Questions remain, including, most pressingly, how much sensitive data was stolen. A separate criminal investigation by the F.B.I. is ongoing.
In late 2021, the United States Cybersecurity & Infrastructure Security Agency issued an urgent advisory that organizations were vulnerable to the flaw that allowed Suffolk’s hackers in, warning that “sophisticated cyber threat actors are actively scanning networks” to exploit the weakness, and urging them to update their systems.
In Suffolk County, several departments created a cyber patch in response to the warning, essentially blocking hackers from entering their systems. But the county has no centralized cybersecurity protocol across departments, and information technology teams operate in separate fiefs, a vulnerability the hack has since exposed: The office of the county clerk, Judith A. Pascale, did not make the fix, said Lisa Black, the chief deputy county executive.
Since 2017, more than 3,600 local, state and tribal governments across the country have been targeted by ransomware hackers, according to the Multi-State Information Sharing and Analysis Center, an organization that seeks to improve the United States’ cybersecurity position. A November report from Tenable, a company that seeks to mitigate organizations’ exposure to hackings, found that in the months since the government warning, nearly three-quarters of organizations still remained vulnerable.
After penetrating the Suffolk County clerk’s system in December, the hackers appeared to spend months nosing through its nooks and crannies, according to investigators, who followed the “digital bread crumbs” the hackers left behind. The next month, several Bitcoin mining programs were installed in the clerk’s system, the investigators found, establishing what is known in cybercrime as “persistence” in the clerk’s network; the hackers, in other words, were testing the limits of the system’s penetrability.