The company that operates a fiber optic network that supports statewide and local government entities across North Dakota was a victim of a recent ransomware attack that included some of the firm’s files being published on a website that attempts to shame victims into paying.
Dakota Carrier Network is a consortium of 14 independent broadband companies across the largely rural state that collectively own more than 40,000 miles of fiber and counts among its customers STAGEnet, a network shared by the state government and about 400 other public-sector entities, including city, town and county governments; K-12 schools; libraries; and the state university system. But early last Sunday morning, DCN learned its internal systems had been infected with ransomware.
DCN’s chief executive officer, Seth Arndorfer, said the attack was detected about 1:18 a.m., but that the organization was able to respond quickly.
“We quickly shut everything down and restored all of our data from the most recent tape backup, which was Friday, April 24,” he told StateScoop in an email.
On Thursday, though, DCN learned that some of its files had been posted on the website operated by the hackers behind the Maze ransomware, which has popularized the tactic of stealing and publishing victims’ data in hopes of extracting a payout. Arndorf said the attackers only stole administrative data.
“It seemed that we were able to shut it down before they were able to get to any user data,” he said.
A zip file available on the Maze website contains invoices, payroll information, vendor lists, password-reset requests and customer profiles, though no sensitive personal information like Social Security numbers appears to have been exposed. The breach also included at least one photograph of Queen lead singer Freddie Mercury.
“As always, it’s impossible to say what else they may have obtained,” said Brett Callow of the cybersecurity firm Emsisoft, which tracks global ransomware activity. “They seem to start by publishing old and less sensitive documents, presumably so as not to lessen the victims’ incentive to pay.”
The North Dakota Information Technology Department did not respond to a request for comment, but Arndorfer said DCN’s “authorized contacts with the State of North Dakota have all been notified of the situation” and that there was no disruption to its fiber services, which reach about 164,000 customers across the state.
According to research published this week by Microsoft, Maze frequently targets IT providers and public service providers. It sometimes is delivered via a phishing email, though the hackers behind it are also known to use brute-force attacks targeting known vulnerabilities in Microsoft’s Remote Desktop Protocol.
Microsoft’s research also found that ransomware actors, including Maze, have increased their attacks against critical services like IT and health care as the COVID-19 pandemic has spread across the globe. Arndorfer said that activity on DCN’s network has increased between 25 percent and 30 percent over the past five weeks.