“While the clerk’s I.T. director knew of the vulnerability,” Mr. Bellone said at the news conference on Wednesday, “he failed.”
The hackers exploited the decentralized Suffolk County structure, Mr. Bellone added, comparing the situation to having security cameras in every room inside a house except one. “What we have here is a bad structure meeting a bad-faith actor,” he said.
Since 2017, more than 3,600 local, state and tribal governments across the country have been targeted by ransomware hackers, according to the Multi-State Information Sharing and Analysis Center, an organization that seeks to improve the United States’ cybersecurity posture. A November report from Tenable, a cybersecurity company that helps organizations reduce their exposure to attacks, found that in the months since the 2021 government warning, nearly three-quarters of organizations still remained vulnerable.
After penetrating the Suffolk County clerk’s system in December, the hackers appeared to spend months nosing through its nooks and crannies, according to investigators, who followed the “digital bread crumbs” the hackers left behind. In January, the investigators found, several Bitcoin mining programs were installed on the clerk’s systems. The miners were a sign that the intruders had established what is known in cybercrime as “persistence,” a foothold in the network that survives reboots and password changes and lets the attackers return whenever they choose; in other words, they could already install and run software of their choosing inside the clerk’s network without anyone noticing.
In Suffolk, the hackers found a porous system, which they broached and explored for months undetected. According to the investigation:
By March 2022, the hackers had installed remote-management tools that enabled them to run county clerk’s office computers from afar.
By April, they had created their own account in the clerk’s system, “John,” the first of several fictional rogue users empowered with administrative permissions.
By July they were lifting whole files from computers, including on July 13, when they found and made off with one bearing the label “Passwords.”
By August they had installed scripts that collected login credentials, allowing them to capture the passwords of every employee in the clerk’s office.
By the end of the month, they had begun to jump from the clerk’s computer network to other, separate systems in the county, including the traffic and parking agency and the health department. There, the hackers encrypted files to make them inaccessible and hold them hostage.
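One of the steps in that timeline, a brand-new account that is immediately granted administrative rights, and later a rogue account creating and elevating further accounts, is also one of the easiest to catch in audit logs. The script below is an added example, not code from the investigation or from Suffolk County, and the audit trail it scans is constructed for illustration: the field names, the privileged groups, the approved provisioning account “helpdesk.admin”, the business-hours window and every account other than “John” (the only rogue account the article names) are assumptions. It scores each addition to a privileged group by how closely it resembles the pattern described above.

```python
from datetime import datetime, timedelta

# Assumptions for this example (not from the article): which groups count as
# privileged, which accounts are allowed to provision users, and what counts
# as business hours.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
APPROVED_PROVISIONERS = {"helpdesk.admin"}
BUSINESS_HOURS = range(7, 19)           # 07:00 to 18:59 local time
ELEVATION_WINDOW = timedelta(hours=24)  # "new account elevated right away"

# Constructed sample audit trail. Timestamps, actors and every account except
# "John" are made up to illustrate the pattern; "sqlsvc2" plays the role of a
# second rogue account created by the first.
SAMPLE_EVENTS = [
    {"ts": "2022-04-02T03:14:00", "event": "USER_CREATED",
     "actor": "svc_backup", "target": "John"},
    {"ts": "2022-04-02T03:15:30", "event": "GROUP_MEMBER_ADDED",
     "actor": "svc_backup", "target": "John", "group": "Administrators"},
    {"ts": "2022-04-11T09:30:00", "event": "USER_CREATED",
     "actor": "helpdesk.admin", "target": "m.rivera"},
    {"ts": "2022-04-11T09:31:00", "event": "GROUP_MEMBER_ADDED",
     "actor": "helpdesk.admin", "target": "m.rivera", "group": "Domain Users"},
    {"ts": "2022-04-18T10:00:00", "event": "USER_CREATED",
     "actor": "helpdesk.admin", "target": "backup.ops"},
    {"ts": "2022-04-18T10:02:00", "event": "GROUP_MEMBER_ADDED",
     "actor": "helpdesk.admin", "target": "backup.ops", "group": "Domain Admins"},
    {"ts": "2022-06-03T01:40:00", "event": "USER_CREATED",
     "actor": "John", "target": "sqlsvc2"},
    {"ts": "2022-06-03T01:41:10", "event": "GROUP_MEMBER_ADDED",
     "actor": "John", "target": "sqlsvc2", "group": "Domain Admins"},
]


def score_privilege_grants(events):
    """Return one finding per addition to a privileged group, with a score
    and the reasons behind it. Events are processed in time order so that
    account creations seen earlier inform later elevations."""
    created = {}   # account name -> (creation time, creating actor)
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["event"] == "USER_CREATED":
            created[e["target"]] = (ts, e["actor"])
            continue
        if e["event"] != "GROUP_MEMBER_ADDED" or e["group"] not in PRIVILEGED_GROUPS:
            continue
        reasons, score = [], 0
        if e["actor"] not in APPROVED_PROVISIONERS:
            reasons.append(f"granted by unapproved actor {e['actor']}")
            score += 3
        if e["actor"] in created:
            # A freshly created account handing out admin rights is the
            # "rogue account creates more rogue accounts" pattern.
            reasons.append(f"actor {e['actor']} is itself a newly created account")
            score += 3
        if e["target"] in created and ts - created[e["target"]][0] <= ELEVATION_WINDOW:
            reasons.append("account created less than 24h before elevation")
            score += 1
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("elevation outside business hours")
            score += 1
        findings.append({"account": e["target"], "group": e["group"],
                         "at": e["ts"], "score": score, "reasons": reasons})
    return findings


def rogue_accounts(events, threshold=2):
    """Accounts whose elevation scored at or above the threshold."""
    return sorted({f["account"] for f in score_privilege_grants(events)
                   if f["score"] >= threshold})


if __name__ == "__main__":
    for f in score_privilege_grants(SAMPLE_EVENTS):
        print(f"{f['at']} {f['account']:>10} -> {f['group']:<14} "
              f"score={f['score']} {'; '.join(f['reasons'])}")
    print("flagged:", rogue_accounts(SAMPLE_EVENTS))
```

On the sample trail, “John” scores 5 (unapproved actor, elevated ninety seconds after creation, at 3 a.m.) and “sqlsvc2” scores 8 because the actor granting it Domain Admins is itself a recently created account; “backup.ops”, created and elevated by the approved provisioner during the day, scores only 1 and is left for routine review. The threshold and weights are tuning knobs for whoever runs this, and the real value comes from feeding it the account-management events of a directory service rather than this constructed list.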
Ms. Pascale’s office is no stranger to unlawful use of its computer systems. In September 2021, a few months before the cyberattacks, the police arrested one of her I.T. supervisors, Christopher Naples, who prosecutors say had hidden 46 specialized cryptocurrency mining devices in the Riverhead building where his office was located. He was charged with public corruption and grand larceny, among other counts. If convicted of the top charge against him, Mr. Naples faces up to 15 years in prison.
Indeed, one of the rogue accounts that hackers created over the summer seemed to hint at knowledge of this incident; it is a play on Mr. Naples’s name.
Mr. Naples is on administrative leave, awaiting trial. He still draws a salary, according to the county spokeswoman, Marykate Guilfoyle. She said the county had no knowledge of any connection between Mr. Naples and the cyberattack.