Texas Office of Court Administration (OCA) Director of Information Resources Casey Kennedy was on hand to discuss the May 2020 ransomware attack that hit Texas courts in the early morning hours, while IT staff were asleep. It affected servers at each of the state’s two high courts and at its 14 intermediate appellate courts, Kennedy explained.
Hackers likely used a phishing campaign to take over a regular user email account, then used a zero-day exploit to grant the account administrator-level privileges. From there, they moved laterally to find a juicier target.
“We could watch them jump from server to server until they found our domain controller … the machine that stores all your usernames and all your passwords,” Kennedy said.
Attackers then attempted to introduce a variety of viruses, but the anti-virus thwarted most attempts — until perpetrators switched to a more subtle, living-off-the-land style attack.
Attackers opened the Notepad application and suspended it in memory to stop it running. They next wrote a virus into Notepad in memory and then unsuspended it, Kennedy said. This tricked the system into thinking it was just running a legitimate program — Notepad — when in truth it was now running a virus. Perpetrators were then able to deploy the virus throughout computers on the network.
There was one silver lining, though. Following a cyber incident, the non-IT sides of government tend to become newly receptive to cybersecurity proposals and abandon complaints about defense measures causing friction. That mindset lasts about six months, Kennedy said, and is an opportunity to push through policies like strong password requirements, mandatory multifactor authentication (MFA) and automatic installation of new software updates.
Today the question isn’t if or even when organizations will be hit by a cyber attack, but how bad the damage will be, which makes planning for resilience essential, one state IT leader said during the panel.
A variety of measures can also help reduce the chances and severity of attacks, with Kennedy recommending layered defenses, network segmentation, mock phishing campaigns to raise staff’s alertness and moving toward zero trust.
Speakers also pointed to NCSC resources, including its Joint Technology Committee’s regularly scheduled cyber webinars.
This article is excerpted from a longer report in Government Technology, sister publication to Industry Insider — Texas.