Emergency dispatchers taking down 911 calls by hand, unable to use their geolocation technology for callers. Police officers radioing in crime scene details, rather than emailing reports to headquarters. Office workers resorting to fax machines.
For weeks this fall, the government of Suffolk County was plunged back into the 1990s after a malicious ransomware attack forced it largely offline. A frantic push to counter the threat hobbled the county, as officials disabled email for all 10,000 civil service workers and scrubbed infected hardware, seeking to stem fallout from compromised computer systems.
More than two months after the attack, some of the gears that run much of Long Island are still stubbornly mired in a cybermorass. It is a situation that experts say not only reveals the county’s vulnerability but also presents an ominous warning for a nation unprepared for crippling online threats.
The full scope of the damage is still emerging: Just last week the county announced that in addition to the data it had already believed had been stolen, more personal information, including driver’s license numbers linked to 470,000 moving violations, had potentially been exposed.
The crisis began on the morning of Sept. 8, when the county’s antivirus software — the systems that alert to cybersecurity threats — started “pinging,” said Lisa Black, the chief deputy county executive. This indicated that the online systems that thread through more than 20 county agencies, from the police department to the Department of Social Services to the division of soil and water conservation, were under attack. The incursions set in motion a shutdown to thwart whatever was worming its way through the county’s operating system.
“We train for these events, just the way we train for the pandemic,” Ms. Black said. “By 4 p.m. that day, we made a decision: We were just going to turn off the internet to further contain this.”
Since 2017, more than 3,600 local, tribal and state governments across the country have been hit by ransomware hackers, according to the Multi-State Information Sharing and Analysis Center, an organization that seeks to improve the United States’ cybersecurity posture.
The measures taken to stem the attack in Suffolk County snarled the government’s most essential functions. Wire payments to some of its thousands of contractors were temporarily suspended, so financial information could not be cribbed as it flowed through the county’s computers. Binders of staff phone numbers, landline phones and old fax machines were dusted off.
“We are going to revert to 1990,” Ms. Black said, describing the thinking at the time. “We are going to teach millennials what a fax machine was.”
Almost every corner of county government has had to pivot, in ways both cumbersome and retro:
The police turned back to finicky radio transmission to call in incidents, rather than emailing reports from tablets at the scene, said Noel DiGerolamo, president of the Suffolk County Police Benevolent Association, which represents Suffolk County Police Department officers.
Payments to contractors were made with paper checks, each signed personally by the comptroller and his senior staff.
Title searches, recently made accessible online during the pandemic, were taken offline again. They remained inaccessible for almost a month, grinding some real estate transactions to a halt without access to essential records. At the county’s request, Gov. Kathy Hochul, a former Erie County clerk, sent 125 computer terminals to the clerk’s office in Riverhead. There, a secure system was set up for title searches in a corner of the employee cafeteria.
Fearful that 911 response times would lag as dispatchers were left unable to use computer-aided dispatch systems that automatically locate and record callers, the county reached out to the state’s centralized emergency response center. New York City sent 10 of its dispatchers to the county call center in Yaphank to pitch in until the system could be restored. It was back online Sept. 22.
According to Steve Bellone, the Suffolk County executive, the attacks were carried out by BlackCat, a professional hacking outfit also known as ALPHV, which steals sensitive data and threatens to release it if a ransom is not paid. The organization has rampaged worldwide, penetrating a wide range of targets, from Italy’s state-run electric utility to a Florida university to a United States defense contractor.
Officials said no ransom was paid but would not reveal any other details about the case, in part because of the ongoing criminal investigation by the Suffolk County district attorney and the Federal Bureau of Investigation.
Shortly after the hack, the attackers posted about their Suffolk spoils on the dark web, according to DataBreaches, a website that monitors such incidents. “Extracted files include Suffolk County Court records, sheriff’s office records, contracts with the State of New York and other personal data of Suffolk County citizens,” a poster purporting to be from BlackCat wrote, DataBreaches said.
Though the hackers claim to have made off with four terabytes of data, Ms. Black said that so far, officials know of only two individuals whose personal information has been publicly released. Just before Thanksgiving, the county said it would offer identity protection services like credit monitoring, free of charge to affected people.
The success of the attack revealed vulnerabilities in the way that the county conducted its business online, said Colin Ahern, New York State’s first chief cyber officer, who was appointed in June. But he praised the county’s readiness: Since 2019, it had poured $6.5 million into cybersecurity initiatives and conducted a simulation for hackings like this one.
But weaknesses remained: For example, two-factor authentication, an added layer of protection for online accounts that has become standard in the business world, was not in use. It is now in place.
Adding to its vulnerability, Suffolk, like many counties, was running on so-called legacy systems, outdated platforms that many municipalities do not know how to or cannot afford to modernize, said Benjamin Voce-Gardner, the director of the Office of Counter Terrorism for the New York State Division of Homeland Security and Emergency Services, which has been assisting with the response.
After the attack, Mr. Bellone increased the county’s 2023 operating budget by $9 million to fund cybersecurity measures. And last month, Kevin J. McCaffrey, the presiding officer of the Suffolk County Legislature, announced the creation of a committee with subpoena power to investigate the causes of the hack.
“They’ve tried to characterize this as just yet another kind of catastrophe they’ve had to confront, not unlike Hurricane Sandy or even Covid,” said Mr. McCaffrey. “Hurricane Sandy and Covid were acts of nature. This is a failure to go ahead and be proactive.”
Indeed, some county officials had voiced concerns over the state of the county’s security well before the attack and said they had been rebuffed. In June, Judith A. Pascale, the outgoing county clerk, requested a separate firewall for her office, concerned her office’s data was vulnerable.
Emails between Ms. Pascale and Scott Mastellon, the county’s information technology commissioner, appear to show the specific request was rejected. The emails were first reported by Newsday and obtained by The New York Times. (The county disputed the characterization and said that it offered an equivalent technology but the clerk’s office did not use it.)
“I am not the boy that’s cried wolf,” said Ms. Pascale. “People, this is a global problem.”
Others defended the county’s response to the current crisis: “This is an attack by an adversary who wants to sow distrust and chaos to leverage that to steal taxpayer dollars,” said Michael A.L. Balboni, president and managing director of RedLand Strategies, which led a training exercise in 2019 for county leaders. In the wake of the hack, Mr. Balboni’s firm was rehired to provide guidance.
“At the local government level you don’t have the resources or ability to respond to what amounts to nation-state style attack — and it’s unrealistic to expect them to,” Mr. Balboni said.
Today, some services in Suffolk County are still scrambled, with no real sense as to when they will be fixed. The county website is just a list of contacts. It is still not possible to pay parking tickets and most moving violations in person or online, and late fees have been waived. The last remaining email accounts for county employees were restored by early November, but several officials said all past correspondence has vanished. (Ms. Black said there are ways to access it.)
At his office in Riverhead, the county comptroller, John M. Kennedy Jr., still spends a chunk of many days signing checks by hand.
“It was a lesson learned, and a very expensive lesson,” he said. “And we learned very quickly of the investment that we had to make in cybersecurity all along.”