Experts: Florida County Should Have Reported 2016 Hack

The ransomware attack against the Palm Beach County Supervisor of Elections Office in 2016 was left unreported until the incident was made public earlier this month. Experts say that’s several years too late.

(TNS) — Is three years too long to learn that a ransomware attack happened at the Palm Beach County Supervisor of Elections Office? Yes, say cybersecurity and IT experts.

In the wake of the dispute over the cyberintrusion at the county elections office, The Palm Beach Post asked a series of security professionals to weigh in on the revelation of the Zepto virus exposure in September 2016.

"Not only should they report this, they should understand that just because everything seems normal it might not necessarily be," said Silka Gonzalez, founder of ERMProtect in Coral Gables. "Even if a hacker is already inside your network and passively stealing your information everything in your workplace is going to look normal and 'business as usual.' These things don't come with sirens and red lights."

The scrutiny over Zepto and its purported encroachment by an unknown entity through an elections office computer in the weeks before the 2016 presidential vote has been a source of controversy. This month, current Supervisor of Elections Wendy Sartory Link revealed the previously unknown cyberattack via a Zepto virus. The severity of the episode, however, has been disputed by her predecessor, Susan Bucher.

So, what is Zepto, and how does it work?

Resist the urge to grab your facemask: Zepto isn't like the coronavirus. Rather, it's a type of ransomware virus that typically infiltrates a system through a phishing email, the sender posing as a seemingly legitimate source.

Gonzalez noted that Zepto is a "very aggressive cryptolocker" and a variant of a virus called Locky, which peaked in 2016.

"People often assume (ransomware means) someone actively hacked in," said Alan Crowetz, president and CEO of West Palm Beach-based InfoStream, Inc. "It generally means someone within the organization was tricked."

The virus is then launched when the recipient clicks on a link or an attachment, which "effectively grants the ransomware permission to go in and begin encrypting the files on your system," said Paul Debogorski, owner of Corvinus IT Solutions in Jupiter.

The virus renames typical office files with a ".zepto" extension, rendering them inaccessible without an encryption key.

"Almost always it means the hacker is not in your stuff. They've scrambled your stuff, but they're not actually seeing your data," Crowetz said. "I can't break into your car, but I can put a clamp on your tire and make you pay me."

A ransom is demanded of the victim to get this encryption key needed to regain access to files and data — something the U.S. government does not recommend anyone pay.

"Sometimes (victims will) pay the ransom and get the key to decrypt the files, and other times (bad actors will) just take the money and run," Debogorski said.

Unless the ransom is paid, encrypted files that aren't saved on a backup are lost. The best way to stop such a virus from spreading is to turn the computer off or disconnect it from the network and WiFi, Debogorski said.

"If you get to it quickly enough, if you have an effective backup system ... and also if you train your staff as well to spot phishing emails ... you can minimize the impact," he said.
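The behaviour the experts describe above, mass renaming of office files to a ".zepto" extension, leaves a very visible trace in file-activity logs, and a burst of such renames from one workstation is the signal a defender would alarm on and the moment to pull that machine off the network and reach for the backups. The script below is an added example, not code from the article or from any of the firms quoted; the log line format, host names, user names, file paths and the burst thresholds are all constructed assumptions.

```python
"""Flag a ransomware-style rename burst (files renamed to a ".zepto" extension)
in file-activity log lines.

Added example. The log format below is an assumption, not the elections
office's actual logging; the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format:
#   <ISO timestamp> <host> <user> RENAME <old_path> -> <new_path>
SAMPLE_LOG = """\
2016-09-20T10:02:11 WS-07 jdoe RENAME C:\\Users\\jdoe\\Documents\\budget.xlsx -> C:\\Users\\jdoe\\Documents\\A1B2C3.zepto
2016-09-20T10:02:12 WS-07 jdoe RENAME C:\\Users\\jdoe\\Documents\\memo.docx -> C:\\Users\\jdoe\\Documents\\D4E5F6.zepto
2016-09-20T10:02:12 WS-07 jdoe RENAME \\\\FILESRV\\shared\\roster.docx -> \\\\FILESRV\\shared\\778899.zepto
2016-09-20T10:02:13 WS-07 jdoe RENAME \\\\FILESRV\\shared\\minutes.docx -> \\\\FILESRV\\shared\\AABBCC.zepto
2016-09-20T10:02:14 WS-07 jdoe RENAME \\\\FILESRV\\shared\\plan.xlsx -> \\\\FILESRV\\shared\\DDEEFF.zepto
2016-09-20T10:15:40 WS-03 asmith RENAME C:\\Users\\asmith\\draft_v1.docx -> C:\\Users\\asmith\\draft_v2.docx
2016-09-20T11:30:05 WS-03 asmith RENAME C:\\Users\\asmith\\old.zepto -> C:\\Users\\asmith\\notes.txt
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) RENAME (?P<old>.+?) -> (?P<new>.+)$"
)

# Extension the article names; a deployment would extend this set.
RANSOM_EXTENSIONS = {".zepto"}

# Assumed thresholds: five renames to a ransom extension within one minute.
THRESHOLD = 5
WINDOW = timedelta(seconds=60)


def extension(path):
    """Return the lower-cased extension of the last path component ("" if none).
    Handles both backslash and slash separators without relying on os.path."""
    name = re.split(r"[\\/]", path)[-1]
    _, dot, ext = name.rpartition(".")
    return "." + ext.lower() if dot else ""


def parse_events(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "host": m.group("host"),
            "user": m.group("user"),
            "old": m.group("old"),
            "new": m.group("new"),
            "ext": extension(m.group("new")),
        })
    return events


def detect_rename_bursts(text, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per (host, user) whose renames to a ransom extension
    reach `threshold` within `window`. The alert lists the original file
    names so the responder knows what to restore from backup."""
    per_actor = defaultdict(list)
    for ev in parse_events(text):
        if ev["ext"] in RANSOM_EXTENSIONS:
            per_actor[(ev["host"], ev["user"])].append(ev)

    alerts = []
    for (host, user), evs in per_actor.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "host": host,
                    "user": user,
                    "count": end - start + 1,
                    "first": evs[start]["ts"],
                    "last": evs[end]["ts"],
                    "paths": [e["old"] for e in evs[start:end + 1]],
                })
                break  # alert once, at the moment the threshold is crossed
    return alerts


if __name__ == "__main__":
    for a in detect_rename_bursts(SAMPLE_LOG):
        print(f"ALERT {a['host']}/{a['user']}: {a['count']} renames to a ransomware "
              f"extension between {a['first']} and {a['last']}; originals: {a['paths']}")
```

On the constructed sample, the five renames from WS-07 within three seconds trigger a single alert, while the ordinary `draft_v1.docx` to `draft_v2.docx` rename and a file being renamed away from `.zepto` do not. The alert deliberately carries the pre-encryption file names: that list is what turns Debogorski's "effective backup system" into a concrete restore job.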

Both former and current election chiefs — Bucher and Link, respectively — have said the office did not pay a ransom after the 2016 ransomware attack.

Link said the incident happened on a computer at the main headquarters on Military Trail, encrypting Microsoft Word documents and Excel spreadsheets. Officials said voter information was not impacted, and that servers were immediately shut down, preventing the attack from spreading.

The email that delivered the virus was opened by an employee. It purported to be from the employee's bank, Bucher told the Post Editorial Board on Feb. 14. Bucher has not accepted a Post reporter's multiple interview requests since Link first disclosed the incident on Feb. 12.

Bucher, in speaking to the Post's editorial board this month, said that she was reassured that the virus was contained behind a strong firewall.

But a firewall isn't necessarily a "silver bullet that would protect them from everything," said Richard Forno, assistant director of the University of Maryland-Baltimore County's Center for Cybersecurity.

"If the firewalls are not scanning for email, having a firewall is not protecting you against that type of threat," Forno said.

Gonzalez, founder of ERMProtect, added that "if firewalls were so awesome," she'd be out of a job and her company's services would not be needed.

"A firewall is as useful as a Swiss Army knife in a nuclear war," Gonzalez said.

Bucher also told the editorial board that the virus was "quickly contained" and caused two people to lose their work product.

Bucher added she did not inform anyone outside the elections office because the pertinent state official was a part-time worker who did not provide assistance when issues came up in weeks prior. Besides, Bucher said, they weren't aware of any election hacking threats at the time and did not feel that, as an isolated attack, the issue was grave enough to inform federal agencies.

Current elections chief Link disagrees.

"That isn't the way it happened," said Link, who was not in office at the time of the attack, but relied on corroboration from several current employees. "Numerous people from many different departments have said they lost files."

Cybersecurity officials say these days phishing attempts are not so much targeted as they are spread far and wide.

"It's usually very passive, meaning they're not targeting them specifically," Crowetz said, adding that the phishing attempt that plants the virus sends it to "tons and tons of people and see who nibbles the bait."

It's difficult to figure out who is behind the attacks, why they happen and where they come from, Forno said.

"The question of attribution in cyberspace is one of the perennial questions we have yet to answer," he said.

It's possible for attackers to mask their locations, he added, making it seem as if they're operating from somewhere they're not.

But even though this particular virus that reached the elections office was limited in what it could do — encrypting files and demanding ransom — "it is something that the public should know about," Debogorski said.

A similar misstep with a more dangerous virus could "open the proverbial floodgates," he said.

"This one itself couldn't really do much beyond encrypting the files and asking for the ransom, but there are scores of other viruses that transmit themselves (through phishing or a link)," Debogorski said. "They were lucky that it happened to be this one, where it didn't allow them to go in and make any sort of alterations."

Gonzalez called it "fortuitous" that the attack occurred weeks before an election, and likened the opportunity bad actors had to the Yahoo data breaches that impacted all of its users' accounts, in which the company "had been hacked for several years without even knowing that their data was being passively stolen for years."

Crowetz said accountability is "a sign of IT maturity."

"No one wants to brag that they got a black eye," he said.

Notifying someone outside the impacted agency has at least one benefit, said Total Digital Security's Brad Deflin, but he isn't certain whether the office should have reported the incident.

"The reporting is very useful because we have to know the extent of this crime and where it's happening, and raise awareness so people are aware and more preemptive," Deflin said. "In many reported ransomware (cases) ... there was a huge lack of awareness all the way up to the top."

Forno also erred on the side of being more cautious — maybe there isn't a need for a press release or conference, but the incident could have been written up in a report.

"A lot of factors go into why they may or may not want to publish or disclose," he said, listing reasons like eroding public trust, embarrassment or political finger-pointing.

Ron Labasky, general counsel and executive director of Florida Supervisors of Elections, said Bucher wasn't necessarily in the wrong for not reporting the incident.

"It was apparently an assessment by the supervisor and her staff that this was not anything that compromised any security issue, didn't compromise any information that could cause any impact on the registration system and certainly not the voting," Labasky said.

"Should a police department or sheriff's office tell everybody every time they write a ticket?" he added.

The awareness of the potential for these types of attacks has gone up since 2016. The Florida Department of State has offered so-called cybernavigators to shore up security of all 67 supervisors of elections, and other resources are being made available ahead of the 2020 elections.

Today, the situation would likely be handled differently.

"I think probably at this point in time, you would have such a more coordinated understanding and effort of this issue that you would probably have a reporting of an incident of that nature," Labasky said.

©2020 The Palm Beach Post (West Palm Beach, Fla.) Distributed by Tribune Content Agency, LLC.