5 Things To Know About The Preliminary Exam Of The Suffolk Cyberattack
County Executive Steve Bellone says the breach could have been thwarted where it started in the county clerk's office. Find out why.
HAUPPAUGE, NY — The Sept. 8 cyberattack that all but crippled Suffolk government, forcing officials to shut down web services, began last holiday season with hackers breaching the clerk's office's network, where they moved about undetected for eight months before creating credentials to the county's IT department in late August, according to County Executive Steve Bellone.
However, there were numerous opportunities to thwart the attack had the clerk's IT department, which bypasses the county's main firewall, been centralized with the county's, had its director implemented key security features, and had critical information not been withheld, Bellone told reporters Wednesday, citing a preliminary forensic examination of what led to the cyberattack.
Bellone didn't name the clerk's IT director, but he was later confirmed by an aide as Peter Schlussler. Schlussler has since been placed on paid leave and denied doing anything wrong, according to published reports.
He told The Wall Street Journal in an emailed statement that the warnings from the FBI about attack indicators were sent to Suffolk but were not acted on, and that his office attempted to buy a firewall from Palo Alto Networks in June, but the request was blocked.
“No one is perfect with decision-making in the highly complex technological world … however, I do know I did my absolute best by trying to bring awareness to the cyber issues that me and my team witnessed over the course of the year,” he said.
Neither Clerk Judith Pascale's office nor Schlussler responded to a request for comment.
Here are five takeaways from Bellone's news conference:
1. The cyberattack happened a year to the day after an IT supervisor in Pascale's office was arrested on governmental corruption charges that he ran a Bitcoin operation from the clerk's office in Riverhead. Chris Naples, a Mattituck resident who has been on paid leave since his arrest, has been accused of using 46 separate media hardware devices to support equipment hidden in the walls. The operation took up a massive amount of electricity, raising the temperature in the clerk's office by 20 degrees, and disrupted the computer connectivity of staff, Bellone said.
2. The Bitcoin operation might explain why a $1.4 million VxRail upgrade, allowing IT centralization and purchased in 2019, was not implemented, according to Bellone. But, although the county IT department designated the upgrade a priority, one year later it was not in place, Bellone said. "So why would this security hardware not be installed?" Bellone asked. "The most obvious explanation — if you're Chris Naples, the architect of the clerk's IT environment running an illegal Bitcoin mining operation, you're not going to want outside vendors and other internal IT folks moving things around." In January 2022, the hackers installed Bitcoin-mining software in the clerk's office that went undetected, Bellone also said. The VxRail upgrade is still not installed, according to Bellone.
3. The U.S. Department of Homeland Security also warned of a Log4j, or Java, vulnerability in December 2021, and it was not acted on, Bellone said, adding the vulnerability is what allowed hackers to enter the county's system.
4. On July 13, the hackers got into a digital folder called "Iron Key" that contained sensitive information, including passwords, and moved to the "domain controller" using the name of Naples, Bellone said. County officials "cannot be certain" what was in the "Iron Key" folder because it was deleted on Sept. 29, 21 days after the cyberattack, according to Bellone. At that point, the hackers were shut out of the system and the county's IT department did not have access to it either, Bellone said, adding, "So, who deleted the 'Iron Key' folder and why?"
5. On Sept. 2, Schlussler asked the county's IT department, and again on Sept. 7 asked the executive branch, whether there had been any activity on the bogus account set up in Naples' name, Bellone said. "The question now is how far back did the clerk IT director know this and who else in the county?" Bellone said. "The account was created on July 12, and the first time this issue was raised with the county is the Friday of Labor Day weekend, just days before the attack."
County spokeswoman Marykate Guilfoyle told The New York Times that officials do not know of a connection between Naples and the cyberattack.
Patch has reached out to Naples' attorney, Bill Keahon of Hauppauge, for comment.
District Attorney Ray Tierney said his office has received the results of the county’s "examination of the events relating to the cyberattack" and investigators will continue to work with the Federal Bureau of Investigation and Suffolk police in "the ongoing criminal investigation."
"Thankfully, my office had additional internet technology defenses in place, so that no criminal prosecutions were compromised," Tierney said. "I thank the county, the legislature and the various department heads for their ongoing remediation efforts."
Suffolk government's web-based applications were breached in what officials later described as a ransomware attack on Sept. 8. Officials announced in late November that the driver’s license numbers of nearly 500,000 people, who were issued violations in the county's police district, meaning the area patrolled by Suffolk police outside villages, were possibly exposed.
The area of exposure dates back to 2013.
Current and former county employee information was also compromised in the attack.