The weekend hacking of Idaho state treasurer websites was part of a much broader — and apparently continuing — “mischief” attack that probed websites for security holes to deface pages.
But the intruders who attacked the sites in Idaho and elsewhere did not otherwise compromise site security, and did not get access to databases with user information.
Nor would visitors to the four affected treasurer sites actually have seen the hacked pages unless they called them up by exact name. Those pages, intended to replace each site’s home page, were uploaded via a security exploit, but other security settings prevented users from being automatically redirected to them, the office said Tuesday.
The group known as Team System Dz hijacks webpages to post pro-Islamic State messages. It publicized its most recent successful hacks on a Facebook page, until the page was taken down Tuesday afternoon, and on a site that tracks website defacements.
Besides Idaho, government sites in Washington, Maryland, Ohio, California and New York have had their home pages hijacked. The defacements began over the weekend and new ones were still being reported Tuesday afternoon.
“It looks like it was a distributed attack. It wasn’t focused on one specific entity,” said Lance Wyatt, the state’s chief information security officer. The exploit used by the hackers “wasn’t specific to a weakness as it was to particular technology that is being used.”
Wyatt said threat intelligence services coordinated through the U.S. Department of Homeland Security notified the state Sunday of the hacker activity. That information was relayed to information technology personnel at the Treasurer’s Office, who removed the intruder pages Monday. One security patch has been applied and another is pending.
“This was considered a web defacement, which in itself is low-risk,” Wyatt said, describing it as the “digital equivalent of graffiti.”
“There was no information, no data that was exposed,” he said.
The Idaho Supreme Court’s website was similarly defaced in 2014.
More seriously, a hacker last August accessed personal data for 6.5 million users in Idaho and three other states via a third-party licensing system used to issue fishing and hunting permits. Idaho’s system was taken down for three months while security was strengthened. No one was charged in that data breach.
In March, another attack on an outside vendor contracted by the state resulted in 170,000 Department of Labor job-seeker accounts being compromised. That investigation is continuing.
Gov. Butch Otter named the state’s first information security director for cybersecurity earlier this month. The appointee, Jeffrey Weak, starts Aug. 1.