Cyberattack shuts down US unemployment and labor websites • The Register


A cyberattack on a software company nearly a week ago continues to ripple through labor and workforce agencies in a number of US states, cutting people off from services such as unemployment benefits and job search programs.

Labor departments and related agencies in at least nine states have been affected. According to a statement from the Louisiana Workforce Commission this week, Geographic Solutions (GSI) was forced to shut down state labor exchanges and unemployment claims systems, and up to 40 states and Washington DC, all of which depend on GSI's services, may be affected.

In a statement to the media, GSI President Paul Toomey said the Palm Harbor, Fla.-based company “identified abnormal activity on our network” and took its services offline. Toomey did not say whether GSI had been hit by ransomware or another type of malware.

He said the company was working with third-party specialists to investigate the cyber incident and ensure it doesn’t happen again. Toomey said he hopes to restore services before the July 4 holiday, although by midday Friday here on the US East Coast, GSI’s website was still offline. Agencies in several states said they were notified of the issue by GSI on June 26.

According to the company's LinkedIn page, GSI develops software for purposes such as workforce development, labor market information and unemployment insurance, and has built online offerings for state and local governments in over 35 states. The provider, which has more than 350 employees, also implements and maintains websites for agencies in states such as California, Florida, North Carolina and Indiana.

The closure of services affects tens of thousands of unemployed and job seekers across the country. The Louisiana Workforce Commission’s HiRE website outage affects nearly 11,000 people filing continuing unemployment claims in that state.

GSI also operates Tennessee’s Jobs4TN site, which includes the state’s unemployment system and labor data exchange and which has also been taken offline. About 12,000 Tennessee residents rely on the state’s unemployment program and workforce development programs, according to the state’s Department of Labor and Workforce Development. The California Department of Employment Development said in a notice [PDF] the GSI service shutdown caused its CalJOBS website to go offline.

Other states, ranging from New Hampshire to Texas, were also affected by the GSI outage. The Nebraska Department of Labor, whose unemployment and job site NEworks has been taken offline, said in a statement that “GSI has indicated that this attack only affects access to GSI’s online systems and that there is no evidence that user data has been compromised”.

GSI said this attack only affected access to GSI’s online systems and there is no evidence that any user data was compromised.

According to Mike Parkin, senior technical engineer at Vulcan Cyber, although GSI does not comment on the type of attack that hit it, it looks like ransomware.

"Given how often ransomware is used, it wouldn't be surprising if that were the case here," Parkin told The Register. "While a threat actor might simply disrupt operations with denial of service, distributed denial of service, or destructive malware, the profit motive, especially where personal information may be involved, favors a ransomware attack."

Given the unstable international situation and the nature of the target, it is possible that the attack came from a nation-state or a state-sponsored threat actor, he added.

John Bambenek, principal threat hunter at cybersecurity firm Netenrich, agreed that it was likely a ransomware attack given its disruptive nature, and told The Register: "The most important question is what information is at risk to users of these websites and what protective measures they should take. Too often we focus on the professional parts of incident response, but forget the impact on those whose private information is stolen."

The outage is the latest in a growing trend of software supply chain attacks, in which cybercriminals attack a company with the aim of infecting the victim's downstream partners and customers, essentially widening the blast radius of their malware. One example is the 2020 attack on SolarWinds, where the Russian-led Nobelium gang was able to inject malicious code into an upgrade to the company's Orion infrastructure management software. When SolarWinds customers, including many US government IT departments, downloaded and deployed the update, their systems were also infected.

Other examples include the ransomware attack on software vendor Kaseya a year ago, which exploited a vulnerability in the company’s VSA software to infect organizations down the supply chain.

In its 2022 Data Breach Investigations Report, Verizon estimated that supply chain attacks accounted for approximately 10% of overall cybersecurity incidents each year. According to Deepen Desai, CISO and vice president of security research and operations at zero-trust provider Zscaler, supply chain risk is changing.

Traditionally, such attacks have been run by nation states, as in the SolarWinds case, for espionage purposes, Desai told The Register at Zscaler's recent Zenith Live conference. However, financially motivated threat groups are now seeing how they can also infect a company with malicious code "and travel to thousands of downstream organizations that are customers".

"It indicates that crimeware gangs – these financial gangs – have evolved in terms of sophistication and are taking advantage of some of the playbooks of nation states," he said. "It was expected, especially given the success some of these [nation-state] gangs had."

Desai also noted that he expects to see multi-layered attacks, where it’s not just the victim’s downstream partners and customers who are targeted, but the victim’s upstream vendors as well.

The GSI attack also highlights the need for organizations to develop third-party risk management programs, according to Tim Marley, field CISO and vice president of audit, risk and compliance at Cerberus Sentinel.

"We've seen a significant shift over the past decade from on-premises systems to cloud-hosted solutions," Marley told The Register. "We are trading the responsibility of directly controlling and managing these systems and trusting our vendors to do it for us. This changing landscape has placed much greater emphasis on the need to validate that our third-party vendors are managing our systems and data responsibly and safely." ®