Chippewa County Wisconsin Sheriffs Office Patch Logo
(image source: Chippewa County Sheriff’s Office (WEAU), 2023)
One-sentence summary:
In February 2023, a Chippewa County HR employee accidentally downloaded a remote access tool, allowing an attacker to potentially breach the sensitive data of over 800+ Wisconsin residents.
Who was involved?
Chippewa County Human Resources Department employee, Chippewa County Human Resources Department, 842 potential Wisconsin (current or former) residents, and a threat actor.
What was the timeline?
February 28, 2023: Threat actor gains initial access to Chippewa County Human Resources Department employee’s computer via remote access tool
March 1, 2023: Breach is detected by the same Chippewa County Human Resources Department employee. The IT department rapidly responds.
April 4, 2023: Chippewa County reports the breach to HHS
What occurred?
In February 2023, a Chippewa County HR employee accidentally downloaded a remote access tool through an unknown method, giving a threat actor access to their county endpoint. The same employee noticed potential UI interaction from the threat actor and notified the county IT department that limited their actual access to five minutes (GovernmentTechnology, 2023). Unfortunately, up to 35 MB of data may have been exfiltrated and potentially included “medical history number, client name, drug prescribed, date signed and the doctor’s initials” belonging to over 842 potential Wisconsin residents (GovernmentTechnology, 2023; HHS, 2023).
Estimated costs:
Associated incident response costs, breach notification costs
Involved laws:
Federal: HIPAA and HITECH
State: Wisconsin: Wis. Stat. § 134.98
Root cause:
Remote access tool installed by unknown method (potential phishing or drive-by download)
Lessons learned:
User awareness includes non-IT user post-breach awareness to recognize indicators of compromise. Network segmentation also pays off.
Further improvements:
This incident is a great opportunity for EDR (endpoint detection and response) technologies. EDR could potentially detect the malicious download (i.e., remote access tool) and quarantine it before any access attempts took place.
Example Solutions
CrowdStrike: https://www.crowdstrike.com/products/endpoint-security/falcon-insight-edr/
SentinelOne: https://www.sentinelone.com/blog/active-edr-feature-spotlight/
Additionally, the is also an opportunity to train employees on cybersecurity user awareness to prevent similar attacks from manifesting from common human methods, such as phishing or drive-by downloads.
Example Solutions
Knowbe4 https://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/
Proofpoint https://www.proofpoint.com/us/products/security-awareness-training
Finally, one cannot underestimate the value of 24/7 MDR (managed detection and response) services, such as a SOC. A SOC could potentially receive and correlate EDR alerts, network logs, as well as email alerts via a SIEM in order to piece together a potential, successful phishing attempt.
Example Solution
CyberConvoy MDR (managed detection and response): https://cyberconvoy.com/
Sources:
Chippewa County Sheriff’s Office (WEAU). (2023, February 6). 43UKWCKDKVHLPAN7BQVE2ZHGCM.jpg. WEAU 13 News. https://cloudfront-us-east-1.images.arcpublishing.com/gray/43UKWCKDKVHLPAN7BQVE2ZHGCM.jpg
GovernmentTechnology. (2023, April 6). Chippewa County, Wis., Officials Report Data Breach. GovTech. Retrieved April 9, 2023, from https://www.govtech.com/security/chippewa-county-wis-officials-report-data-breach
HHS. (2023, April 4). Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information. U.S. Department of Health & Human Services – Office For Civil Rights. Retrieved April 9, 2023, from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Commentary:
This attack is a great example of where a victim can turn around a breach by notifying their employer or IT department of a potential incident. Sure, it is embarrassing to fall victim to a phishing attempt. But so much more damage can be prevented by reporting it. This awareness and responsiveness should be included in user awareness training for end-users (not just preventing breaches). Chippewa County also appears to have a good network segmentation in place to confine the breach to just that employee’s endpoint. Additionally, this is a great example of government transparency.
