Hackers demanding Suffolk County pay $2.5 million in ransom following the Sept. 8 cyberattack accessed computer networks though the county clerk’s computers thanks in part to an ex-employee’s illegal bitcoin mining, a report released Wednesday showed.
Officials blamed technical vulnerabilities on a former information technology deputy commissioner who was arrested last year for allegedly installing hidden computers in the Riverhead-based clerk’s office in a scheme to mine bitcoin — the process in which cryptocurrency transactions recorded — and his boss who officials said failed to catch his deputy’s alleged scheme or the ensuing cyberattack partly done in the deputy’s name. A computer program security flaw known as a “Log4J vulnerability” also helped get the hackers in the door, according to the report from Palo Alto Networks Inc., one of several companies hired to help in the aftermath of the attack.
“As a result of forensic examination, we now know with certainty that while the clerk IT director knew of the vulnerability, he failed to protect the county clerk’s IT infrastructure from this threat,” Suffolk County Executive Steve Bellone told reporters during a Dec. 21 news conference detailing the timeline of the attack for the first time. He said that the IT director misled Suffolk County Clerk Judith Pascale, who did not seek re-election in November, and did not respond to a request for comment.
Peter Schlussler, the $164,636-per-year IT director for the county clerk’s office, was put on paid leave amid the ongoing response to the attack, which has cost Suffolk $5.4 million so far — $3.4 million on restoration and $2 million on investigation. Christopher Naples, the former deputy from Mattituck, was fired after being charged with public corruption, grand larceny, computer trespass, and official misconduct in September 2021. He pleaded not guilty and his case is pending. When investigators entered the clerk’s IT room, alarms were signaling that the temperature was 20 degrees too high due to the excess equipment overloading the system.
“Instead of examining every single device in that environment to find out what was going on, this individual instead chose to berate an HVAC employee,” Bellone said of Schlussler.
Two months after Naples’ arrest, hackers with a group known as BlackCat first exploited the Log4J vulnerability to gain access to the servers in the clerk’s office, Bellone said. The county executive noted that because the clerk’s office is a separate agency with its own IT administrator separate from the county’s main system, Schlussler’s colleagues overseeing other county agency operations were unaware of the infiltration. In addition, when Naples designed the IT environment for the clerk’s office — hiding 46 cryptocurrency mining devices in the process — the clerk’s office did not implement a $1.4 million cyber security hardware update known as VxRail, Bellone said. Instead, the tool that could have enabled centralized monitoring and potentially thwarted the attack sat unused since 2019, he added.
The hackers had access to the clerk’s system for eight months without detection before they discovered a folder hosted on the server that was labeled Iron Key, Bellone said. That folder contained passwords and other sensational information the hackers exploited to broaden their access beyond the clerk’s office. They created a fake account in Naples name to advance their attack.
“After acquiring the necessary credentials, they were then able to migrate to the county,” Bellone said. About a month later, the hackers issued their ransomware demand and the county took its website offline to try to contain the damage.
“Early on in this process, I determined that I would not support paying a ransom,” Bellone said. “Payment is not guarantee that the criminal actors will honor their commitment or that they won’t come back later to extract additional demands. But more importantly, we don’t know who these criminal actors are. Are they terrorists? Are they engaged in sex trafficking? Are they engaged in activities that are hostile to our nation’s interests? By paying this ransom, would we be using Suffolk County taxpayer dollars to fund activity that could do harm to human life?”
The county executive said that without answers to any of those questions, he was not prepared to take a chance and pay the ransom.
Schlussler knew something was amiss beforehand, Bellone said. The county executive released an email — one of several showing missed opportunities to stop the attack — to the county’s IT department asking about the suspicious Naples account the Friday before Labor Day weekend, days before the attack. It’s unclear how long Schlussler knew there was an issue, but tried to hide it because he was “afraid of being embarrassed once again by Chris Naples,” Bellone said. Schlussler, who told investigators he believed Naples was behind the attack, according to Bellone, could not be reached for comment. He told Newsday, “I did my absolute best.” Neither Naples nor any other suspects have been charged in connection with the cyberattack.
The attack caused a ripple effect across the county. Information critical to real estate transactions were inaccessible for weeks. Hundreds of thousands of residents’ personal information was compromised. Election results were slowed by contingencies put in place. Suffolk police had to rely on outside law enforcement agencies for assistance handling some basic functions, such as fingerprinting. The county’s main website is still down, with a temporary landing page with basic contact information in its place for the time being. And the criminal investigation is continuing in tandem with a legislative probe.
“We have been and will continue to work with the FBI and SCPD regarding the ongoing criminal investigation,” Suffolk County District Attorney Raymond A. Tierney said. “Thankfully, my office had additional internet technology defenses in place, so that no criminal prosecutions were compromised.”
Bellone said the biggest lesson was the need to simplify and not compartmentalize.
“Complexity is the enemy of security,” he said. “A single IT security presence with jurisdiction across the entire county IT enterprise is the responsible and necessary approach to protect the government and its taxpayers for the future.”
