Malware suspected on some Arizona legislators' computers

When some state lawmakers clicked on the link in a fake email to change their passwords, they saw a message in Russian. (Source: KPHO/KTVK)
Investigators believe lawmakers weren't hacked but there were some computers that had malware on them. (Source: KPHO/KTVK)
Ken Colburn with the Data Doctors said sending an email to change a password is a big flaw in cybersecurity. (Source: KPHO/KTVK)

The Arizona Department of Administration said it has uncovered no evidence of tampering within a state employee timekeeping system after some legislators saw message prompts in Russian.

While no system-wide breach has been detected, state computer experts have now turned their attention to "a handful" of individual computers used by state lawmakers and their staff that may be infected with malware. 

Concerns about a potential hack surfaced last week after some lawmakers and legislative staff clicked on a link in an email asking them to change their password to the state's Human Resource Information System (HRIS). Some reported seeing a pop-up screen in Russian. About 40,000 state employees use HRIS to enter time worked and direct deposit information. 

State officials took HRIS offline for monitoring Friday night. They restored the system Monday morning after no unusual activity was detected.

State investigators now say the emails requesting the password change were legitimate -- not a phishing attempt -- and the wording in Russian may have been a symptom of malware already present on "a few" of the computers at the state Legislature.

ADOA spokeswoman Megan Rose said state cyber experts "believe the incident is isolated to a few PCs." 

"One possibility we are looking into is that the PCs have malware on them, which has the ability to change browser language settings. We are running forensic analysis on those computers to find out further info," she said by email.

Malware, short for malicious software, can range in purpose and severity. In its most dangerous form, certain malware can quietly track a user's activity and steal usernames and passwords. Last year, the state took its voter registration system offline for monitoring after hackers used malware to steal a county election official's login information.

Other malware simply changes the look of icons or internet browser settings, like a user's preferred search engine, said cybersecurity expert Jamie Winterton of Arizona State University's Global Security Initiative.

"Finding out how long the malware has been on that system is the first question. Once you know how long that bad code has been operating on the system and what it's doing, [you can start] figuring out where those computers have touched other computers in the network and may have transmitted the malware," she said.

Winterton cautioned that the Russian text “does not necessarily mean that Russian hackers got into the system. Russian hackers are very popular these days, but not everything is a Russian state-sponsored attack.”

Ken Colburn of Data Doctors said the incident reveals an alarming flaw in the state’s cybersecurity protocols.

“Any IT department that is actually telling users to make a change to their credentials through email is just crazy,” he said. “If you're doing that, whether you're the state or a business, stop doing that today!”

Instead, Colburn said users should be prompted to change their passwords at the log-in page.

Using email reminders to prompt password changes only makes it harder for users to “decipher what's real and what's not” when faced with phishing emails, he said.

Colburn added that there is a growing body of research suggesting that requiring frequent password changes is ineffective. He said longer passphrases – like a simple sentence – are much harder to crack.

Copyright 2017 KPHO/KTVK (KPHO Broadcasting Corporation). All rights reserved.

Derek Staahl is an Emmy Award-winning reporter and fill-in anchor who loves covering stories that matter most to Arizona families.
