How big a deal is this hack of Minnesota government and MSU Moorhead servers?

Email addresses, encrypted passwords, user IDs – what someone could do with the information.

A Minnesota state government server and Minnesota State University Moorhead were hacked over the weekend – the work of someone who goes by "Vigilance" on Twitter and said it was done as retaliation for the Jeronimo Yanez verdict.

The hack, which Vigilance first tweeted about on Saturday, exposed hundreds of email addresses, versions of encrypted passwords, and the names plus log-in info of students at MSUM. The culprit then posted all of the text online.

On Wednesday, Minnesota IT Services (aka MNIT) gave its first significant update about what its teams had uncovered so far.

In an email statement, MNIT said its forensics teams confirmed a server was compromised. The one that was accessed in the hack housed older state technology applications, MNIT said, calling the impact of the hack "small" and saying it only affected "legacy computer systems that are no longer in use."

The data posted online includes the emails and encrypted passwords of people who subscribed to old government newsletters, MNIT said, specifically for the state geographic information and energy programs. The hack didn't disrupt any "major business systems," MNIT said, and the vulnerabilities were addressed. They'll turn over their findings to the FBI soon.

MSU Moorhead said first and last names, plus StarID and Dragon ID numbers of 8,000 students and 800 staff were accessed without authorization. A "fraction" of them were posted online, the school added.

The server that was affected was taken offline, and everyone's StarID passwords will have to be reset at the end of the week, MSU Moorhead added, then apologized for any inconvenience.

Update: Vigilance later claimed to have found security issues in the University of Minnesota Twin Cities website.

So what could someone do with this information?

Bob Weiss has been blogging at WyzGuyz Cybersecurity for about a decade now, and currently works as a senior cybersecurity engineer for Computer Integration Technologies in the Twin Cities.

"The randomness of the hacks make me wonder if it was just that, these were systems that were easy," Weiss told GoMN Wednesday, while noting the state generally has pretty good cybersecurity. But that doesn't mean the information – even if it's just email addresses and encrypted passwords right now – isn't valuable.

If someone manages to crack the scrambled passwords (which are generally protected by hashing) with "brute force" password-cracking software, Weiss explained, then they suddenly have complete, legitimate log-in information.

"That kind of information would be easy to sell online ... I mean there’s like a bazaar basically on what they call the dark web," Weiss said, noting government accounts could be especially valuable.

From there, a malicious actor could take a couple different routes.

One, they could attempt to use that email/password combination for other sites – think Amazon, where your credit card info is stored, or your Facebook account with lots of personal information, he said. (That's why people recommend using different passwords for different accounts.)

Two, someone could try to set up a spear phishing campaign. They could log in to an email account but not do anything to alert the user they're inside, Weiss said, instead just watching, reading, poking in your contacts. Doing "some really serious reconnaissance" on a target, he explained, until they have enough to make a very convincing spoof email.

"And then I can build that perfect email that is just going to be 100 percent ... convincing, and get them to do something that gets me deeper into my goal," Weiss said. "Or I can use their email account to impersonate them in order to get somebody else who may be more valuable to do something that would be more useful to me."

MNIT has asked for money for 24/7 monitoring

Vigilance's first tweet was sent at 11:25 p.m. on Saturday. And while MNIT didn't offer specifics about staffing during that specific time, it's worth noting the department had been asking state lawmakers for a significant boost in funding. One of their goals with new money was to get MNIT staffers working 24/7. The department says it fends off 3 million potential attacks every day.

"The way the internet works is these attacks don’t just come in during business hours … they come in all the time," Aaron Call, MNIT's director of information security, told GoMN in May. "We’re unable to react. We don’t have our eye on the ball at night."

MNIT did not get the additional funding it was hoping for, and on Wednesday said events like this one over the weekend "underscore the urgency of this increased investment."

Why Vigilance did this

The hacker first reached out to Vice's Motherboard, reiterating that this was in response to a 12-person jury acquitting Yanez of manslaughter charges in the shooting of Philando Castile. He also said the method he used to get the data – the vulnerability, as it's referred to – hadn't been patched.

He's since been retweeting stories about what he did, as well as pastebin links containing the usernames and info he took. He tweeted Monday:

"Sit back and watch the chaos unfold
Justice for #PilandoCastile
More leaks coming for more injustices."

And on Wednesday, he sent out a screengrab that included an "mn.us" URL that leads to some sort of printing page, writing: "Where am I? The clock is ticking."
