Cyberattacks may follow CrowdStrike outage, warns MS-ISAC
After working long hours over the weekend to help their organizations recover from last week’s CrowdStrike outage, many state and local government IT officials this week told StateScoop that the worst of the disruptions appear to be over.
Yet the confusion of the outage, initiated by a faulty configuration file CrowdStrike pushed out last Thursday to Microsoft Windows machines running its Falcon security software, is now being exploited by cybercriminals, said TJ Sayers, director of intelligence and incident response at the nonprofit Center for Internet Security’s Multi-State Information Sharing and Analysis Center, which provides technology support to state and local governments.
“We pretty much immediately started seeing cyber threat actors spinning up infrastructure that was masquerading like legitimate CrowdStrike stuff,” Sayers said. “So things like typosquatted domains and phishing campaigns. … We were keeping an eye on that stuff because we knew that the cybercriminal, potentially state-affiliated, hacktivist communities, all those groups would be trying to exploit this window of urgency and chaos to try to gain a foothold into [state, local, tribal and territorial government] networks.”
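The typosquatted domains Sayers describes are something a defender can hunt for in their own DNS or proxy logs. The script below is an added example written for this article; it is not code from MS-ISAC, CrowdStrike or StateScoop. It assumes a defender-maintained watchlist of vendor brand names and an allowlist of their legitimate domains (both hypothetical here), normalizes common look-alike characters, and flags hostnames that contain a watched brand or sit within a small edit distance of it. The log lines are constructed sample data, not real traffic.

```python
import re
from typing import Dict, List, Optional

# Brands whose look-alikes we want to catch (assumption: the defender's own vendor list).
WATCHLIST = ("crowdstrike", "microsoft")
# Domains known to be legitimate (assumption: maintained by the defender, kept short here).
ALLOWLIST = ("crowdstrike.com", "microsoft.com", "microsoftonline.com")

# Characters attackers often swap for visually similar letters (assumed mapping, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed sample DNS query log: timestamp, client, query type, name.
SAMPLE_DNS_LOG = """\
2024-07-19T14:02:11Z 10.0.4.21 query A falcon.crowdstrike.com
2024-07-19T14:03:45Z 10.0.4.21 query A crowdstrike-fix.com
2024-07-19T14:05:02Z 10.0.7.8 query A crowdstr1ke.net
2024-07-19T14:05:40Z 10.0.7.8 query A crowdstirke.com
2024-07-19T14:06:13Z 10.0.9.3 query A login.microsoftonline.com
2024-07-19T14:07:00Z 10.0.9.3 query A example.org
2024-07-19T14:08:22Z 10.0.4.21 query A crowdstrike.support-portal-example.net
"""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) via a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Second-level label, e.g. 'crowdstrike-fix' for 'crowdstrike-fix.com'.
    Simplification: treats the last two labels as the registrable domain."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def classify(host: str, max_distance: int = 2) -> Optional[Dict[str, str]]:
    """Return a finding for a suspicious hostname, or None if it looks benign."""
    host = host.lower().rstrip(".")
    # Allowlisted domains and their subdomains are never flagged.
    if any(host == a or host.endswith("." + a) for a in ALLOWLIST):
        return None
    label = registrable_label(host)
    normalized = label.translate(HOMOGLYPHS).replace("-", "")
    for brand in WATCHLIST:
        # Brand embedded in the registrable label, e.g. 'crowdstrike-fix'.
        if brand in normalized:
            return {"host": host, "brand": brand, "reason": f'label "{label}" contains "{brand}"'}
        # Near-miss spellings: compare both the raw and homoglyph-normalized label.
        distance = min(levenshtein(label.replace("-", ""), brand), levenshtein(normalized, brand))
        if distance <= max_distance:
            return {"host": host, "brand": brand, "reason": f'label "{label}" is {distance} edit(s) from "{brand}"'}
    for brand in WATCHLIST:
        # Brand used as a subdomain of an unrelated registrable domain.
        if brand in host.translate(HOMOGLYPHS):
            return {"host": host, "brand": brand, "reason": f'"{brand}" appears outside allowlisted domains'}
    return None


LOG_PATTERN = re.compile(r"query\s+\w+\s+(\S+)\s*$")


def scan_log(text: str) -> List[Dict[str, str]]:
    """Run classify() over every query name in the log text; return the findings in order."""
    findings = []
    for line in text.splitlines():
        match = LOG_PATTERN.search(line)
        if not match:
            continue
        finding = classify(match.group(1))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_DNS_LOG):
        print(f'{f["host"]:45} {f["reason"]}')
```

Run against the sample log, the script clears the genuine `crowdstrike.com` and `microsoftonline.com` names and flags four look-alikes. The allowlist matters: `microsoftonline` contains the brand `microsoft`, so without it a legitimate Microsoft sign-in domain would be reported. Treat hits as triage candidates to correlate with proxy, e-mail and endpoint telemetry, not as automatic blocks, and expect to tune the edit-distance threshold against your own traffic.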
The CrowdStrike incident grounded thousands of flights around the world, halted broadcasts and medical procedures and disrupted financial transactions. State and local government agencies, schools, libraries, 911 call centers and election offices are among the organizations where operations have been disrupted. Portland, Oregon, Mayor Ted Wheeler declared a state of emergency after the incident disabled more than half of the city’s nearly 500 IT systems.
Many state and local agencies are still working to restore servers, devices and services.
An “endpoint detection and response” program led by the MS-ISAC had distributed “thousands and thousands” of CrowdStrike’s Falcon devices to state and local government agencies, Sayers said, though when asked for a precise figure, he only said: “It’s not a small number.” His group is now providing “informational technical support” and pointing government entities to CrowdStrike’s official recommendations as they attempt to boot their systems back online, he said.
Some state and local IT agencies told StateScoop their offices don’t use CrowdStrike and that they didn’t notice any outages. Others said they worked nonstop over the weekend to patch software and restore servers.
A spokesperson from the Colorado Governor’s Office of Information Technology on Monday reported that 64% of affected workstations and 85% of servers had been restored, and that although services — such as at motor vehicle offices — were disrupted, “most public-facing systems remained operational.”
A spokesperson from Vermont’s Agency of Digital Services said 90% of systems had been restored by Sunday. Pennsylvania managed to get services restored even faster — by 11:30 a.m. on Friday, a spokesperson said.
Third-party services that rely on CrowdStrike software caused disruptions to 911 systems in Alaska, Arizona and Oregon. Brandon Abley, chief technology officer with the National Emergency Number Association, told StateScoop that his nonprofit is working with the Department of Homeland Security and the National Association of State 911 Administrators to measure the extent to which the CrowdStrike incident disrupted the nation’s emergency call systems.
“There are dozens of different systems,” he said. “You have justice look-ups, you have computer-aided dispatch, you have mapping services, you have all kinds of pieces of software that are used by different vendors and several of those were affected by the outage.”
Abley said that when the nation eventually upgrades to a digital 911 system, called next-generation 911, it will be easier to mitigate such disruptions because operational call centers will be able to receive calls that would have been routed to non-working ones.
Sayers, the MS-ISAC director, said an incident like this will happen again. He advised state and local government technology officials to take “a holistic look internally at their systems” in search of single points of failure.
“Even though this was not a cyberattack, from everything we have seen, it is exposing a potential soft underbelly in the global IT community … of how a single vendor or single IT security solution could be an inlet to attack organizations at scale,” he said.