State

Maine’s recent phishing attack could have been ‘far more serious’

State officials determined that no data was compromised during a phishing attack that hit three state agencies on Wednesday, including the bureau that oversees elections.

By Ryan Johnston

September 27, 2019

The Maine State House in Augusta (Getty Images)

A phishing attack with the potential to cause a ransomware incident that targeted servers across three state agencies in Maine on Wednesday did not access any private data, including voter databases, state officials determined.

Servers at the Maine Bureau of Corporations, Elections and Commissions, or CEC; the Maine Bureau of Motor Vehicles; and the Maine State Archive were affected by the attack on Wednesday afternoon, according to a press release Thursday. While no data was compromised, Maine Secretary of State Matthew Dunlap said in the release that the attack “could otherwise have been a far more serious incident” had email filters not flagged the vast majority of 1,600 emails that contained malicious links.

“The cybersecurity measures we have in place through OIT, combined with the immediate actions taken by our Information Services team, left us with minimal impact,” Dunlap said.

An investigation led by Dunlap’s office and Maine’s Office of Information Technology revealed just 18 of the 1,600 emails made it into employees’ inboxes. Though the attack only affected the CEC and internal servers within the state’s BMV and archives, it was designed to compromise the entire state government with ransomware, said Kristen Schulze Muszynski, a spokeswoman for Dunlap.

“I’m told it’s the type of attempt that could become ransomware if you do not detect it, but it certainly did not get anywhere near that point, because we detected it immediately and were able to clean up our systems,” Muszynski told StateScoop.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency announced last month it is launching a program to help protect election officials from ransomware attacks, which are often delivered through malicious links. At a conference in Washington on Thursday, CISA Assistant Director Jeanette Manfra said small government organizations often struggle to defend themselves. “The biggest thing is having that backup, and most organizations that are being targeted don’t have those resources in place,” she said.

All of Maine’s affected systems, including election and vehicle registration systems are back online as of Friday, Muszynski said. Wednesday’s incident came during a period of reorganization for the state’s IT office, as chief information officer Fred Brittain announced in August that it would be dividing the OIT into four divisions: information security, project management, enterprise shared services and client and infrastructure services. The restructuring was the first update in Maine’s IT governance since 2005, and designed to serve the individual IT needs of specific agencies, according to Brittain.

Benjamin Freed contributed reporting to this story.