IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Illinois AG Office Hit by Ransomware After Security Warning

In February, a state audit indicated that the Illinois Attorney General's Office lacked proper cybersecurity protections. Three weeks ago, the office suffered a ransomware attack.

Illinois Attorney General Kwame Raoul
Illinois Attorney General Kwame Raoul speaks at a hearing on Sept. 23, 2019, at the Michael A. Bilandic Building in Chicago.
Erin Hooley/Chicago Tribune
(TNS) — A state audit released earlier this year warned that Illinois Attorney General Kwame Raoul’s office had a “weaknesses in cybersecurity” that potentially left sensitive information on the agency’s computer network “susceptible to cyber attacks and unauthorized disclosure.”

Three weeks ago, a hack resulted in data being stolen from the attorney’s office in a ransomware attack, Raoul acknowledged in a statement Thursday.

A ransomware gang known as DoppelPaymer is believed to be behind the attack, in which some data from the attorney general’s office was posted online.

Ransomware is malicious software that infects a computer system. Those behind ransomware then demand money to allow the system to work properly again.

“While we do not yet know with certainty what was compromised in the ransomware attack, we are working closely with federal law enforcement authorities and outside technology experts to determine what information was exposed, how this happened and what we can do to ensure that such a compromise does not happen again,” Raoul said in a statement.

The office said “work is taking place around the clock to rebuild” its computer network.

Gov. J.B. Pritzker said at an unrelated event in St. Clair County that the attorney general’s office operates on “a completely separate platform from the rest of state government” and sought to assure residents the issue is not more widespread.

“Nobody should be afraid that state government systems are under attack today,” Pritzker said.

A routine audit prepared last year and released in February noted that the attorney general’s office, which represents the state in court and is involved in consumer protection issues, “maintains computer systems that contain large volumes of confidential or personal information such as names, addresses and Social Security numbers of the citizens of the state.”

The audit, prepared for the state auditor general by accounting firm West & Co., found that the agency “had not performed a comprehensive formal risk assessment to identify and ensure adequate protection of information (i.e., confidential or personal information) most susceptible to attack” and “had not classified its data to establish the types of information most susceptible to attack to ensure adequate protection.”

The office told auditors its information technology department didn’t do a “comprehensive internal cybersecurity risk assessment ... due to competing priorities,” according to the report.

“In addition, the coronavirus pandemic further delayed IT initiatives since March 2020,” the report says.

The attorney general’s office didn’t dispute the findings but told auditors it “administers its cybersecurity system as though all data in its possession is at high risk and susceptible to attack.”

The office has not commented publicly on the effect the recent breach has had on day-to-day operations, but its civil rights division cited the attack this week in asking a federal judge for more time to file a response in a matter related to the ongoing consent decree governing operations at the Chicago Police Department.

“On April 10, 2021, the state learned that the computer network in the attorney general’s office had been compromised,” the court filing says. “As a result of this incident, counsel for the state have been unable to access work product and research.”

Brett Callow, a threat analyst with cybersecurity firm Emsisoft, said ransomware attacks on government agencies have become more common in the U.S. in recent years.

In each of the past two years, at least 113 government bodies, from the federal level down to municipalities, were hit with ransomware attacks, according to a report from Emsisoft.

In the past, hackers would encrypt data and demand that companies or governments pay to have it unlocked, Callow said. More recently, they’ve begun releasing data online to apply more pressure.

This is not the first time hackers have compromised state computer networks. In 2016, a breach of the state’s voter registration database by Russian hackers compromised the personal data of 76,000 Illinois residents. The incident was detailed in the special counsel Robert Mueller’s report on Russian interference in that year’s presidential election.

©2021 Chicago Tribune, Distributed by Tribune Content Agency, LLC.