted at elections.”
On Thursday, Inslee said at a press conference that a nationwide “phishing campaign” — phony emails that usually include an attachment that detonates malware when opened — was targeting the state. But the reality of the attack hitting state computer networks is more serious than a phishing campaign. Attackers have successfully gained access to multiple state agencies, spreading malware and establishing a foothold from which they could deepen their attack.
Microsoft spokesperson Frank Shaw declined to comment. Messages sent to the FBI in Seattle weren’t acknowledged.
Further details about nationwide phishing campaign, as Inslee said, weren’t available.
The attackers’ motives remain unclear. It’s not known if any data was stolen or if the hackers had planned to detonate the kind of ransomware attacks that have devastated cities, school districts and businesses across the country in recent years. Such attacks seek to lock users out of their computers, demanding a hefty ransom to regain access, and can significantly disrupt operations for days or even weeks.
Still, the timing of the attack has raised security questions ahead of the first presidential election since Russia meddled in the 2016 race by hacking Democratic Party emails and targeting election systems in all 50 states, according to federal authorities. DHS has repeatedly warned about the risk of cyber-attacks and even ransomware before the upcoming vote.
At least some state employees received calls on Sept. 18 directing them to avoid accessing emails. On Sept. 21, an updated directive asked employees to stop clicking on new attachments, according to a state employee who asked not to be identified because they’re not authorized to speak to the media.
“The potential for damage here is the inability for the state to operate its services that rely on computer systems,” said Michael Hamilton, former chief information security officer for Seattle and the founder of the cyber firm, CI Security. “While the state is handling multiple dilemmas — an election, record unemployment, civil unrest, fires — a broad scale compromise could be crippling.”
One of the people familiar with the investigation said early analysis of the intrusion indicated that the hackers may not have been targeting Washington but rather happened upon — and took advantage of — flaws in the state’s cybersecurity system. Responders are continuing to monitor the malware’s behavior across a broad swath of the state’s network, said the person.
At least 13 of the state’s departments and commissions were impacted by the attack, including corrections, parks and recreation and fish and wildlife, according to one of the people familiar with the matter. That person also said another type of malware, called Emotet, was used in the attack, in addition to Trickbot.
Janelle Guthrie, a spokesperson for the Department of Corrections, echoed the governor’s statement, saying many public and private organizations across the country, including the state of Washington, were being targeted by a phishing campaign.
“Washington state is taking proactive measures to protest state systems, which may require taking certain applications offline temporarily,” she said. “There is no known indication of state services being impacted at this time.”
Anna Gill, a spokesperson for Washington’s Parks and Recreation Commission, referred requests for comment to the governor’s office.
The election isn’t only a political target for some attackers with nation-state allegiances. They are also a potential tool for cybercriminals seeking profit because victims may be desperate to pay to ensure their systems are operational, said Brett Callow, a threat analyst at the New Zealand-band cybersecurity company Emsisoft.
“What better time for an attacker to extort payment from government systems than the time it needs access the most?” said Callow, adding that the hackers could be “holding fire” until the days leading up to Nov. 3 Election Day.
Washington state is widely viewed as boasting one of the country’s most sophisticated cybersecurity systems, especially its election system defenses. Because of its dependence on postal ballots, Washington ranks among the highest for pandemic voting preparedness, according to a report by the Rand Corp. about voting system confidence in 2020.
The Emotet banking Trojan, first identified in 2014, gained notoriety by targeting banks and financial data but has since evolved into a spamming and malware service, according to cyber research firm, Malwarebytes Inc. Its ability to evade detection has drawn the ire of the U.S. government which has branded Emotet among the world’s most dangerous malware with an estimated cleanup cost of $1 million per incident.
Hackers are often capable of moving around inside the network, allowing them to compromise additional departments. In the case of Emotet, the attackers are also known for resending phishing emails to victims from the internal email system.
In addition, it’s not uncommon for attackers to take their time after gaining access to a network, before deploying ransomware or some other kind of damaging attack. The hackers can use that time to explore the network looking for sensitive data or figuring out how to exploit a vulnerability.
Trickbot is another Trojan which originally targeted banks and financial institutions that has since seen expanded its attack surface to all enterprise networks. Using a particular vulnerability called EternalBlue, Trickbot can spread through networks then reinfect computers or servers that were previously infected and then sanitized. “IT teams need to isolate, patch, and remediate each infected system one-by-one. This can be a long and painstaking process,” according to Malwarebytes report on the malware.
Emotet and Trickbot are frequently used in tandem, especially by the Russia-based cybergang, Ryuk, according to the cybersecurity firm CrowdStrike. First recognized in 2019, Ryuk became notorious in its first six months of operation for attacking enterprise networks, yielding revenue upwards of $4 million, according to CrowdStrike.
As Ryuk’s activity faded slightly in the early-spring and summer of 2020, another threat actor emerged with a similar attack profile, called Conti, according to Emsisoft. In its short history, Conti, which also appears to be Russia-based, has gained notoriety for attacking state and local governments, including state courts in Louisiana in September, the cyber firm said.