Idaho’s recent cybersecurity-training efforts haven’t panned out for the state government so far. As first reported by Idaho Business Review, Idaho fell victim to two separate cyberattacks in just three days earlier this month, including one that used malware that security experts say they had not previously seen.
The first attack, on May 9, took hold of one tax commission employee’s computer through a phishing email sent from a local business. The business wasn’t aware that the email contained a malicious link, according to Renee Eymann, public information officer for the state, and neither was the state employee who clicked on the link and entered government credentials.
State information security director Jeff Weak told StateScoop that after informing the tax commission’s IT department, his office worked with computer security firm McAfee to patch the exposed computer. The damage, Weak said, was limited to just the one employee’s computer.
Nonetheless, the state has had to inform 36 taxpayers that their personal information was sitting in the email inbox of that employee while the attack took place and has been compromised. The state employee’s email also forwarded the phishing email to 103 other contacts, whom the state is also informing of the cybersecurity threat.
Both Weak and McAfee say they had never seen the particular piece of malware used in the phishing attack before.
“It was probably some sort of morphed phishing malware that’s been used in the past,” Weak said. “It was certainly an anomaly for everyone involved at the start.”
The state is still investigating the origin and motive of the attack, Weak said.
“[The email] did come from a third-party that we deal with on occasion … so it was something that wasn’t out of the ordinary for [the state employee] to be corresponding with that person — it was just the fact that it was a spoofed email that had the malware attached,” Weak said.
Just two days later, on May 11, both the state legislature’s website and the iCourt website, which provides a portal for status updates and payments on Idaho trials, were vandalized. The attacks came from an Italian hacking group called Anon+, Weak said. He did not disclose the vulnerability exploited, and the motive remains a mystery.
“I have no idea why they would choose us,” Weak said.
The websites were taken down for a few minutes while the state restored them from a backup image, Weak said — no data was compromised.
Officials say they believe the attacks were unrelated, and that the state’s agencies are attacked daily by actors looking for weak spots.
The state will continue providing cybersecurity training to its employees in the wake of the attack, following a call from Republican Gov. “Butch” Otter in January to create a more regimented approach to cybersecurity awareness and training throughout the state.