Dallas County said Tuesday that an attempt to hack into its computer systems earlier this month has been thwarted and staff are continuing to investigate the incident.
The county announced on its website that its IT staff interrupted an attempt to steal data and “effectively prevented any encryption of its files or systems.”
“Currently, there is no evidence of ongoing threat actor activity in our environment,” the county statement said. “Given these measures and findings, it appears at this time that the incident has been successfully contained and that Dallas County’s systems are secure for use.”
The statement also said, “We do not want to make premature assumptions about the extent of impact or other details, which may evolve as the forensic investigation advances.”
Murat Kantarcioglu, a computer science professor at the University of Texas at Dallas, said that he still has questions after reading the county’s statement. If the county stopped the attack, he said it still isn’t clear whether the hackers stole any information before they were kicked out of the system.
Oftentimes once hackers have gained access to an organization’s system, they will snoop around for information, extract it, then encrypt the system and leave a ransom note on devices. Kantarcioglu said if the county cut the hackers’ access mid-attack, they still could have pilfered some information.
Kantarcioglu, who focuses on cybersecurity and data privacy, said that most of the time once hackers post a ransom demand claiming to have information on the dark web, hackers have collected at least some data.
“I don’t suspect they are bluffing, but how much they have we don’t know,” he said.
The county’s Tuesday statement said its system was able to stave off a full attack due to bolstered measures.
According to the county, security measures include requiring multi-factor authentication for remote access to the network, forcing frequent password changes for all users, monitoring devices accessing the network and reviewing potentially malicious IP addresses attempting to access or remove content from the county network.
Kantarcioglu said if the statement is true, Dallas County came away from the cyberattack better than most organizations.
“This is a good example of investing in cybersecurity,” he said. “If you invest, it will help reduce the impact of the attack.”
See here for the background, and here for the county’s statement. I largely agree with Professor Kantarcioglu. The attackers said that they would begin publishing data on November 3 – it’s not clear to me if they are demanding a ransom – so we’ll know soon enough if they are bluffing or not. The security measures mentioned are all good, but there could still be vulnerabilities or other gaps in their controls. Let’s see what happens on Friday. In the meantime, I’m hoping for the best.