Breached Alaska Gov Systems Still Down—After 5 MONTHS

It’s been more than 20 weeks since a “sophisticated cyberattack” was detected at Alaska’s Department of Health and Social Services (DHSS). It seems likely that hackers compromised the network at least five months ago.

It’s believed attackers stole a wide range of private info. But even now, state officials appear hazy about how many Alaskans are affected.

And systems are still down. In today’s SB Blogwatch, we point to the culprit.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: iOS security still sucks.

The Last Frontier?

What’s the craic? Danny Palmer reports—“Four months on from sophisticated cyberattack, Alaska’s health department is still recovering”:

Still haven't been restored
As a result of the incident, an unknown number of people have potentially had their personal information stolen. This information could include full names, dates of birth, social security numbers, telephone numbers, health information, financial information and other data that could be exploited.

The potential breach of personal information has only just been revealed, despite the incident being first detected in May. … According to a DHSS statement, this was delayed until now to avoid interference with a criminal investigation. … No additional information is currently being revealed. However, DHSS does state this wasn’t a ransomware attack.

Four months on from the initial attack, some DHSS online services still haven’t been restored. … There’s no timeline for when they’ll be back.

Four months? Catalin Cimpanu makes it sound more like five—“Alaska discloses ‘sophisticated’ nation-state cyberattack on health service”:

All systems breached by the intruders remain offline
The attack, which is still being investigated, was discovered on May 2, earlier this year, by a security firm, which notified the agency. … The agency described the intruders as a “nation-state sponsored attacker” and “a highly sophisticated group known to conduct complex cyberattacks against organizations that include state governments and health care entities.”

Officials said they believe to have expelled the attacker from their network; however, there is still an investigation taking place into what the attackers might have accessed. … Notification emails will be sent to all affected individuals [but] “The breach involves an unknown number of individuals,” … officials said.

All systems breached by the intruders remain offline. This includes systems used to perform background checks and systems used to request birth, death, and marriage certificates. … Data stored on the DHSS network [that] could have been collected by the nation-state group, includes: …

  • Full names
  • Dates of birth
  • Social Security numbers
  • Addresses
  • Telephone numbers
  • Driver’s license numbers
  • Internal identifying numbers (case reports, protected service reports, Medicaid, etc.)
  • Health information
  • Financial information
  • Historical information concerning individuals’ interaction with DHSS.

Why target Alaska? Here’s the inside track, from JWoody907:

China, North Korea, and Russia
As … a state government employee, I’ll add … Alaska has not had the best track record with IT to begin with. Our IT department is iffy at best, and given that the state budget has had issues for 7 years, including cuts to services each year for most of a decade, I can speculate that there’s been some missed updates and upgrades in that time. Not to mention some talent has left for greener pastures.

And moving into the realm of pure speculation, if this was a nation-state actor, who are the most likely suspects? China, North Korea, and Russia top my list. What state is geographically closest to all three, a major air corridor for the Great Circle, and contains both a Global Missile Defense and air interception functions from major military bases? Alaska.

But was this actually a “sophisticated” attack? takionya speculates thuswise:

Lemme guess, someone opened a Microsoft Office document that came in an email attachment.

Surely it couldn’t be that simple? Jim Salter schools us:

Should be actively firewalled
What you may be missing is the likelihood that an organization hasn’t properly segmented their resources, and thus is more vulnerable to a pivot from the entry point. … We do know the attackers pivoted from a public-facing website to deeper in the network, which heavily implies a massive segmentation problem.

You shouldn’t trust your webserver, ever. It gets access to the data it absolutely one hundred percent needs to do its job, and it gets nothing else—it should be actively firewalled off from the rest of your network, in the same way that the Internet itself is actively firewalled off from your internal network. (This can be a very hard sell to both manager and director levels, not only because $$$, but because it’s just so damn convenient to be able to touch all the things.)
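Salter’s point about firewalling the web server off, as an added configuration example that is not part of the original post or of any quoted source: an nftables forward policy on the firewall between a DMZ and the internal network (interface names and addresses are constructed), where the public web server may reach only the database port it needs, and every other connection it attempts toward the internal network is logged and then dropped by the default policy.

```nftables
# Added example (not from the page). Assumed, constructed topology:
#   wan0  = Internet side
#   dmz0  = DMZ holding the public web server 192.0.2.10
#   lan0  = internal network 10.0.0.0/8, database at 10.0.5.20:5432
table inet dmz_policy {
    chain forward {
        # Default-deny: anything not explicitly allowed below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were already permitted.
        ct state established,related accept
        ct state invalid drop

        # Internet -> web server: only HTTPS.
        iifname "wan0" oifname "dmz0" ip daddr 192.0.2.10 tcp dport 443 accept

        # Web server -> internal network: ONLY the database, only its port.
        # This is the "data it absolutely needs" rule; nothing else follows.
        iifname "dmz0" oifname "lan0" ip saddr 192.0.2.10 \
            ip daddr 10.0.5.20 tcp dport 5432 accept

        # The weak, convenient setup that makes a pivot trivial would be
        # a blanket rule here, e.g.:
        #   iifname "dmz0" oifname "lan0" accept
        # Deliberately absent.

        # Any other DMZ -> LAN attempt is worth seeing in the SIEM:
        # log (rate-limited), then fall through to the drop policy.
        iifname "dmz0" oifname "lan0" limit rate 10/minute \
            log prefix "dmz-pivot-attempt: " level warn
    }
}
```

Load with `nft -f` on the firewall host; a web-server compromise then shows up as `dmz-pivot-attempt` log lines rather than as reachable internal services.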

With a slightly sarcastic PoV, DarkOx has this “translation”:

Cyrillic in a string
We know this happened because someone made a decision that every armchair expert will recognize as bad. And we haven’t a clue who is really behind it. But there was Cyrillic in a string so — RUSSIA.

Cue: The standard rant about using an SSN as ID. IllegitimateLobsterParty obliges:

Security is hard
Kill Social Security #s as a secret password. It is not secret and any competent entity can pretty much obtain anyone’s SSN or any other information (name, address, DOB, phone-number).

We all know security is hard but really there is no cost to change the status quo other than band-aids. So really this is what’s going to continue for a long time.

But what can be done? mi has a suggestion:

Invite help
Invite experts from Estonia. The little Baltic country had to defend its networks from Russian onslaught.

They succeeded too. Perhaps Americans ought to invite help of Estonia, a fellow NATO member.

Meanwhile, Urist scoffs at the offer of credit monitoring to affected Alaskans:

At this point everyone has 5–10 lifetimes worth of free credit monitoring.

And Finally:

Good grief! Apple still hasn’t fixed this lock-screen bypass in iOS 15

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Charlene—@moondelune (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
