Weeks before the election, the National Guard was called up to thwart cyberattacks in Louisiana
The Louisiana National Guard was called in to stop a series of cyberattacks that have targeted small government offices across the state in the past few weeks, according to two people with knowledge of the events, drawing attention to the cyber threat.
The situation in Louisiana follows a similar case in Washington state, according to a cybersecurity officer familiar with the matter. A hacker infected some government offices there with a type of malware that locks systems and demands a ransom to regain access.
Senior US security officials have been warning since 2019 that ransomware poses a threat to the US election. An attack on certain government agencies could disrupt the systems required to administer the election.
It’s unclear whether the hackers were targeting systems tied to the Louisiana election or whether they were simply hoping for payment. However, the attacks raised alarm because of the damage they could have caused and because there is evidence that a sophisticated group of hackers was involved.
Experts investigating the incidents in Louisiana found a tool used by the hackers that was previously linked to a group affiliated with the North Korean government, according to a person familiar with the investigation.
This tool has been described as a remote access trojan (RAT) that can be used to infiltrate computer networks. However, cybersecurity analysts who investigated this RAT, known as “KimJongRat”, say that some of its code was posted to a computer virus repository where hackers could copy it, making the North Korean association less certain.
While officials in several government offices in northern Louisiana were successfully compromised as part of the campaign, the cyberattack was halted in its early stages before significant damage was done, according to two people familiar with responding to the incident.
The Louisiana National Guard declined to comment on the incidents. A spokesman for Louisiana State Police said they were called in to investigate the cyberattacks but declined to comment. The governor’s office said it had no comment on an ongoing investigation.
Tyler Brey, a spokesman for the Louisiana Secretary of State, said Louisiana is a “top-down state” with election data stored centrally in the Secretary of State’s office, which can make it easier for election officials to recover from cyberattacks.
One person familiar with the events stated that the hacker’s aim was to infect computers with ransomware, but added that it was difficult to determine because the attack was stopped in its early stages.
If so, Louisiana would not have been the first state. Over the past year, several U.S. cities have been victims of ransomware, including incidents in Baltimore, Maryland, and Durham, North Carolina.
The big question
Jen Miller, deputy director of threat intelligence at US cybersecurity firm Palo Alto Networks, tracked a group of hackers using KimJongRat last year. She said it was “atypical” for the group she studied to conduct a cyber operation for financial gain.
A previous cybersecurity research report by Luxembourg-based company iTrust Consulting in 2013 found that KimJongRat was written using Korean computer code that contained references to the family members of the North Korean leader.
Emotet, an increasingly popular Trojan horse used against banks, was also used by the attackers and found on computers in Louisiana. When employees were hacked, their email accounts were sometimes captured by the hackers in order to send malware to other coworkers.
On October 6, the Department of Homeland Security’s cybersecurity division, known as CISA, issued a warning stating that Emotet had been used against numerous local government offices across the country.
In recent cases of cyber criminals targeting local government offices in the run-up to elections, such as in Washington, US officials are working with tech companies like Microsoft Group to try to understand whether the hackers have ties to foreign intelligence agencies in Russia, Iran, China and North Korea.
“This is a very interesting question and something we are delving into and trying to find data, information and insights that would help us understand this better,” Microsoft Vice President Tom Burt said in a recent interview.
“There are a small number of criminal groups that are responsible for the majority of the ransom attacks and so we are working to understand who they are, how they are organized, who they work with and where they operate from,” added Burt.
Microsoft is among a select group of cybersecurity firms helping respond to the attacks in Washington, where, according to a person familiar with its response, it has been offering free cybersecurity software to local government officials until the election.
A Microsoft spokesman declined to comment on the company’s work there.