A Minnesota state government server and Minnesota State University Moorhead were hacked over the weekend – the work of someone who goes by "Vigilance" on Twitter and said it was done as retaliation for the Jeronimo Yanez verdict.
The hack, which Vigilance first tweeted about on Saturday, exposed hundreds of email addresses, encrypted versions of passwords, and the names plus log-in info of students at MSUM. The culprit then posted all of the text online.
On Wednesday, Minnesota IT Services (aka MNIT) gave its first significant update about what its teams had uncovered so far.
In an email statement, MNIT said its forensics teams confirmed a server was compromised. The one that was accessed in the hack housed older state technology applications, MNIT said, calling the impact of the hack "small" and having only affected "legacy computer systems that are no longer in use."
The data posted online includes the emails and encrypted passwords of people who subscribed to old government newsletters, MNIT said, specifically for the state geographic information and energy programs. The hack didn't disrupt any "major business systems," MNIT said, and the vulnerabilities have been addressed. MNIT will turn over its findings to the FBI soon.
MSU Moorhead said first and last names, plus StarID and Dragon ID numbers of 8,000 students and 800 staff were accessed without authorization. A "fraction" of them were posted online, the school added.
The server that was affected was taken offline, and everyone's StarID passwords will have to be reset at the end of the week, MSU Moorhead added, then apologized for any inconvenience.
Update: Vigilance later claimed to have found security issues in the University of Minnesota Twin Cities website. You can read Friday's update about that here.
So what could someone do with this information?
"The randomness of the hacks make me wonder if it was just that, these were systems that were easy," Weiss told GoMN Wednesday, while noting the state generally has pretty good cybersecurity. But that doesn't mean the information – even if it's just email addresses and encrypted passwords right now – isn't valuable.
If someone manages to recover the jumbled passwords (which are generally protected by hashing rather than true encryption) using "brute force" password-cracking software, Weiss explained, then they've suddenly got complete, legitimate log-in information.
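An added example, not from the article or from MNIT or MSUM, illustrating the point Weiss makes from the defender's side. It assumes a constructed leak in which newsletter subscribers' passwords were stored as unsalted SHA-1 hex digests (a hypothetical format), shows why such "encrypted" passwords fall to a common-password list in one pass, and contrasts per-user salt plus PBKDF2, which removes that shortcut and raises the cost of every guess.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the huge lists cracking tools ship with.
COMMON_PASSWORDS = ["password", "123456", "letmein", "minnesota", "qwerty"]


def sha1_hex(password: str) -> str:
    """Hypothetical legacy storage: unsalted SHA-1, hex encoded."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed "leaked" subscriber table (email -> stored hash). Not real data.
LEAKED_UNSALTED = {
    "a.subscriber@example.org": sha1_hex("password"),
    "b.subscriber@example.org": sha1_hex("minnesota"),
    "c.subscriber@example.org": sha1_hex("x7#Lq!9vRdP2-not-in-any-list"),
}


def exposure_audit(records: dict, wordlist: list) -> dict:
    """Triage for a defender deciding how urgently to force resets.

    With no salt, one hash per wordlist entry is computed once and then
    compared against every user, so the whole table is checked in a single
    pass. Returns the accounts whose password appears in the wordlist.
    """
    table = {sha1_hex(word): word for word in wordlist}  # computed once, reused for all users
    return {email: table[h] for email, h in records.items() if h in table}


def store_pbkdf2(password: str, iterations: int = 200_000) -> tuple:
    """Hardened storage: random per-user salt and a slow, iterated KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_pbkdf2(password: str, stored: tuple) -> bool:
    """Constant-time check; a guess must be re-derived per account, per salt."""
    salt, iterations, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def salted_copies_match(password: str) -> bool:
    """Two users with the same password: identical unsalted hash, distinct salted ones."""
    return store_pbkdf2(password)[2] == store_pbkdf2(password)[2]
```

Two subscribers who chose "password" share a SHA-1 digest, so a single lookup exposes both; with per-user salt they do not, and each guess costs the full PBKDF2 work for each account separately.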
"That kind of information would be easy to sell online ... I mean there’s like a bazaar basically on what they call the dark web," Weiss said, noting government accounts could be especially valuable.
From there, a malicious actor could take a couple different routes.
One, they could attempt to use that email/password combination on other sites – think Amazon, where your credit card info is stored, or your Facebook account with lots of personal information, he said. (That's why people recommend using different passwords for different accounts.)
Two, someone could try to set up a spear phishing campaign. They could log in to an email account but do nothing to alert the user they're inside, Weiss said, instead just watching, reading, and poking through the user's contacts. Doing "some really serious reconnaissance" on a target, he explained, until they have enough to make a very convincing spoof email.
"And then I can build that perfect email that is just going to be 100 percent ... convincing, and get them to do something that gets me deeper into my goal," Weiss said. "Or I can use their email account to impersonate them in order to get somebody else who may be more valuable to do something that would be more useful to me."
MNIT has asked for money for 24/7 monitoring
Vigilance's first tweet was sent at 11:25 p.m. on Saturday. And while MNIT didn't offer specifics about staffing during that specific time, it's worth noting the department had been asking state lawmakers for a significant boost in funding. One of their goals with new money was to get MNIT staffers working 24/7. The department says it fends off 3 million potential attacks every day.
"The way the internet works is these attacks don’t just come in during business hours … they come in all the time," Aaron Call, MNIT's director of information security, told GoMN in May. "We’re unable to react. We don’t have our eye on the ball at night."
MNIT did not get the additional funding it was hoping for, and on Wednesday said events like this one over the weekend "underscore the urgency of this increased investment."
Why Vigilance did this
The hacker first reached out to Vice's Motherboard, reiterating that this was in response to a 12-person jury acquitting Yanez of manslaughter charges in the shooting of Philando Castile. He also said the method he used to get the data – the vulnerability, as it's referred to – hadn't been patched.
He's since been retweeting stories about what he did, as well as pastebin links containing the usernames and info he took. He tweeted Monday:
"Sit back and watch the chaos unfold
Justice for #PilandoCastile
More leaks coming for more injustices."
And on Wednesday, he sent out a screengrab that included an "mn.us" URL that leads to some sort of printing page, writing: "Where am I? The clock is ticking."