A booby-trapped email message led to the massive data breach of South Carolina’s tax system over the summer, according to the latest timeline of events.
On Aug. 13, unknown perpetrators sent an email containing malicious code to “multiple” South Carolina Department of Revenue employees, according to a four-page report from Mandiant released Tuesday. “At least one” employee fell for the trick and opened the file, which infected the computer. It’s likely the malware had keylogging capabilities to intercept the employee’s username and password. IT security firm Mandiant has been investigating the breach and provided a detailed timeline of the attack in its report.
South Carolina made two major mistakes, according to Mandiant. State workers were not required to use multiple passwords when trying to obtain sensitive information and the state also did not encrypt sensitive tax data. Back when the state disclosed the breach, Nikki Haley, South Carolina’s governor, defended the lack of encryption, as the guidelines from the Internal Revenue Service did not require Social Security Numbers to be encrypted. The state had followed best practices, Haley had said at the time, asserting that “nothing could have been done” to stop the breach.
“Could South Carolina have done a better job? Absolutely, or we would not be standing here,” a better-informed Haley said at a press conference Tuesday.
South Carolina discovered Oct. 10 that attackers had accessed Department of Revenue systems multiple times in August and September and transferred database backup files to a remote computer. The compromised database contained tax records that had been electronically filed since 2002, although some records went as far back as 1998. About 387,000 credit and debit card numbers of residents, 3.6 million Social Security numbers, and personally identifiable information of 1.9 million dependents were exposed. All in all, around 80 percent of South Carolina residents and 657,000 businesses were affected.
It all began with a malicious email sent to multiple employees, which eventually resulted in 44 systems, used 33 pieces of malicious software and utilities, remotely accessed Revenue Department servers from at least four IP addresses, and used at least four valid department user accounts to carry out their nefarious activities, the report said.
After stealing login credentials, the attacker used the legitimate user data to use the Critix remote access service, Mandiant said. The attacker used the Citrix portal to log into the user’s workstation and escalated privileges in order to access other systems and database on the network. The attacker harvested account passwords on six different servers, executed an utility to steal passwords for all Windows user accounts, and opened a backdoor to the compromised machine.
The attacker copied database backup files to a staging directory on Sept. 12 and zipped them into an archive, Mandiant found. The archived database file was transferred to a remote machine back on Sept. 13, that she said does not require the encryption of Social Security numbers, creating what the governor dubbed a “cocktail of an attack,” Haley said.
“But what we can do is put so many layers in this process that it is awfully hard to get into.”
As this incident illustrates, and despite all the warnings, organizations are still failing to properly secure privileged access points.
According to security firm Cyber-Ark Software, attackers continue to breach the corporate perimeter through common attack methods such as phishing attacks, malware infected attachments, social engineering, and other methods. Once inside, Cyber-Ark said, cyber-attackers infiltrate privileged access points to gain access to additional servers, databases and other high value systems.
“For years, the discussion on securing privileged access points focused mostly on the insider threat and ensuring that only the properly credentialed had access to these power accounts. Sophisticated cyber-attackers understand the power and wide ranging access these accounts provide — which is why they continue to be the number one target in the majority of cyber-attacks,” Adam Bosnian, executive vice president Americas at Cyber-Ark said in a recent statemet.
“Unsecured critical access points are a threat to all sensitive corporate data and systems and represent the greatest security challenge most businesses will face. Identifying all privileged access points and locking them down should be a priority for any security and compliance conscious executive,” Bosnian added.