
Monroe County confirms ‘BlackSuit’ as intruder in cyberattack as investigation continues – The B Square

Illustration of AI (DALL·E 3) investigating the cyberattack on Monroe County government servers.

In a press release issued Monday afternoon, the Monroe County government confirmed a “break-in” into its computer network by a source known as “BlackSuit.”

Because of the breach, county government operations were crippled for all of last week, from Monday, July 1, through Friday, July 5.

A third-party contractor is assisting the county in investigating the incident.

Monroe County government offices were open on Monday, July 8, and network servers were fully operational, according to an email sent to employees by county engineering director Greg Crohn.

It is not yet clear whether any information has been compromised. The press release states: “Although we are actively investigating this matter with the help of external specialists, we do not yet know the extent to which data may have been affected.”

The press release goes on to say that the “evidence to date suggests that confidential employee information was not misused in any way.”

However, the press release also states: “Because the investigation is still in its early stages, we do not yet know whether personal information of vendors or public users has been accessed without authorization. If personal information has been accessed without authorization, we will provide the information necessary to protect those affected.”

The press release also lists contact information for the three largest credit reporting agencies in the United States, Equifax, Experian and TransUnion, for employees who want to "back up" their credit or report fraud.

According to the press release, the county government has provided all information it can make available to the public: “We have shared all information that is currently available to us. The investigation is ongoing at this time, so we are limited in our communications.”

Monday's confirmation from Monroe County that there had been a break-in, and that BlackSuit was the intruder, came as little surprise: a cybersecurity alert had already appeared last Wednesday in the regular email newsletter of Indiana's Department of Local Government Finance (DLGF), even though the DLGF did not name the local agency involved.

NOTICE ON CYBER THREATS

Alert: A local government office in Indiana was the victim of a cyberattack that used the BlackSuit ransomware. The attack may be linked to the Royal Spider cybercriminal organization, which operates out of the Russian Federation. Royal Spider is known for developing and deploying this type of ransomware.

BlackSuit Ransomware: BlackSuit Ransomware is classified as Royal Ransomware. Royal Ransomware is often delivered via email as a .zip attachment and can affect servers, virtual servers, and workstations. For more information about Royal Ransomware, visit https://www.cisa.gov/newsevents/cybersecurity-advisories/aa23-061a

Responding to a question from The B Square, Jenny Banks, communications director for DLGF, wrote in an email last week: "We (DLGF) have not learned the name of the government agency that was attacked." Banks added: "The Indiana Office of Technology is tracking the incidents and has provided us with the general information."

Under state law, the Indiana Office of Technology (IOT) is the agency to which local entities must report cybersecurity incidents within 48 hours.

In response to The B Square's question about whether Monroe County government had reported a cybersecurity incident to the IOT, IOT communications director Graig Lubsen wrote last week, "The IOT does not comment on the status of local government IT operations."

According to a joint cybersecurity advisory (CSA) from the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), most recently updated in November 2023, Royal, the ransomware family named in the DLGF notice, has been used since September 2022 against more than 350 known victims worldwide.

According to the joint CSA, Royal actors exfiltrate data and extort victims before encrypting systems, then publish the stolen data on a leak site if the ransom is not paid. The CSA also identifies phishing emails as the most common method Royal actors use to gain initial access to victim networks.