Washington County, Arkansas, experienced a cyberattack over the weekend, but state officials say the attempted breach, called a “dictionary attack,” appears to have ended — but not before the county, home to a population of about 250,000, blocked more than 64,000 attempts to log on to its servers.
Tad Sours, the county’s communications director, said Tuesday morning the tens of thousands of attempts to hack into the systems of the northwestern Arkansas county seemed to have stopped.
“There were only 176 attempted log-ons Monday and zero so far today,” Sours told a local paper. “It does appear they tried us for the weekend, and now they’ve moved on,” adding that no problems arose from the repeated attempts to access the system.
The “dictionary attack,” a method of trying to break into a password-protected computer or network by running through a list of common words and phrases, began Friday when county officials blocked more than 14,000 attempts to log on to its servers. On Saturday, officials said the number grew to more than 17,000 and increased again on Sunday with more than 33,000 efforts to access county servers being detected and blocked.
Allan Liska, an intelligence analyst at the cybersecurity firm Recorded Future, said it’s common for hackers to hit targets during weekends, when offices have fewer staff monitoring their security systems.
“If you’re a small town, you can’t afford 24/7 network monitoring. So you probably have [staff] Monday through Friday, and maybe some overnight stuff,” Liska said. “That’s why you see a lot of these attacks start Friday night, because they know if they can get in, they’ll have more time to move before somebody will detect them.”
He said the number 64,000 doesn’t correspond to the number of passwords the hackers tried on the server, but the number of username and password combinations. He added that most organizations configure their systems to lock out users after a certain number of failed login attempts.
“A good security model should automatically lock the account out after so many password fails, especially if that is a system connected to the internet,” Liska said. “So if you are if you’re trying the administrator username and you’re able to try 64,000 passwords against that, then you’ve done something wrong.”
Liska, who specializes in ransomware, said dictionary attacks like the one on Washington County frequently precede ransomware attempts.
“The bad guys have built a relatively complex underground ecosystem,” he said. “And so there’s a division of labor and activities — there’s one group of attackers that gets you the initial access, they’re the ones that do the phishing, they’re the ones to try and do the exploitation. They’re the ones that do the brute forcing, or the dictionary attacks. And then once they get access to a network, they then turn around and sell that to the ransomware actors, like the worst house flipping show ever.”
Sours, the communications director, credited the successful defense to the county’s information technology staff, which he said had done a great job handling the incident.
“The best way to look at this is it was a great exercise in how to deal with this kind of thing,” Sours said. “Our tactics worked. It’s always going to be a learning and training experience.”
Fayetteville, the second largest city in northwest Arkansas, also in Washington County, was hit by a cyberattack in June. Officials said someone changed several system files belonging to an internal city application, degrading performance of the city’s server.
“We want to make sure we keep these systems up and running and fully secure because these attacks, unfortunately, are only going to get worse,” Liska said of the increasing number of cyberattacks on state and local governments.
A November report from the Arkansas state Legislative audit found 130 cybersecurity incidents were reported from July 1, 2022, to June 30, 2023, at 75 public bodies across the state, including higher education institutions, public school districts and city and state agencies.