Minnesota must prioritize cybersecurity after recent attacks

This is a guest post from Caleb Larson, a member of American Experiment’s Young Leaders Council.

If something is connected to the internet, it is simply a question of when, not if, it will be hacked. This is the unfortunate reality that Minnesotans must accept if they are going to adequately address the potentially countless cyber threats. Importantly, key institutions most vulnerable to debilitating hacks must be prioritized in efforts to improve cybersecurity across the state. As the fallout of cybersecurity incidents is felt across Minnesota, more attention must be paid to the approach the state is taking to cybersecurity and its improvement.

Starting on February 20, Minneapolis Public Schools (MPS) encountered issues with their computer systems. Misclassified as an “encryption event” by the district, this attack by the Medusa threat group involved ransomware and a double extortion scheme. Encryption is used in such an attack to disable IT systems and remove access to data. The threat actor also steals the sensitive data and threatens to leak it, adding extra pressure on the targeted victim to pay the ransom. The direct impact on MPS students may have been minimal due to parent-teacher conferences and precautions taken for a winter storm leaving classrooms mostly empty, but the totality of the attack is hard to overstate.

MPS restored their systems from unaffected backups, a hollow victory considering the theft of data. According to Medusa, the trove of data goes back to 1995 and includes everything from student health records to building layouts. In its initial update, the district stated it found no evidence that personally identifiable information was stolen. As with most breaches wherein victims realize they need cybersecurity controls after being attacked, MPS is now deploying an endpoint detection and response tool along with multi-factor authentication. Both controls are vital if an organization hopes to prevent and detect cyberattacks. MPS was totally unprepared for this attack, as evidenced by the lack of basic security controls beforehand and of proper breach communication afterward.

Additionally, MPS suffered a social engineering attack in April 2020 that nearly cost the district $500,000. The payment, meant for the independent contractor Stahl Construction Company, was sent instead to the bank account of a fraudster in New York. This fraudster tricked the MPS finance department by appearing to be from Stahl Construction in an email and telling them to update the bank account information for the contractor. Thankfully, the bank could reverse the transfer because they had been notified within five days. The district’s response to its mistake is concerning. It blamed pandemic working conditions for the lapse in intra-organization payment verification. But working conditions should have no impact on the effectiveness of processes put in place for preventing social engineering attacks. MPS says they have put in place “additional protocols” to prevent similar payments from being made, but once again, it should not take a cybersecurity incident like this to spur the implementation of necessary processes and procedures.

Other vulnerable Minnesota organizations besides schools are prime targets for cyber threat actors. A Russian cybercrime gang called Trickbot was recently named in a press release announcing the sanctioning of seven of its members. The notice explicitly identified the gang’s operations against three Minnesota-based medical facilities. Trickbot had used ransomware against them, with effects similar to those seen in the MPS network but with much more serious consequences, as evidenced by the diversion of ambulances that occurred. Unfortunately, these medical facilities were easy prey, as the members of Trickbot “gloated” about how easy it was to compromise them and obtain the ransom payments. Foreign cyber criminals easily putting the medical resources of Minnesotans in jeopardy is dangerous and unacceptable.

These harrowing accounts of cyber intrusions against Minnesota schools and medical facilities should be a wake-up call to lawmakers and citizens alike. The response should be an improvement in cybersecurity controls, processes, and personnel to combat these cyber threats. If our state government is going to throw money at public schools, then at least some of it should go to preparing their cyber defenses. State agencies must assist our most vulnerable and sensitive organizations with resources to help them update their security posture. If we do not act with sufficient urgency, we will continue to endure debilitating cyberattacks resulting in loss of learning, funds, and maybe even life.