Monroe County confirms ‘BlackSuit’ as intruder in cyberattack, investigation continues

Illustration by AI (DALL·E 3) of the investigation into the cyberattack on Monroe County government servers.

In a news release issued mid-afternoon on Monday, Monroe County government has confirmed an “intrusion” into its computer network from a source called “BlackSuit.”

The cybersecurity breach shut down the county government for the whole week last week—from Monday, July 1 through July 5.

A third-party vendor is helping the county investigate the incident.

Monroe County government was open for business on Monday July 8, with network servers fully operational, according to an email sent to employees by the county’s chief technology officer, Greg Crohn.

It’s still not clear if any information was compromised. The news release states: “While we are actively looking into this matter with the help of third-party specialists, we do not yet know the extent of data that may have been affected.”

The news release adds that so far, “the evidence suggests that no employee sensitive information has been misused in any way.”

But the news release also says, “As this is still early in the investigation, we yet do not know if vendor or public users personally identifiable information (PII) has been subject to unauthorized access. If PII has been subject to unauthorized access, we will provide the necessary notice required to protect those affected.”

The news release also provides contact information for credit reporting agencies for employees who want to “lock their credit down.” The news release gives contact information for reporting fraud to the three biggest credit reporting agencies in the U.S.—Equifax, Experian, and TransUnion.

According to the news release the county government has provided all the information that it is able to release to the public: “We have shared all the information we can now. This is an active investigation at this time, so we are limited in our communications.”

Monday’s confirmation from Monroe County that there was an intrusion, and the identification of BlackSuit as the intruder, was not a surprise, given the cybersecurity alert that was included in last Wednesday’s regular emailed newsletter from Indiana’s DLGF (Department of Local Government Finance)—even though the DLGF did not name the local government in question.

CYBER THREAT ADVISORY

Alert: An Indiana local government office experienced a cybersecurity attack that utilized BlackSuit ransomware and may be linked to the Royal Spider cybercriminal organization, which operates from the Russian Federation. Royal Spider is known for developing and deploying this type of ransomware.

BlackSuit Ransomware: BlackSuit Ransomware is categorized as a Royal Ransomware. Royal Ransomware is often delivered via email as a .zip attachment and can affect servers, virtual servers and workstations. For more detailed information on Royal Ransomware, please visit https://www.cisa.gov/newsevents/cybersecurity-advisories/aa23-061a

Responding to a question from The B Square, DLGF director of communications Jenny Banks emailed last week to say: “We [DLGF] were not provided with the name of the government unit that had the attack.” Banks added, “The Indiana Office of Technology tracks incidents, and provided us with the general information.”

Under state law, the Indiana Office of Technology (IOT) is the agency to which local units have to report cybersecurity incidents within 48 hours.

Responding last week to a B Square question about whether Monroe County government had reported a cybersecurity incident to the IOT, the IOT’s director of communications, Graig Lubsen, wrote, “IOT doesn’t comment on the status of local government IT operations.”

According to a joint cybersecurity advisory (CSA) issued in November 2023 by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), since September 2022, Royal—the class of ransomware identified by the DLGF—has been used to target over 350 known victims worldwide.

According to the joint CSA, Royal conducts data exfiltration and extortion before encryption and then publishes victim data to a leak site, if a ransom is not paid. According to the CSA, phishing emails are among the most common ways that Royal gets access to systems.
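The DLGF alert above says Royal ransomware is often delivered as a .zip email attachment, and the joint CSA says phishing email is among the most common ways it gets in. The following is an added example, not code from the article, the county, or CISA, of the kind of check a mail gateway or triage script can run on an inbound message: it parses the message with Python’s standard `email` library, locates zip attachments, lists what is inside each archive, and quarantines the message when the archive comes from an outside sender or contains executable file types. The domain `example-county.test`, the sender addresses, and the archive contents are all constructed for the example.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Hypothetical internal mail domain, constructed for this example.
INTERNAL_DOMAIN = "example-county.test"

# File types that commonly carry executable content when hidden inside an archive.
EXECUTABLE_EXTS = {".exe", ".dll", ".js", ".vbs", ".lnk", ".bat", ".ps1", ".scr", ".hta", ".iso"}


def sender_is_external(msg):
    """True when the From: address is not in the internal domain."""
    addr = parseaddr(msg.get("From", ""))[1].lower()
    return not addr.endswith("@" + INTERNAL_DOMAIN)


def inspect_zip(payload):
    """Return (member_names, executable_members) for a zip payload,
    or (None, None) when the bytes are not a readable zip archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return None, None
    executable = [n for n in names if any(n.lower().endswith(e) for e in EXECUTABLE_EXTS)]
    return names, executable


def assess_message(raw):
    """Parse one raw RFC 822 message and decide whether to allow or quarantine it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = {"external_sender": sender_is_external(msg), "zip_attachments": [], "verdict": "allow"}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Match on the declared filename or on the zip local-file-header magic bytes.
        is_zip = name.endswith(".zip") or payload.startswith(b"PK\x03\x04")
        if not is_zip:
            continue
        members, executable = inspect_zip(payload)
        findings["zip_attachments"].append(
            {"filename": name, "members": members, "executable_members": executable}
        )
    if findings["zip_attachments"]:
        risky_contents = any(z["executable_members"] for z in findings["zip_attachments"])
        if findings["external_sender"] or risky_contents:
            findings["verdict"] = "quarantine"
    return findings


def build_sample(sender, attach_name, zip_members):
    """Construct a sample message carrying an in-memory zip attachment (test data only)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "payroll@" + INTERNAL_DOMAIN
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in zip_members:
            zf.writestr(member, b"constructed content")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=attach_name)
    return msg.as_bytes()


if __name__ == "__main__":
    # Outside sender, archive hides an executable behind a double extension.
    print(assess_message(build_sample("vendor@external.test", "invoice.zip", ["invoice.pdf.exe"])))
    # Internal sender, ordinary document inside the archive.
    print(assess_message(build_sample("hr@" + INTERNAL_DOMAIN, "forms.zip", ["form.pdf"])))
```

The policy here is deliberately conservative: any zip from outside the organization is held for review, and a zip from anyone is held if it contains executable file types, since the archive's listing is cheap to obtain and a double extension like `invoice.pdf.exe` is visible there before anything is opened.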