[BreachExchange] North Dakota government fiber provider hit by ransomware

Destry Winant destry at riskbasedsecurity.com
Tue May 5 10:17:01 EDT 2020


https://statescoop.com/north-dakota-government-fiber-provider-hit-maze-ransomware/

The company that operates a fiber optic network that supports
statewide and local government entities across North Dakota was a
victim of a recent ransomware attack that included some of the firm’s
files being published on a website that attempts to shame victims into
paying.

Dakota Carrier Network is a consortium of 14 independent broadband
companies across the largely rural state that collectively own more
than 40,000 miles of fiber and counts among its customers STAGEnet, a
network shared by the state government and about 400 other
public-sector entities, including city, town and county governments;
K-12 schools; libraries; and the state university system. But early
last Sunday morning, DCN learned its internal systems had been
infected with ransomware.

DCN’s chief executive officer, Seth Arndorfer, said the attack was
detected about 1:18 a.m., but that the organization was able to
respond quickly.

“We quickly shut everything down and restored all of our data from the
most recent tape backup, which was Friday, April 24,” he told
StateScoop in an email.

On Thursday, though, DCN learned that some of its files had been
posted on the website operated by the hackers behind the Maze
ransomware, which has popularized the tactic of stealing and
publishing victims’ data in hopes of extracting a payout. Arndorfer said
the attackers only stole administrative data.

“It seemed that we were able to shut it down before they were able to
get to any user data,” he said.

A zip file available on the Maze website contains invoices, payroll
information, vendor lists, password-reset requests and customer
profiles, though no sensitive personal information like Social
Security numbers appears to have been exposed. The breach also
included at least one photograph of Queen lead singer Freddie Mercury.

“As always, it’s impossible to say what else they may have obtained,”
said Brett Callow of the cybersecurity firm Emsisoft, which tracks
global ransomware activity. “They seem to start by publishing old and
less sensitive documents, presumably so as not to lessen the victims’
incentive to pay.”

The North Dakota Information Technology Department did not respond to
a request for comment, but Arndorfer said DCN’s “authorized contacts
with the State of North Dakota have all been notified of the
situation” and that there was no disruption to its fiber services,
which reach about 164,000 customers across the state.

According to research published this week by Microsoft, Maze
frequently targets IT providers and public service providers. It is
sometimes delivered via a phishing email, though the hackers behind
it are also known to use brute-force attacks targeting known
vulnerabilities in Microsoft’s Remote Desktop Protocol.

Microsoft’s research also found that ransomware actors, including
Maze, have increased their attacks against critical services like IT
and health care as the COVID-19 pandemic has spread across the globe.
Arndorfer said that activity on DCN’s network has increased between 25
percent and 30 percent over the past five weeks.

