
Extent Of Ransomware Hack Of Attorney General Remains Uncertain

A recent audit of Kwame Raoul's office found "significant deficiency and noncompliance​" in its cybersecurity programs and practices.

Illinois Attorney General Kwame Raoul said his office was working closely with federal law enforcement and technology experts to figure out how it was hacked and "what we can do to ensure that such a compromise does not happen again." (AP Photo/Seth Perlman, File)

CHICAGO — Illinois Attorney General Kwame Raoul admitted for the first time this week that his office — which often advises people on ways to protect themselves from identity theft and fraud — had suffered a ransomware attack earlier this month, exposing the personal data of an as-yet-unknown number of residents.

Three days after the April 10 discovery of the hack, Raoul issued a statement saying his office's networks had been compromised to an unknown extent.

On April 21, several gigabytes of files apparently taken from the attorney general's office were uploaded to a dark web website called Dopple Leaks, which contains "private data of the companies which were hacked by DoppelPaymer," a ransomware gang.


"This companies decided to keep the leakage secret. And now their time to pay is over," the website says.

The site claims about 200 gigabytes of "confidential information will be progressively uploaded" from its hack of the attorney general's office. So far, the uploaded records appear to be authentic and include a mix of publicly available and private information.


On Thursday, Raoul's office issued a public notification of the hack, which described the breach as a "ransomware attack that has compromised the office's network."

State law requires businesses and institutions to notify residents when their information has been compromised by a data breach, so the attorney general's office posted a public notice saying officials were unaware of what was stolen.

But it noted the hacked material could include the names, addresses, social security numbers, account numbers, health insurance, tax, medical, driver's license and "other such information as necessary," according to the notice.

"While we do not yet know with certainty what was compromised in the ransomware attack, we are working closely with federal law enforcement authorities and outside technology experts to determine what information was exposed, how this happened, and what we can do to ensure that such a compromise does not happen again," Raoul said in the statement.

"This process will take time, but I understand that members of the public may have questions now, which is why I am establishing a toll-free hotline and making information available online," Raoul said.

People can call the hotline at 833-688-1949 during business hours; it will be staffed by a consulting company, according to the attorney general.

"I am committed to transparency throughout this very sensitive process and will continue to provide updates that do not jeopardize the progress of our ongoing investigation or the security of our network," he said.

Files from the Illinois Attorney General's Office were uploaded on April 21 onto a dark web site called Dopple Leaks. (Screen capture)

First reported in April 2019, DoppelPaymer ransomware software is believed to be the work of EvilCorp, a cybercrime group based in Russia, according to security firms.

According to a December 2020 FBI alert about the software, it has targeted hospitals, 911 centers and educational institutions, locking police and fire personnel out of city or county computers.

And a September 2020 attack on a German hospital resulted in one patient having to be re-routed to another facility 20 miles away. The patient later died, although German authorities did not blame the hackers for the death after determining the person was already so ill they would likely have died anyway.

The FBI reported the DoppelPaymer ransomware gang is one of the first whose hackers call up victims in an attempt to talk them into making payments. They have also been among the first to threaten to publicly post hacked documents, rather than simply encrypting them and demanding payment for their release.

"In one case an actor, using a spoofed US-based telephone number while claiming to be located in North Korea, threatened to leak or sell data from an identified business if the business did not pay the ransom," according to the FBI.

An audit of the Illinois Attorney General's Office completed in February and covering the two years ending on June 30, 2020, found a "significant deficiency and noncompliance" when it comes to "weaknesses in cybersecurity programs and practices" in Raoul's office.

"Office management indicated a comprehensive internal cybersecurity risk assessment was not performed due to competing priorities within the Information Technology (IT) Bureau," according to the audit.

"The lack of adequate cybersecurity programs and practices could result in unidentified risk and vulnerabilities which ultimately leads to the Office's confidential and personal information being susceptible to cyber-attacks and unauthorized disclosure."

The attorney general's office issued a response saying it accepts the recommendation to conduct a comprehensive risk assessment and "emphasizes that it maintains a highly secure computer environment that safeguards confidential and personal information from attacks and unauthorized disclosure."

Those safeguards were evidently insufficient to protect against the ransomware gang.

"Further," Raoul's office asserted, "the Office's cybersecurity programs and practices are administered by a staff of highly proficient information technology professionals with decades of experience related to cybersecurity, network and database administration, application development, and security administration."

The upload of the documents onto the Dopple Leaks site was first reported by cyberintelligence news site The Record. The auditor general's findings about cybersecurity weaknesses in the attorney general's office were first reported by the Chicago Tribune.

Patch has asked Raoul's office when officials learned the breach was a ransomware attack and whether the office had ever performed a risk assessment of its cybersecurity practices, as the audit recommended.

"Our ability to provide certain information is limited at this time," a spokesperson told Patch, "as we restore the integrity, security and confidentiality of the office's computer network and seek not to compromise an ongoing investigation."
