Last week’s coordinated ransomware attack in Texas — which state officials say has affected 22 local government agencies — is the first known incident of its kind to strike the public sector. But an executive with a national cybersecurity information clearinghouse warned state government IT officials at a conference in Indianapolis on Tuesday to watch for more attacks of this type to come soon.
“Will it happen again? It is happening again. It’s probably happening right now,” said James Globe, vice president of operations for the Center for Internet Security’s Multi-State Information Sharing and Analysis Center.
Experts have speculated as to the type of ransomware that was used in the coordinated attack, with some claiming it’s Sodinokibi, a variant of GandCrab, while others saying it’s yet another case of Ryuk, one of the most costly and destructive forms of ransomware used today. Whatever the type, Globe said, it’s already evident that this is but the latest in a string of ongoing attacks leveled against state and local government agencies that appear to be getting more severe.
In fact, Globe said that his organization, which provides tools and information to state and local government agencies and helps them respond to cyberattacks, on Monday received a request from one of its members in the electricity sector asking for support to remediate an incident.
Texas’ Department of Information Resources, which itself has not been attacked, is assisting those affected in conjunction with the Texas Division of Emergency Management, the Texas National Guard, Texas A&M University and the state’s Commission on Environmental Quality and Public Utility Commission. But aside from two brief updates from DIR, information on the attack has been sparse.
“It’s kind of radio silence, which is not uncommon when the actual incident is happening because people are focusing on assessing and recovering,” Globe said.
Doug Robinson, executive director of the National Association of State Chief Information Officers, told StateScoop that the coordinated attack has illuminated a challenge in regional information sharing. Larger organizations have the resources to participate in such cooperatives, but the smallest organizations that need the most help often don’t have dedicated cybersecurity personnel to dedicate to recovery.
In his presentation, Globe urged the state technology directors in attendance to lean on the MS-ISAC for information and resources to prevent such an incident from affecting their organizations. Though ransomware attacks against state and local government are on the rise — there have been more than 50 this year so far, not counting the latest Texas incident — Globe said that certain types of malware dipped in usage this summer, which he called a suggestion that hackers are resting up and modifying their code for more sophisticated attacks later this year.
“We have some threats, like Emotet and Trickbot, which really ramped up in February, March and April, and as we go into May, as it got warm, suddenly it just went away,” Globe said. “And we attribute that back to a group of cybercriminals, and well, they probably went on vacation. They made enough money in the attacks they carried out. What do they do in that down time? What you will find is they are modifying their code and their method of attacks.”