How a cyberattack plunged a Long Island county into the 1990s

Emergency dispatchers taking down 911 calls by hand, unable to use their geolocation technology for callers. Police officers radioing in crime scene details, rather than e-mailing reports to headquarters. Office workers resorting to fax machines.

For weeks this fall, the government of New York’s Suffolk County was plunged back into the 1990s after a malicious ransomware attack forced it largely offline. A frantic push to counter the threat hobbled the county, as officials disabled e-mail for all 10,000 civil service workers and scrubbed infected hardware, seeking to stem fallout from compromised computer systems.

More than two months after the attack, some of the gears that run much of Long Island are still stubbornly mired in a cybermorass. It is a situation that experts say not only reveals the county’s vulnerability but presents an ominous warning for a nation unprepared for crippling online threats.

The full scope of the damage is still emerging: Just last week, the county announced that in addition to the data it had already believed had been stolen, more personal information, including driver’s license numbers linked to 470,000 moving violations, had potentially been exposed.

The crisis began on the morning of Sept. 8, when the county’s antivirus software — the systems that alert to cybersecurity threats — started “pinging,” said Lisa Black, the chief deputy county executive. This indicated that the online systems that thread through more than 20 county agencies — from the Police Department to the Department of Social Services to the division of soil and water conservation — were under attack. The incursions set in motion a shutdown to thwart whatever was worming its way through the county’s operating system.

“We train for these events, just the way we train for the pandemic,” Black said. “By 4 p.m. that day, we made a decision: We were just going to turn off the Internet to further contain this.”

Since 2017, more than 3,600 local, tribal, and state governments across the country were hit by ransomware hackers, according to the Multi-State Information Sharing and Analysis Center, an organization that seeks to improve the United States’ cybersecurity posture.

The measures taken to stem the attack in Suffolk County snarled the government’s most essential functions. Wire payments to some of its thousands of contractors were temporarily suspended, so financial information could not be cribbed as it flowed through the county’s computers. Binders of staff phone numbers, landline phones, and old fax machines were dusted off.

“We are going to revert to 1990,” Black said, describing the thinking at the time. “We are going to teach millennials what a fax machine was.”

Almost every corner of county government has had to pivot, in ways both cumbersome and retro:

— The police turned back to finicky radio transmission to call in incidents, rather than e-mailing reports from tablets at the scene, said Noel DiGerolamo, president of the Suffolk County Police Benevolent Association, which represents Suffolk County Police Department officers.

— Payments to contractors were made with paper checks, each signed personally by the comptroller and his senior staff.

— Title searches, recently made accessible online during the pandemic, were taken offline again. They remained inaccessible for almost a month, grinding some real estate transactions to a halt without access to essential records. At the county’s request, Governor Kathy Hochul, a former Erie County clerk, sent 125 computer terminals to the clerk’s office in Riverhead. There, a secure system was set up for title searches in a corner of the employee cafeteria.

— Fearful that 911 response times would lag as dispatchers were left unable to use computer-aided dispatch systems that automatically locate and record callers, the county reached out to the state’s centralized emergency response center. New York City sent 10 of its dispatchers to the county call center in Yaphank to pitch in until the system could be restored. It was back online Sept. 22.

According to Steve Bellone, the Suffolk County executive, the attacks were carried out by BlackCat, a professional hacking outfit also known as ALPHV, which steals sensitive data and threatens to release it if a ransom is not paid. The organization has rampaged worldwide, penetrating a wide range of targets, from Italy’s state-run electric utility to a Florida university to a US defense contractor.

Officials said no ransom was paid but would not reveal any other details about the case, in part because of the ongoing criminal investigation by the Suffolk County district attorney and the FBI.

Some county officials had voiced concerns over the state of the county’s security well before the attack and said they had been rebuffed. In June, Judith Pascale, the outgoing county clerk, requested a separate firewall for her office, concerned her office’s data was vulnerable.

E-mails between Pascale and Scott Mastellon, the county’s information technology commissioner, appear to show the specific request was rejected. The e-mails were first reported by Newsday and obtained by The New York Times. (The county disputed the characterization and said it offered an equivalent technology but the clerk’s office did not use it.)

“I am not the boy that’s cried wolf,” said Pascale. “People, this is a global problem.”

Others defended the county’s response to the current crisis: “This is an attack by an adversary who wants to sow distrust and chaos to leverage that to steal taxpayer dollars,” said Michael A.L. Balboni, president and managing director of RedLand Strategies, which led a training exercise in 2019 for county leaders. In the wake of the hack, Balboni’s firm was rehired to provide guidance.

“At the local government level, you don’t have the resources or ability to respond to what amounts to nation-state style attack — and it’s unrealistic to expect them to,” Balboni said.