Recent reports of malware scam attempts through Virginia's Freedom of Information Act have prompted Maryland state officials to warn county governments of similar attacks. Photo by Getty Images.
Maryland officials are warning county agencies and employees to be wary when handling requests under the state’s Public Information Act, after malware attacks using a similar scheme reportedly hit some county attorneys in Virginia.
Maryland Association of Counties (MACo) officials, who posted the warning last week, said they are not aware of any attempts against Maryland offices, but wanted to put local officials “on lookout mode.”
“We haven’t seen any instances of this happening in Maryland, but I just felt like it was a good opportunity to share this with our people,” said Karrington Anderson, associate policy director with MACo.
She posted the alert to the association’s blog last week urging county agencies and employees to “beware” malware scams that could come through links attached to PIA requests, after similar attempts were identified in Virginia using that state’s Freedom of Information Act (FOIA).
“Public Information Act (PIA) malware scams could target county governments,” Anderson warned in her Aug. 7 post. “In Virginia, counties are receiving FOIA requests as attachments that, once opened, contain malware.
“Not only is this malware capable of shutting down entire systems, but it also expends resources and require counties to spend significant amounts of money to repair the damage. The disruption caused by these attacks can lead to delays in government operations,” her post said.
The Maryland Department of Information Technology said that it has not identified any such attacks in the state yet.
“OSM (Office of Security Management) has not received any information regarding a malware attack directed at MACo. OSM has not been informed of malware attacks by any local agencies, counties, or municipalities we serve,” said a statement from Nathaniel Miller, a public information officer speaking on behalf of the Maryland Department of Information Technology.
Maryland’s PIA allows people to request information on the activities of state and local governments. The process to receive documents and information can be an arduous and time-consuming task, depending on the scope of the request. Generally, PIA requests are sent over email.
Anderson and other officials warn that malware disguised as links or attachments in PIA requests could compromise the security of county and state agencies if an employee mistakenly clicks on it, often known as a “phishing scam.”
Officials from the Virginia Association of Counties said they “did not have many details other than what Lancaster County Attorney James Cornwell said” in an article from a local newspaper, in which he was quoted as saying that “several” county attorneys had been hit by malware posing as a FOIA request. VACo said it alerted its members, and will monitor the situation.
That said, a successful malware attack could lead to multiple issues for county and state agencies, depending on the end goals of the attackers, according Dave Levin, an associate professor with the University of Maryland’s Department of Computer Science. He is also a core member of the university’s Maryland Cybersecurity Center.
Levin listed a variety of potential malware capabilities, such as turning on computer microphones and cameras, accessing private networks, looking through files within a network or computer, accessing private data and surveilling activities, among many others. He also noted malware can unleash ransomware, which is when data on a computer is locked until the attacker receives financial payment from the victim.
“The question is: What can software do? What sort of data is the malware able to gain access to? What permissions is it able to run as?” he said. “What can malware do? … Whatever a computer can do, whatever permissions they get – that’s what they can start doing.”
He also noted that malware can be stealthy and hard to identify if there is malware present on a computer system.
“Once you’re infected with malware, especially malware that was able to gain high levels of privilege, it can be really, really difficult to identify that malware is even there and to know that you’ve actually removed it,” Levin said.
In her post last week, Anderson urged state and county officials to “be aware that no system is infallible and all are vulnerable to malicious cyber attacks.”
“It is important to be vigilant of suspicious links or attachments that could contain … malware. If a PIA link or attachment is sent in an email, it is recommended to request that the sender resends the PIA request within the body of an email,” she said in last week’s post.
The increased scrutiny on PIA requests for the sake of cyber security could create additional hurdles for Marylanders to get their legitimate requests for information through, said Rebecca Snyder, executive director of the Maryland-Delaware-D.C. Press Association. She said that fears of phishing attempts could be used as a “loophole” to slow down the process of fulfilling PIA requests.
“It whittles out people who are legitimately looking for information,” she said. “So the risk there, they get disenfranchised, they get demoralized, they feel like no one is going to get back to them.
“When the recommendation is to resend the request in the body of the email instead of as an attachments … I think it just creates another loophole,” she said. “It just feels like it can be a tool, when there’s not always a lot of trust between (PIA) custodians and requesters to begin with.”
But Snyder conceded that she doesn’t think “there’s anything to be done about it.”
“We also do have to guard against phishing attacks and things like that,” she said. She believes cyber-security incidents are happening more frequently, and that protecting against malware scams in PIA requests is a valid concern.
“Internet and email are not as firmly trusted as they used to be, just because there are so many threats,” she said.
Most Popular
Comments / 0