Computers at Minnesota's Tettegouche State Park were hit with malware

Anyone who used a credit card at the park in late August should be alert.

Tettegouche State Park: A place known for spectacular views of the Lake Superior shoreline, where you can hike through the picturesque forests along the winding river, or go see some of the state's marvelous birds.

It's not a place you'd consider as the possible target of a malware attack. But that's precisely what happened recently.

Malicious software was discovered on state-operated computers at the park on Aug. 25, according to a DNR news release.

Exactly how many computers were infected at Tettegouche State Park (which has a gift shop, and rents out canoes and snowshoes), Minnesota IT Services (MNIT) wouldn't say.

There is no evidence at this point that credit card numbers were taken. Forensic investigators with MNIT will be poring over the machines for weeks to determine exactly what happened, the agency says.

To be extra cautious, the DNR is suggesting anyone who visited Tettegouche from Aug. 22-25 and purchased anything with a card keep an eye on their bank account for weird purchases.

If you see anything, tell the card company. Also be wary of any email purporting to be from the DNR that asks for personal information.

How far did the malware get?

The scope right now seems fairly limited. 

The DNR says there were about 400 credit card transactions during the Aug. 22-25 period, and there's no evidence (at least right now) that the malware spread to other machines at state parks, DNR offices, or any of the other computers on Minnesota's IT network.

That could change though.

Aaron Call, director of information security with MNIT, told GoMN the malware framework they found is "fairly generic" and "can do a wide variety of things."

MNIT – which is in charge of every tech-related need for thousands of state computers and servers – was alerted to the malware around 4 p.m. on Aug. 25, after noticing a park computer reaching out to a command and control site Call said they knew was a "bad address." (It's a way for malware to get direction about what to do next.)

They isolated the machines so the infected computers couldn't communicate or spread the malware. And now it's all about digging into what happened through a full forensics investigation. 
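The detection described above (a machine contacting an address already known to be bad) and the containment step that followed (isolating the hosts involved) are the two things a defender can automate. The script below is an added illustration, not MNIT's tooling or anything from the DNR release: it parses constructed outbound-connection log lines, matches the destination against a small indicator list of known-bad command-and-control addresses, and lists the hosts that should be cut off from the network ahead of forensics. The log format, hostnames and indicator values are all constructed sample data; 198.51.100.7 is a documentation-range address, not a real C2.

```python
"""Flag hosts beaconing to known-bad command-and-control (C2) addresses.

Added illustration only; not MNIT's detection tooling. Every address,
hostname and log line here is constructed sample data.
"""

from dataclasses import dataclass
import re

# Constructed indicator list. 198.51.100.7 is an RFC 5737 documentation
# address standing in for a "bad address"; no real infrastructure is implied.
KNOWN_BAD_C2 = {"198.51.100.7", "c2.example.invalid"}

# Constructed firewall/proxy log format:
#   <date> <time> <source host> -> <destination>[:port] <action>
# Destination is an IPv4 address or hostname (IPv6 literals are not handled).
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<src>\S+)\s+->\s+"
    r"(?P<dst>[^:\s]+)(?::\d+)?\s+(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    destination: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_c2_beacons(lines, indicators=KNOWN_BAD_C2):
    """Return one Alert per connection whose destination is a known-bad address."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, never assumed clean
        if rec["dst"] in indicators:
            alerts.append(Alert(rec["ts"], rec["src"], rec["dst"]))
    return alerts


def hosts_to_isolate(alerts):
    """Distinct hosts that beaconed: the containment list to pull off the
    network before the forensic work begins."""
    return sorted({a.host for a in alerts})


# Constructed sample log: two point-of-sale hosts and one office machine.
SAMPLE_LOG = """\
2017-08-25 15:58:02 park-pos-01 -> 203.0.113.10:443 ALLOW
2017-08-25 15:59:41 park-pos-02 -> 198.51.100.7:8080 ALLOW
2017-08-25 16:00:05 park-office-03 -> c2.example.invalid:443 ALLOW
2017-08-25 16:00:17 park-pos-02 -> 198.51.100.7:8080 ALLOW
garbage line that does not parse
"""

if __name__ == "__main__":
    found = find_c2_beacons(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a.timestamp} ALERT {a.host} contacted known-bad {a.destination}")
    print("isolate:", ", ".join(hosts_to_isolate(found)))
```

On the sample data this raises three alerts (one host beacons twice) and names two hosts for isolation. In practice the indicator set would come from a threat-intelligence feed and the log lines from the perimeter firewall or proxy, but the shape of the check is the same: known-bad destination on an outbound connection, then isolate the source.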

MNIT employees will spend the upcoming weeks going through the computers – starting with those that have the most valuable data, such as credit card processing info – to see what the malware took, tried to take, or may have been attempting to do otherwise. 

It's possible investigators get through it "to find literally nothing was taken because that machine didn’t have the specific thing malware was looking for," Call said.

On the flip side, they could discover some new info down the line that forces investigators to re-evaluate everything up to that point. The scale and sophistication of possible attacks "means it’s hard to know until you do a full investigation," Call said.

Big cyber attacks recently

This is, of course, just the latest cybersecurity issue. There was the enormous Equifax breach, the also-enormous Yahoo hack, the company-crippling WannaCry ransomware that was "knocking on [Minnesota's] door," the lone vigilante hacker who took jabs at state universities ...

MNIT has said it fends off 3 million attempted cyber attacks every day. And forensics investigations take time – Call said the Tettegouche work is about 80 hours of people power each week, with the agency's top investigator dedicated to the task.

This past legislative session MNIT asked lawmakers for significantly more funding to make upgrades, including replacing outdated computers and making sure systems are monitored 24/7.

It's a request MNIT spokesperson Cambray Crozier reiterated Friday, saying this recent malware is "one clear example of how important it is to take this stuff seriously and be proactive."

The final budget bill that was ultimately passed by lawmakers and signed into law didn't include what MNIT wanted, and prompted Gov. Mark Dayton to mention the lack of new cybersecurity money as one of the "extremely disappointing" omissions.
