EXCLUSIVE: National Guard deployed to thwart cyberattacks in Louisiana weeks before election

Weeks before the election, the National Guard was called in to thwart cyberattacks in Louisiana

The Louisiana National Guard has been called in to stop a series of cyberattacks that have targeted small government offices across the state in recent weeks, according to two people with knowledge of the events. The incidents draw attention to the cyber threat.

The situation in Louisiana follows a similar case in Washington state, according to a cybersecurity official familiar with the matter. A hacker infected some government offices there with a type of malware that blocks systems and demands a ransom to regain access.

Senior US security officials have been warning since 2019 that ransomware poses a threat to the US election. An attack on certain state government entities could disrupt the systems necessary to administer the election.

It's unclear whether the hackers targeted systems tied to the Louisiana election or were simply hoping for a payment. However, the attacks raised alarm because of the potential damage they could have caused and evidence that a sophisticated hacking group was involved.

Experts investigating the Louisiana incidents found a tool used by the hackers that was previously tied to a group linked to the North Korean government, according to a person familiar with the investigation.

This tool has been described as a Remote Access Trojan (RAT) that can be used to infiltrate computer networks. However, cybersecurity analysts who have studied this RAT - known as "KimJongRat" - say some of its code was published in a computer virus repository where hackers could copy it, making its attribution to North Korea less certain.

While employees of several government offices in north Louisiana were successfully compromised as part of the campaign, the cyberattack was stopped in its early stages before significant damage was done, according to the two people familiar with the response to the incident.

The Louisiana National Guard declined to comment on the incidents. A Louisiana State Police spokesman said they were called in to investigate the cyberattacks but declined further comment. The governor's office said it could not comment on an ongoing investigation.

Tyler Brey, a spokesman for the Louisiana Secretary of State's Office, said Louisiana is a "top-down state" where election data is stored centrally in the secretary of state's office, which can make it easier for election officials to recover from cyberattacks.

A person familiar with the events said the hacker's goal was to infect computers with ransomware, but added that it was difficult to determine since the attack was stopped in its early stages.

If so, Louisiana would not have been the first state. Over the last year, several US cities have fallen victim to ransom demands, including incidents in Baltimore, Maryland, and Durham, North Carolina.

The big question

Jen Miller, deputy director of threat intelligence at US cybersecurity firm Palo Alto Networks, tracked a hacking group using KimJongRat last year. She said it was "out of character" for the group she studied to conduct a cyber operation for financial gain.

A previous cybersecurity research report from Luxembourg firm iTrust Consulting in 2013 found that KimJongRat was written using Korean computer code that contained references to the North Korean leader's family members.

Emotet, a Trojan horse increasingly used against banks, was also used by the attackers and found on computers in Louisiana. When employees were hacked, their email accounts were sometimes hijacked by the hackers to send malware to other colleagues.

On October 6, the Department of Homeland Security's cybersecurity division, known as CISA, released an alert saying that Emotet had been used against numerous local government offices across the country.

In recent cases of cybercriminals going after local government offices in the run-up to the election, like in Washington, U.S. officials, along with technology companies like Microsoft Group, are trying to understand whether the hackers have ties to foreign intelligence agencies from Russia, Iran, China and North Korea.

“That's a very interesting question and something that we're digging into and trying to find data, information and insights that would help us understand this better,” Microsoft Vice President Tom Burt said in a recent interview.

“There are a small number of criminal groups that are responsible for the majority of ransomware attacks, and that is why we are working to understand who they are, how they are organized, who they work with and where they operate from,” Burt added.

Microsoft is among a select group of cybersecurity firms helping respond to the attacks in Washington, where they have offered free cybersecurity software to local government officials leading up to the election, according to a person familiar with their response.

A Microsoft spokesman declined to comment on the company's work there.