Anne Arundel County’s Office of Information Technology is working as quickly as possible to shut down online services that contain a software vulnerability that an unidentified group of hackers exploited over the weekend.
The hackers have targeted Ultimate Kronos Group, a multinational human resources management company that helps businesses keep track of hours worked, pay and time off. Experts suspect UKG was hacked using an Apache Log4j software vulnerability, but the company has not yet confirmed this.
The company owns a software product called TeleStaff that Anne Arundel County’s Chief Digital Officer Rick Napolitano said is used in the county to help fire and police personnel track their hours. They are now tracking their hours on paper as the team decides the best course of action.
“We are falling back to a manual process instead of an automated process. But it’s not really deterring services,” Napolitano said.
The county is having to take cues from UKG, which has released little information about the cyberattack beyond saying that it is a ransomware attack and that it could take weeks to resolve the issue.
“We are working with leading cybersecurity experts to assess and resolve the situation, and have notified the authorities. The investigation remains ongoing, as we work to determine the nature and scope of the incident,” UKG Executive Vice President Bob Hughes wrote in a statement on the company’s website. He suggested that customers start looking for comparable services to use in the meantime.
It’s not yet clear how the hackers are interacting with Anne Arundel County data.
“We don’t know whether the hacker just encrypted the data, so they can’t use it, or whether they’re accessing the data,” Napolitano said.
The Maryland Department of Health is also dealing with a cyberattack that started Dec. 3. Napolitano said he doesn’t know if the incidents are connected, but the hackers may be exploiting the same software vulnerability.
“The unfortunate thing is this particular set of code is used in hundreds of thousands of devices. It’s all over. In everything, everywhere — refrigerators, PCs, HVAC systems — it’s just everywhere,” he said.
However, not all devices that use Apache Log4j code are susceptible. Only devices that use a certain version of the code are, which has left the county’s Office of Information Technology scrambling to analyze everything it uses that contains the code to see whether it uses the susceptible version.
“The impact to the county right now is on a tool that we use, but the hack is not directly on the county,” Napolitano said. “My biggest fear is that they would use that same exploitation, so we went out and we’re doing scans of all of our networks to find out where this tool in this particular version is being used and we are in the process of shutting all of those down.”
UKG has not identified the hackers, but there are some likely culprits.
“It could be a nation state, a Russia, a China. It could be commercial hackers on a large scale. Exploiters are out there looking for things all the time, so they’re looking for people dedicated to investigating opportunities to exploit software. It’s a full-time job,” Napolitano said.
UKG hasn’t yet announced how it plans to approach the attack or whether it is going to pay the ransom. But Napolitano said it may have limited choices.
“That’s always the question: Do I pay the ransom or do I not pay the ransom? Sometimes you’re not permitted to pay the ransom because a government agency has restricted payment to certain groups — China, etc. — so you don’t have a choice,” he said.
And while the federal government has many levels of protection against these kinds of attacks, state and county governments are more susceptible, especially as hackers become more sophisticated, Napolitano said.
“Anne Arundel County and the larger counties have more resources than some of the smaller counties do, but many times they just have a few people in their IT departments,” he said. “This is a battle that’s never-ending and, unfortunately, the attackers have more resources when you’re talking about a nation state. I would never say we’re OK and we’re safe. When you ask what keeps me up at night, this gives me nightmares.”
However, given the resources available to the county, Napolitano said it does the best it can to fight against these threats.
“We have a very strong cyber team, and we are investing. The county executive has really invested well to make sure we’re protected,” he said.
Anne Arundel County Executive Steuart Pittman on Thursday lauded the team’s efforts to protect the county’s data.
“Our Office of Information Technology has been working rapidly and efficiently to protect the county against cyberattacks,” Pittman said.