
Dallas County Searches for Stolen Data on Dark Web

County officials are trying to determine whether the data that was stolen and leaked in October includes personal information about employees or residents. The ransomware group Play took credit for the Oct. 19 incident.

(TNS) — Dallas County officials said Tuesday that they are examining files stolen by hackers and posted on the dark web but remain unclear about whether the stolen data includes personal information about employees or residents.

The ransomware group Play says it hacked into Dallas County’s network and has posted some of the stolen information on the dark web. The post threatens a full release if there is “no reaction.”

Play demanded a ransom, which county officials have not disclosed, and the county appears not to have paid it.

“We are currently in the process of thoroughly reviewing the data in question to determine its authenticity and potential impact,” a county statement said. “As the investigation progresses, when our review determines personal information has been involved, we will notify the affected individuals directly.”

The state requires that organizations report system breaches that affect 250 or more Texans within 30 days of discovery. According to the state data breach database, Dallas County has not reported a breach.

Murat Kantarcioglu, a computer science professor at the University of Texas at Dallas, reviewed some of the pilfered files posted on the dark web. He found arrest records that include dates of birth, arraignments, court orders for mental evaluations and DNA analysis related to court cases. He is unsure how many individuals were affected.

“The attack was real,” he said. “I don’t know how much they exfiltrated, but these are legitimate files.”

While he hasn’t reviewed all of the files, Kantarcioglu said most of what he’s seen is publicly available information.

Joe Kingland, CEO of Blue Team Alpha, a cybersecurity company based in St. Paul, Minn., said this ransomware group has been a real threat to several countries.

Play emerged in 2022, attacking organizations in the U.S., Argentina and Switzerland. The ransomware group has hit Oakland, Calif., where several network systems were down for days; shut down systems and services of an Argentine local judicial system; and published a Swiss newspaper’s employee information on the dark web after the media group refused to pay.

“They’ve hit hundreds of different organizations across the world,” Kingland said.

County officials told The Dallas Morning News that hackers with stolen credentials tried to infiltrate the county network on Oct. 19 at 3 a.m. Staff received an alert of suspicious activity and shut down the system. That morning, every user was required to change their passwords.

While the county may have kicked the hackers out of the county system mid-attack, cybersecurity experts have told The News that they could have still stolen information before the shutout.

The ransomware group posted on the dark web nine days later that they had stolen Dallas County information but waited to release any of the purloined data until Tuesday.

Very little information on the impact, subject and details of the cyber attack has been released. The county’s statement last week said that there is no evidence that hackers still have access to county systems, but further investigation is ongoing.

“Given these measures and findings, it appears at this time that the incident has been successfully contained and that Dallas County’s systems are secure for use,” the statement said.

According to the county, security measures that stopped the hackers mid-attack include requiring multifactor authentication for remote access to the network, forcing frequent password changes for all users, monitoring devices accessing the network and reviewing potentially malicious IP addresses attempting to access or remove content from the county network.
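The controls the county lists, together with the 3 a.m. credential-based login and the possibility that data left before the shutdown, map onto a small detection routine. What follows is an added illustration for readers, not Dallas County’s tooling and not anything the article describes in code: a Python triage over constructed remote-access log lines that flags remote logins without MFA, off-hours logins from a source address the user has never used, and sessions with unusually large outbound volume. The key=value log format, the business-hours window, the egress threshold and the rule names are all assumptions made for the example.

```python
"""Triage of remote-access logs for three signals: a remote login without
MFA, an off-hours login from a new source IP, and large outbound transfer.

Added example; not Dallas County's tooling. Log format, thresholds and
rule names are assumptions, and the log lines below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (assumed key=value format). The last three lines
# model a credential-based login at 3 a.m. from an unfamiliar address,
# followed by a large pull from a file share.
SAMPLE_LOG = """\
2023-10-18T09:12:03 user=alice src=198.51.100.7 service=vpn mfa=yes result=success bytes_out=120000
2023-10-18T14:40:51 user=bob src=198.51.100.9 service=vpn mfa=yes result=success bytes_out=80000
2023-10-19T02:58:40 user=bob src=203.0.113.45 service=vpn mfa=no result=failure bytes_out=0
2023-10-19T03:00:12 user=bob src=203.0.113.45 service=vpn mfa=no result=success bytes_out=0
2023-10-19T03:21:47 user=bob src=203.0.113.45 service=fileshare mfa=no result=success bytes_out=6500000000
"""

BUSINESS_HOURS = range(6, 20)        # assumption: 06:00-19:59 local is normal
EGRESS_THRESHOLD = 1_000_000_000     # assumption: >= 1 GB per session is abnormal
REMOTE_SERVICES = {"vpn"}            # assumption: services where MFA is mandatory


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    service: str
    mfa: bool
    success: bool
    bytes_out: int


def parse_line(line: str) -> Event:
    """Parse one '<iso timestamp> k=v k=v ...' line into an Event."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(
        ts=datetime.fromisoformat(ts),
        user=kv["user"],
        src=kv["src"],
        service=kv["service"],
        mfa=kv["mfa"] == "yes",
        success=kv["result"] == "success",
        bytes_out=int(kv.get("bytes_out", "0")),
    )


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def triage(events: list) -> list:
    """Return (timestamp, user, rule) findings in chronological order.

    The per-user baseline of known source IPs is built only from earlier
    MFA-backed successful logins, so a login made with stolen credentials
    and no second factor never makes its own address 'known'.
    """
    known_ips = defaultdict(set)
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not ev.success:
            continue
        stamp = ev.ts.isoformat()
        if ev.service in REMOTE_SERVICES and not ev.mfa:
            findings.append((stamp, ev.user, "remote_login_without_mfa"))
        if ev.ts.hour not in BUSINESS_HOURS and ev.src not in known_ips[ev.user]:
            findings.append((stamp, ev.user, "offhours_login_new_ip"))
        if ev.bytes_out >= EGRESS_THRESHOLD:
            findings.append((stamp, ev.user, "large_egress"))
        if ev.mfa:
            known_ips[ev.user].add(ev.src)
    return findings


if __name__ == "__main__":
    for stamp, user, rule in triage(parse_log(SAMPLE_LOG)):
        print(f"{stamp} {user} {rule}")
```

Against the constructed log the routine produces four findings, all for the 3 a.m. session: the VPN login without MFA, two off-hours logins from the never-seen address, and the 6.5 GB pull from the file share. The baseline rule is the part worth copying: if the attacker’s address were added to the known set after the first successful login, the later exfiltration session would look like a returning user.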

Kingland questioned whether these measures were fully implemented at the time of the attack. If every user was required to verify a login through another device, he said that would stop most cyber attacks.

“Multifactor authentication will stop an extremely high amount of attacks — in the 90th percentile,” he said. “If they got in through leaked credentials from a third party, it should have stopped that.”

Among other cybersecurity tips, Dallas County told employees in an internal email last week to monitor their credit scores for suspicious activity and consider placing a freeze on credit reports or setting up fraud alerts.

“While our goal is to be transparent and forthcoming with information relating to the incident, we do not want to make premature assumptions about the extent of impact or other details, which may evolve as the forensic investigation advances,” the Thursday email said.

The county emailed employees Tuesday about another mandatory password change, calling it a “proactive measure.”

Kingland pointed to other cyber attacks in the area: the City of Dallas attack in April, when hackers stole more than 800,000 files, and the Dallas Central Appraisal District’s November 2022 Election Day attack, which froze employees’ access to computers, email and the website.

He said that he wishes governments spent more money on cybersecurity before an attack.

“They’re not gonna prioritize it until it’s hitting them right in the mouth,” Kingland said.

©2023 The Dallas Morning News, Distributed by Tribune Content Agency, LLC.