Illinois Attorney General Kwame Raoul, at the Thompson Center in Chicago on July 28, 2021, says the state did not pay a ransom to hackers who breached his office in April.
Antonio Perez / Chicago Tribune

Illinois Attorney General Kwame Raoul said he has spent more than $2.5 million in crisis management after a massive ransomware hack crippled the agency in April and potentially exposed gigabytes of personal and confidential records on the dark web.

The taxpayer money is being used to rebuild computer systems, notify individuals their personal information may be at risk and get the office fully back online following the April 10 attack, carried out under a name linked to a notorious gang of cybercriminals based in Russia.

The breach came just eight weeks after state auditors met with officials at the attorney general’s office to warn of deficiencies in the agency’s cybersecurity programs.

In the meantime, many of the basic functions of the office — including consumer complaints, public records disputes and financial aid for crime victims — are being conducted by mail and telephone as online access remains shut down. The office has established a call center to handle identity theft issues and other public inquiries.

In his first detailed interview about the attack, Raoul told the Tribune and the Better Government Association his office never considered paying the blackmail demand from the hackers. He declined to say the amount of the ransom demand or how it was conveyed because of the ongoing federal investigation.


“Notwithstanding whatever the amount was, it’s our philosophy as state head law enforcement agency that paying criminals is not something we do and not something we contemplate doing,” Raoul said during an hourlong interview Tuesday. He said federal authorities have also threatened to impose penalties for paying ransom.

He said he is unaware of any other state attorney general in the nation being attacked in a similar fashion, although hundreds of other government agencies have been compromised by recent attacks.

“Yes, it angers me. Yes, it frustrates me, and most certainly, it’s embarrassing to have it happen to your agency,” Raoul said.

Asked why it’s taking more than three months to fix, the Democratic attorney general said his office has been cautious amid an ongoing, complicated federal investigation. He said he did not want to “jinx our process” by predicting when the office would be back to normal.

“It’s important to do this the right way, that we don’t compromise the security of our network and our investigation,” he said. “And if we rush, we could find ourselves right back … where we are.”

Federal authorities in Washington are heading up the investigation, which also involves the Chicago offices of the Federal Bureau of Investigation and the U.S. attorney, according to a source familiar with the investigation.

Raoul said his office is still investigating how long the cybercriminals were in his system. He declined to discuss whether the thieves invaded the system before April 10.

On Jan. 29, roughly three months before the hack, Raoul’s office received a draft copy of a state auditor general investigation that put it on a list of what has now grown to 29 state agencies and universities with significant weaknesses in cybersecurity. Auditor General Frank Mautino’s report cited inadequate controls over equipment and weaknesses in cybersecurity programs and practices that were deemed a “significant deficiency.”

Officials in Raoul’s office discussed the findings Feb. 9 with auditor general officials and a private audit firm, according to the auditor general’s office.

The audit recommended a “formal risk assessment,” and officials within Raoul’s office issued a written response saying they had established a new position for a security analyst and emphasized the office “maintains a highly secure computer environment that safeguards confidential and personal information from attacks and unauthorized disclosure.”

In his interview, Raoul said it is nearly impossible to build an impenetrable wall.

“From an Apple manufacturer to a pipeline to federal governmental agencies to over 100 governmental agencies — many who have had superior or inferior cybersecurity protection have had their networks compromised,” he said. “I don’t think there is an entity out there who can claim that they are hack-proof.”

He said his office maintained safeguards based on evaluations of the system, including security monitoring, stringent network authentication requirements, firewalls and intrusion protection.

Since the breach, Raoul said, the office has had three training sessions, introduced staff to new protocols, and upgraded and restructured the computer network, saying the technology staff is “churning around the clock.”

After meeting with legislative leaders in the days after the breach, his budget got an $8 million boost. Much of it is expected to help the office recover from the attack and beef up cybersecurity. Along with his efforts to strengthen and rebuild the computer system, the attorney general said each of the agency’s nearly 800 employees is getting a new laptop and mobile phone. The office also is sending letters to people warning their personal information may be compromised.

The attorney general’s office provided copies of some contracts associated with the expenditures but redacted many of the details, citing ongoing law enforcement proceedings.

Parts of the contracts identify steps that could include “ransomware negotiation,” “bitcoin or other cryptocurrency payment” or “similar ransomware services.” Raoul said none of those options is being considered.

‘Their time to pay is over’

The ransomware attackers have posted messages online stating they had stolen a massive amount of data, about 200 gigabytes, from the attorney general’s office and threatening to release the files “progressively.”

The posts, which use the name DoppelPaymer, say many of the office’s confidential files already have been leaked onto a site created on the dark web.

“Below you can find private data of the companies which were hacked by DoppelPaymer. This companies decided to keep the leakage secret,” reads the grammatically incorrect message at the top of the leak site. “And now their time to pay is over.”

Raoul’s office confirmed in public notices that certain types of private information — such as Social Security numbers, medical information, driver’s license numbers or the identities of crime victims — could be at risk of being stolen by people savvy enough to use the right browser and website address.

Raoul said the investigation is still “trying to get to the bottom” of the identity of the group behind the ransomware demand.

“There are a lot of bad actors out there, and there are different bad actors that change their name,” Raoul said. “To really get to knowing who committed this (attack), it takes a very sophisticated investigation that doesn’t happen overnight.”

DoppelPaymer ransomware has been linked by French cybersecurity officials to Evil Corp, identified by federal authorities as a criminal organization headed by Maksim Yakubets of Russia. Yakubets has been accused of wire fraud and hacking in two separate federal indictments; the FBI and the U.S. Treasury Department have offered a $5 million reward for information leading to his capture.

Among his alleged victims: the Franciscan Sisters of Chicago in Homewood. An affidavit filed in federal court alleges a fraudulent bank transfer by Yakubets and associates of about $25,000 from their account in 2009.

Federal authorities estimate Yakubets’ total criminal earnings exceed $100 million. According to the U.K. National Crime Agency, he owns a Lamborghini with a personalized license plate that means “thief” in Russian.

British authorities say Maksim Yakubets, right, drives a customized Lamborghini supercar with a license plate that includes the Russian word for “thief.”

Treasury Department records also connect Yakubets to the Russian spy service that succeeded the KGB. Attempts to reach Yakubets were unsuccessful.

Anxiety over cyberattacks like the one that crippled Raoul’s office has reached around the globe. Targets of recent high-profile hacks include Colonial Pipeline, JBS Foods and Kia Motors, and one massive hack by another Russian organization affected more than 1,000 businesses over the July 4 weekend.

In a summit with Russian President Vladimir Putin in June, President Joe Biden applied pressure to crack down on the attacks, many of which are thought to have originated in the Russian Federation.

Five days after the April 10 hack, Raoul’s chief of staff, Nathalina Hudson, distributed to other senior attorney general officials an advisory from Treasury officials that warned against paying cybercriminal groups, including Yakubets and Evil Corp.

A copy of the warning, obtained through a public records request, cited Evil Corp and the Yakubets-created malware known as Dridex, which federal officials say was used in major attacks in 40 countries.

The warning said it will “impose sanctions on these actors and others who materially assist, sponsor, or provide financial, material, or technological support for these activities.”

Determining whether the AG hack is linked to Yakubets and his associates is difficult in part because Evil Corp has begun to offer ransomware as a service to other actors.

A 2019 indictment describes a model in which the company contracts out its ransomware services for an upfront payment of $100,000 and 50% of all revenues with a minimum of $50,000 a week in earnings.

The federal indictment also names Evil Corp’s botnet administrator, Igor Turashev, as offering his technical services for hire. Like Yakubets, he is wanted by the FBI on charges of conspiracy, wire and bank fraud.

Igor Turashev, 40, left, is named in a federal indictment as offering ransomware services for hire. He and associate Maksim Yakubets, 34, at right, are wanted by the FBI on charges of conspiracy, wire and bank fraud.

Local governments often vulnerable

The attack on the attorney general’s office is part of a spate of recent breaches at local government agencies.

Since 2019, the Rockford Public School District, La Salle County and Heartland Community College have all been breached, and a spokeswoman for Southern Illinois University said the university paid $472,000 in ransom after a 2019 breach caused the computer system at the Edwardsville campus to go offline temporarily.

Heartland Community College was hacked during the pandemic in 2020, temporarily shutting down online classes that students depended on. College spokesman Steve Fast estimated it took about a week to get systems back online. Some personal data was involved, and the college offered identity protection services to affected individuals, Fast said.

The college has budgeted more than $1 million to upgrade its systems, Fast said.

The Rockford school district was hit by ransomware in 2019. Attendance, transportation and financial records were among the systems affected, according to Jason Barthel, who handled the school’s technology and computer systems at the time of the attack.

Barthel, who has worked in cybersecurity for more than two decades, estimated the district got basic functionality back within a month. He said it took about eight months before everything was fully restored.

He said the Rockford school district spends about $1.5 million a year to protect itself from future attacks.

“I think people are starting to understand, really, the importance of it,” Barthel said.

Andy Green, a security and privacy researcher at Kennesaw State University in Georgia, said government agencies are often attractive to hackers because they are viewed as soft targets without the staff required to protect their network, and they are also backed by taxpayer dollars and insurance.

Adam Ford, chief information security officer at the Illinois Department of Innovation and Technology, testified before a state House panel about cybersecurity weaknesses earlier this month.

“Local government is less resourced and prepared to deal with this than state government is. State government is less resourced than the federal government,” he told lawmakers.

Rep. Lamont Robinson, D-Chicago, who led the cybersecurity committee hearing, has set a goal of making Illinois a national model for stopping thieves from stealing identities and money from government websites.

At the July 15 hearing, Jennifer Ricker, acting secretary of the Illinois Department of Innovation and Technology, said: “The sophistication and scale of malicious cyber activity taking place within the last year has increased in frequency and severity. What we’re seeing now is really well organized criminal and nation-state actors that are successfully exploiting vulnerabilities in systems and networks worldwide.”

The hearing came only two weeks after the Tribune reported the Illinois Department of Employment Security was late to adopt fraud-fighting tools pushed by federal officials and then struggled with a flood of fake claims that diverted money intended for Illinois workers who were laid off during the pandemic.

Some other state legislatures, including North Carolina, Pennsylvania and Texas, have filed bills to limit ransomware payments by government agencies in recent months. Some, such as New York, go further, proposing to ban anyone from paying such ransoms.

There is a bill at the federal level that would provide financial support to federal, state, local and tribal governments, as well as private entities, affected by a cyberattack.

In Illinois, the state auditor general’s office has also reported breaches at the Department of Human Services and the Department of Healthcare and Family Services.

Despite the severity of the attack on his office, Raoul said the breach “hasn’t brought the attorney general’s office to a grinding halt.”

Since the hack, he said, his lawyers have conducted six civil trials in federal court and continued to work on criminal cases, including a downstate murder trial and cases of gun trafficking and internet crimes against children.

Raoul said his consumer complaint section is handling some issues in person and its hotline is still functioning. In addition, the office set up to deal with public records disputes is accepting complaints and taking action on cases, he said.

“I am proud of my staff,” he said.

He said the “silver lining” of the attack is that other agencies can better prepare to defend themselves.

“Am I in any way saying that I can ensure that this will never happen again? I can’t say that,” Raoul said. “I don’t think anybody can say that.”

Here are some of the key contracts Raoul’s office has signed to address the ransomware attack:

Moxfive, a Virginia cybersecurity company: $840,000 to restore the office’s data, records and computer servers from backup files and to provide other consultant services.

Rust Consulting, a Minnesota firm: $356,000 to set up a call center and send up to 5 million letters in response to the breach.

Express Services Inc., a global staffing company: $175,000 to provide payroll services that were compromised.

CrowdStrike, a California company: $138,000 to conduct a forensic audit.

TransUnion, a major credit monitoring company based in Chicago: $50,000 to provide identity protection to citizens who call to complain about compromised data.

Arete Advisors, a Florida consulting company: $13,700 to perform “forensics investigative services” and to help unlock data.

Tribune’s Jason Meisner contributed to this report.

rlong@chicagotribune.com