Malware suspected on some Arizona legislators' computers

When some state lawmakers clicked on the link in a fake email to change their passwords, they saw a message in Russian. (Source: KPHO/KTVK)
Investigators believe lawmakers weren't hacked but there were some computers that had malware on them. (Source: KPHO/KTVK)
Ken Colburn with the Data Doctors said sending an email to change a password is a big flaw in cybersecurity. (Source: KPHO/KTVK)

The Arizona Department of Administration said it has uncovered no evidence of tampering within a state employee timekeeping system after some legislators saw message prompts in Russian.

While no system-wide breach has been detected, state computer experts have now turned their attention to "a handful" of individual computers used by state lawmakers and their staff that may be infected with malware. 

Concerns about a potential hack surfaced last week after some lawmakers and legislative staff clicked on a link in an email asking them to change their password to the state's Human Resource Information System (HRIS). Some reported seeing a pop-up screen in Russian. About 40,000 state employees use HRIS to enter time worked and direct deposit information. 

State officials took HRIS offline for monitoring Friday night. They restored the system Monday morning after no unusual activity was detected.

State investigators now say the emails requesting the password change were legitimate -- not a phishing attempt -- and the wording in Russian may have been a symptom of malware already present on “a few” of the computers at the state Legislature.  

ADOA spokeswoman Megan Rose said state cyber experts "believe the incident is isolated to a few PCs." 

"One possibility we are looking into is that the PCs have malware on them, which has the ability to change browser language settings. We are running forensic analysis on those computers to find out further info," she said by email.

Malware, short for malicious software, can range in purpose and severity. In its most dangerous form, certain malware can quietly track a user's activity and steal usernames and passwords. Last year, the state took its voter registration system offline for monitoring after hackers used malware to steal a county election official's login information.

Other malware simply changes the look of icons or internet browser settings, like a user's preferred search engine, said cybersecurity expert Jamie Winterton of Arizona State University's Global Security Initiative.

"Finding out how long the malware has been on that system is the first question. Once you know how long that bad code has been operating on the system and what it's doing, [you can start] figuring out where those computers have touched other computers in the network and may have transmitted the malware," she said.

Winterton cautioned that the Russian text “does not necessarily mean that Russian hackers got into the system. Russian hackers are very popular these days, but not everything is a Russian state-sponsored attack.”

Ken Colburn of Data Doctors said the incident reveals an alarming flaw in the state’s cybersecurity protocols.

“Any IT department that is actually telling users to make a change to their credentials through email is just crazy,” he said. “If you're doing that, whether you're the state or a business, stop doing that today!”

Instead, Colburn said users should be prompted to change their passwords at the log-in page.

Using email reminders to prompt password changes only makes it harder for users to “decipher what's real and what's not” when faced with phishing emails, he said.

Colburn added that there is a growing body of research suggesting that requiring frequent password changes is ineffective. He said longer passphrases – like a simple sentence – are much harder to crack.

Copyright 2017 KPHO/KTVK (KPHO Broadcasting Corporation). All rights reserved.