close
close

MACo warns district authorities about malware attacks in Public Information Act

MACo warns district authorities about malware attacks in Public Information Act
Posted on | Posted on Theodore

Maryland authorities are warning county agencies and employees to be cautious when processing requests under the state’s Public Information Act following reports of malware attacks using a similar scheme against some district attorneys in Virginia.

Representatives of the Maryland Association of Counties (MACo), which issued the warning last week, said they were not aware of any attacks on their offices in Maryland, but wanted to alert local authorities to “be vigilant.”

“We haven’t seen any cases like this in Maryland, but I just felt like this was a good opportunity to educate our people,” said Karrington Anderson, deputy policy director at MACo.

She posted the warning on the association’s blog last week, urging county agencies and employees to be wary of malware scams that could be launched via links in PIA requests. Previously, similar attempts were uncovered in Virginia that took advantage of the state’s Freedom of Information Act (FOIA).

“Public Information Act (PIA) malware scams could target county governments,” Anderson warned in her August 7 post. “In Virginia, counties are receiving FOIA requests as attachments that, once opened, contain malware.”

“Not only can this malware paralyze entire systems, it also consumes resources and requires municipalities to spend significant amounts of money to repair the damage. The disruptions caused by these attacks can lead to delays in government operations,” their post states.

The Maryland Department of Information Technology said it has not detected any such attacks in the state.

“OSM (Office of Security Management) has not received any information about a malware attack on MACo. OSM has not been notified of any malware attacks by any of the local agencies, counties or municipalities we serve,” said a statement from Nathaniel Miller, a press secretary for the Maryland Department of Information Technology.

Maryland’s PIA allows people to request information about the activities of state and local agencies. The process of obtaining documents and information can be a tedious and time-consuming task, depending on the scope of the request. Generally, PIA requests are sent via email.

Anderson and other officials warn that malware disguised as links or attachments in PIA requests can compromise the security of county and state agencies if an employee accidentally clicks on them, a practice often referred to as a “phishing scam.”

Representatives of the Virginia Association of Counties said they “don’t have many details other than what Lancaster County Attorney James Cornwell said in a local newspaper article” in which he was quoted as saying that “several” district attorneys had been affected by malware disguised as a FOIA request. VACo said it had alerted its members and would monitor the situation.

However, depending on the attackers’ goals, a successful malware attack could create numerous problems for county and state agencies, said Dave Levin, an associate professor in the Department of Computer Science at the University of Maryland and a core member of the university’s Maryland Cybersecurity Center.

Levin listed a number of possible malware capabilities, including turning on computer microphones and cameras, accessing private networks, browsing files within a network or computer, accessing private data, and monitoring activity, to name a few. He also noted that malware can trigger ransomware, which locks data on a computer until the attacker receives a financial payment from the victim.

“The question is: What can software do? What data can the malware access? What permissions can it run with?” he said. “What can malware do? … Whatever a computer can do, whatever permissions it is given – that is what it can do.”

He also pointed out that malware can be hidden and difficult to identify once it is present on a computer system.

“Once you’re infected with malware, especially malware that has managed to gain high privileges, it can be very, very difficult to even detect the existence of the malware and know if you’ve actually removed it,” Levin said.

In her post last week, Anderson urged state and county officials to be aware that no system is infallible and all are vulnerable to malicious cyberattacks.

“It is important to be vigilant about suspicious links or attachments that may contain… malware. If a PIA link or attachment is sent in an email, it is recommended to ask the sender to resend the PIA request in the body of the email,” she said in her post last week.

Increased scrutiny of PIA requests for cybersecurity reasons could create additional hurdles for Maryland residents in pursuing their legitimate requests for information, said Rebecca Snyder, executive director of the Maryland-Delaware-DC Press Association. She said fear of phishing attempts could be used as a “loophole” to slow down compliance with PIA requests.

“This excludes people who are genuinely seeking information,” she said. “The risk is that they become disempowered and demoralized and feel like no one is reaching out to them.”

“If it’s recommended that the request be resent in the body of the email rather than as an attachment … I think that just creates another loophole,” she said. “It just feels like it could be a tool when there’s not always a lot of trust between (PIA) administrators and applicants to begin with.”

But Snyder admitted that she does not believe there is “anything that can be done about it.”

“We also need to protect against phishing attacks and the like,” she said. She believes cybersecurity incidents are becoming more common and that protecting against malware scams in PIA requests is a legitimate concern.

“Trust in the Internet and email is not as high as it once was because there are so many threats,” she said.

Leave a Reply

Your email address will not be published. Required fields are marked *