When the FBI Calls to Say Your State Has Been Hacked By Iran
Indianapolis, Indiana Shutterstock
Indiana CIO Dewand Neely shares how his state came to be named in “one of the largest state-sponsored hacking campaigns ever prosecuted.”
BALTIMORE — One month ago, the Justice Department charged nine Iranians with hacking into hundreds of research institutions, public sector entities and private companies on behalf of the country’s Islamic Revolutionary Guard Corps. Among the organizations that the Justice Department ticked off in a statement that called it “one of the largest state-sponsored hacking campaigns ever prosecuted,” were two states: Hawaii and Indiana.
From Indiana’s standpoint, the March 2017 attack that would be named a year later by the Justice Department as the work of an agent of a foreign government didn’t stand out from thousands of other attacks against their network.
“It fit the description of your normal script kiddie that would just find all your email addresses somewhere and see if they could log in with them using some sort of a password list,” Indiana’s Chief Information Officer Dewand Neely told Route Fifty. “We’ve seen it many times before and so we have flags that look for that type of behavior and let us know.”
Indiana treated it as a “routine” cyber event, taking standard steps to ensure no email addresses had been compromised, and moved on.
They would only revisit the incident when a call came from the National Security Division of the FBI’s New York Southern District five months later to tell the state they believed a sophisticated actor was behind the attack as part of a larger campaign.
“At that time, nothing around Iran was mentioned,” Neely said.
The FBI was interested in the details of the attack, as well as how Indiana had addressed it. Similarly, Indiana looked to the FBI to learn more about the campaign and the tactics of the hackers who attempted to breach their system. Indiana also brought in outside experts after the notification from the FBI to ensure they had not missed anything in their initial remediation and continuing defense of their network.
Neely said his team has a “good working relationship” with the FBI, and the incident has made him reflect on some of their previous conversations.
“It’s something that they say every time we meet: ‘just make sure you let us know about every little thing no matter how minute you might think it be’ because you never know when it’s going to be a larger campaign like this ended up being.” Neely said.
The problem with that, though, is states are attacked thousands of times a day, and sharing information is not a straightforward process. Despite lots of organizations to share information among various public and private sector organizations, it is no simple task.
“There’s some ways to go, especially to make [sharing threat data] more automated,” Neely told me when we asked him what could be improved in the future. “I think the system today is still heavily manual, and so it takes someone being at the wheel at all times and making sure things go out.”
For Hawaii’s part, their state Chief Information Officer Todd Nacapuy and Chief Information Security Officer Vincent Hoang released a statement when the FBI announced the charges similarly stating they had noticed “unusual activity involving thirty-seven email accounts” and acted quickly to resolve the situation. They said the emails did not contain confidential information according to the departments, and “computer systems where confidential information is stored was not breached.”
Below is the full interview with Dewand Neely at NASCIO’s 2018 Midyear Conference:
Mitch Herckis is Senior Director of Programs at Government Executive’s Route Fifty and is based in Washington, D.C.
NEXT STORY: How Hackers Could Cause Chaos on America's Roads and Railways