What Happened? Texas Breach

Huge Coordinated Ransomware Attack Hits 22 Texas Towns Last Year

By Najmeh Tima

“What Happened?” is an occasional feature by Digital Privacy News that looks back on some of the tech industry’s biggest data breaches last year.

More than a year later, Texas officials still are not saying who was behind a massive ransomware attack that paralyzed the digital operations of 22 communities for a week in August 2019, though one expert told Digital Privacy News that the culprit most likely was a hacker-for-hire with ties outside of the United States.

“The identity or organization of one single threat actor has not been clarified yet,” said Allan Liska, an intelligence analyst with Recorded Future, a Boston corporate-security research firm. “It’s almost impossible to determine who the attacker was due to Ransomware-as-a-Service (RaaS).”

Liska defined RaaS as when a person or group develops ransomware and then rents it out to others for execution. “The person who developed the ransomware may be in Estonia, but people carrying out the attacks could be anywhere,” he said.

“The attack was carried out by the REvil/Sodinokibi team,” Liska added, “but we didn’t know which of their affiliates it was.”

The REvil/Sodinokibi group was one of the first ransomware actors to use managed services providers (MSPs) to get to victims, Liska said. The group demanded a total ransom of $2.5 million — and Texas officials said that they were “unaware of any ransom being paid in this event.”

Targeting vulnerabilities in the Pulse Secure VPN, the group gained access to an MSP — and then used the access to infect the clients of that MSP, he added.

Liska told Digital Privacy News that he could not say for sure where the REvil/Sodinokibi group operated from, other than that “it is suspected they operate somewhere out of Eastern Europe.”

Officials from the Texas Department of Information Resources (DIR) and from the other affected communities declined repeated requests for comment from Digital Privacy News.

However, DIR officials said that the agency’s initial investigation found that “one single threat actor” was responsible for the attack, which lasted for one week, Aug. 16-23, 2019.

Day of Incident

On Aug. 16 of last year, Texas officials received notices from local governments of a coordinated ransomware attack that paralyzed online business-critical services in 22 cities and towns.

As a result, birth and death certificate services, along with utility and other payment systems, were unavailable online, according to an Aug. 19 news release by officials in the north Texas city of Borger.

Activating the State Operations Center (SOC) later on Aug. 16, Texas officials assembled a multi-organizational task force that included DIR, the Federal Bureau of Cyber-Investigation, the Texas Division of Emergency Management, the Texas Department of Public Safety (DPS) and the U.S. Department of Homeland Security.

Six days after the initial attack, Armor, a Dallas cybersecurity software company, released an updated list of affected entities in the state.

Besides Borger, the affected entities included the communities of Keene, Kaufman, Wilmer, Lubbock County, Bonham and Grayson County, as well as the Graham Police Department and the Vernon Police Department.

Then, 20 days after the initial attack, DIR said that “all impacted entities were recovered and restored” within seven days and that it was “unaware of any ransom being paid in this event.”

Liska told Digital Privacy News: “It was one attacker who launched all of the attacks, rather than 22 different attacks.”

Manipulating Systems

According to Liska, the attackers most likely used the administration tools that managed the Texas systems to deploy the malware.

“It was the MSPs that automated a coordinated attack in local governments in Texas,” he told Digital Privacy News. “It allowed them to quickly automate the management of their clients simultaneously.”

That is why one of the first steps in responding to a ransomware attack, he observed, “is to figure out how they got in and secure that vulnerability.”

Pulse Secure researchers last year detected a vulnerability in the company’s VPN products that could be “exploited to infiltrate corporate networks, obtain sensitive information and eavesdrop on communications,” according to a January report by SecurityWeek.com.

The vulnerability was used to “deliver a piece of file-encrypting ransomware tracked as Sodinokibi and REvil.”

Pulse Secure, however, told SecurityWeek in a statement for the report that it had “publicly provided a patch fix on April 24, 2019, that should be immediately applied to the Pulse Connect Secure (VPN).”

The statement called the VPN vulnerability “highly critical,” adding that “customers that have already applied this patch would not be vulnerable to this malware exploit.

“As we have communicated earlier, we urge all customers to apply the patch fix,” the Pulse Secure statement said.

In response to this disclosure, Liska told Digital Privacy News: “Ransomware actors generally do not use zero-day exploits (exploits for previously unknown vulnerabilities).

“Instead, they rely on exploiting well-known vulnerabilities and count on organizations being slow to patch,” he added. “Unfortunately, this is the case too often.”

Tracking the Culprit

Noting that the attacker most likely operated under a RaaS arrangement, Liska said that tracking down the specific location of such hackers — particularly with RaaS — had become far harder for many reasons.

Using a RaaS model, REvil rents out its infrastructure to other ransomware attackers, Liska explained, making it possible for as many as a dozen different groups to deploy the REvil ransomware.

“From a dozen different locations, it will be hard to track down a single group,” he said.

Liska added that the ransomware group had hundreds of successful attacks — making lots of money — which means it could better cover its tracks and could afford even more sophisticated methods.

In fact, the SecurityWeek report from January noted that Sodinokibi “typically asks victims to pay thousands of dollars to recover their files.”

Liska added that relying on outside software providers rather than an in-house IT network very likely was a factor in the Texas breach, and that the attack might have been avoided with better detection methods.

“Obviously, having software providers instead of IT networks had made such a ransomware attack in Texas possible,” he told Digital Privacy News.

“Using Carbon Black or another advanced endpoint solution,” he continued, “can detect a ransomware attack faster and stop it before it can cause damage.”

Other advice: “They needed to enable two-factor authentication for their MSPs. They also needed to do better network segmentation, so that the MSPs only had access to the systems they needed to touch.”
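Liska’s segmentation advice comes down to a least-privilege rule: the MSP’s management network should be able to reach only the hosts and ports it is contracted to manage. The following script is an added example, not code from the article or from Recorded Future. It audits a small set of firewall rules against a “need-to-touch” list and flags rules that open more than that. All addresses, hosts and rules are constructed for the example; the model is deliberately simple (stateless rules, no precedence between allow and deny).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Everything below is constructed for this example: the MSP's management range
# uses a documentation prefix (TEST-NET-3) and the town's hosts are invented.
MSP_MGMT_NET = ipaddress.ip_network("203.0.113.0/24")

# "Need-to-touch" list: the only (host, port) pairs the MSP is contracted to reach.
NEED_TO_TOUCH: Set[Tuple[str, int]] = {
    ("10.20.1.10", 443),  # patch/RMM server over HTTPS
    ("10.20.1.11", 22),   # backup controller over SSH
}


@dataclass(frozen=True)
class Rule:
    """One stateless firewall rule; port=None means every port."""
    src: str
    dst: str
    port: Optional[int]
    action: str  # "allow" or "deny"


def _is_msp_allow(rule: Rule) -> bool:
    """True if the rule is an allow rule whose source covers the MSP range."""
    return rule.action == "allow" and ipaddress.ip_network(rule.src).overlaps(MSP_MGMT_NET)


def allows(rule: Rule, host: str, port: int) -> bool:
    """True if this rule lets traffic from the MSP range reach host:port."""
    return (_is_msp_allow(rule)
            and ipaddress.ip_address(host) in ipaddress.ip_network(rule.dst)
            and rule.port in (None, port))


def audit_msp_access(rules: List[Rule], need_to_touch: Set[Tuple[str, int]]) -> dict:
    """Compare the MSP's allow rules against the need-to-touch list.

    over_broad: allow rules that reach more than one approved host:port
                (a whole subnet, any port, or a host that is not on the list).
    uncovered:  approved pairs that no rule permits, i.e. the MSP could not do its job.
    Assumes a simple model with no rule precedence (hypothetical, not any vendor's semantics).
    """
    over_broad = []
    for rule in rules:
        if not _is_msp_allow(rule):
            continue
        dst = ipaddress.ip_network(rule.dst)
        approved = [(h, p) for (h, p) in need_to_touch
                    if ipaddress.ip_address(h) in dst and rule.port in (None, p)]
        if dst.num_addresses > 1 or rule.port is None or not approved:
            over_broad.append(rule)
    uncovered = sorted(pair for pair in need_to_touch
                       if not any(allows(r, *pair) for r in rules))
    return {"over_broad": over_broad, "uncovered": uncovered}


# A flat setup: the MSP can reach the whole internal /16 on every port.
FLAT_RULES = [
    Rule("203.0.113.0/24", "10.20.1.10/32", 443, "allow"),   # approved
    Rule("203.0.113.0/24", "10.20.0.0/16", None, "allow"),   # whole network, any port
    Rule("203.0.113.0/24", "10.20.1.12/32", 3389, "allow"),  # host not on the list
]

# A segmented setup: only the two approved pairs, then an explicit deny.
SEGMENTED_RULES = [
    Rule("203.0.113.0/24", "10.20.1.10/32", 443, "allow"),
    Rule("203.0.113.0/24", "10.20.1.11/32", 22, "allow"),
    Rule("203.0.113.0/24", "10.20.0.0/16", None, "deny"),
]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        result = audit_msp_access(rules, NEED_TO_TOUCH)
        print(f"{name}: {len(result['over_broad'])} over-broad rule(s), "
              f"uncovered: {result['uncovered']}")
```

Run against the flat rule set, the audit flags the subnet-wide rule and the RDP rule to an unlisted host, while reporting nothing uncovered, because the subnet-wide rule incidentally reaches the approved hosts too. The segmented set reports neither problem. The same check, rerun after each MSP change request, is a cheap way for a small organization to verify that its provider set segmentation up correctly rather than taking that on trust.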

Easier Next Time

Most organizations, Liska told Digital Privacy News, rely on their MSPs solely for network segmentation — and they don’t know “how to set that up or if their MSPs did it correctly.”

But perhaps the biggest danger from the Texas breach is that the systems could be attacked more easily in the future, Liska said.

“Once a victim becomes known, they see an increase in attempts to hit them with more ransomware,” he told Digital Privacy News.

“Especially in nation-state-backed attacks,” once an organization’s vulnerability is made known to a cyberattacker, he said, “it will make the organization very likely to be hit shortly again.”

Najmeh Tima is a writer based in Iran.

Questions on the Texas Data Breach

Texas officials declined repeated requests for comment from Digital Privacy News, so Allan Liska, an intelligence analyst with Recorded Future in Boston, provided some insight on the ransomware attack.

What happened to the data that was hacked in the ransomware attack? Was it put on the dark web?

“We don’t know if any data was stolen from the ransomware attack in Texas.

“The attack occurred before REvil set up its extortion site, so it may not have stolen any data.

“But if the attack were to happen today, there is no doubt data would be stolen and REvil would threaten to publish it if the ransom wasn’t paid.”

Did Texas officials pay for the ransomware keys to unlock the hacked systems?

“To the best of our knowledge, no. They claimed they didn’t pay and instead restored everything from back-up.

“The total ransom demanded was $2.5 million, which would have been a lot for small towns to pay.”

Did Texas officials restart the computers and reinstall everything?

“Yes, and then restored everything from back-up, as they claimed.”

Do Texas officials actually know what data was obtained?

“I don’t know the answer to that question. Again, it is possible that REvil did not steal any information.”

— Najmeh Tima

Sources (all external links):

Texas Department of Information Resources: