The attack, which occurred in January right as the state was on the verge of dealing with the COVID-19 outbreak, involved the exploitation of an unpatched vulnerability that has seen global use by an infamous Chinese hacking group.
Though officials became aware of the attack by Jan. 28, the issue went unreported until last week when it was disclosed in the Wall Street Journal.
Hackers took advantage of a widely known vulnerability in several Citrix NetScalers, commonly used devices that expedite communications between computer users. Citrix originally reported the security hole in mid-December and issued a patch on Jan. 10, but New York apparently failed to, or could not, act on the information in time, according to the Albany Times Union.
Using the vulnerability, hackers tunneled their way into several servers at the State University of New York (SUNY) College of Nanoscale Science and Engineering (CNSE), which has served as New York's main server farm since its 2013 data consolidation project. Officials have said that no personal or employee data was exposed as a result of the incident, though a number of servers routinely used by the State Police and other state agencies were temporarily rendered inaccessible.
“With the review complete, there is no evidence that personal data of any New York resident, employee, or any other individuals were compromised or have been taken from our network,” Rich Azzopardi, a senior advisor to Gov. Andrew M. Cuomo, told reporters. “In the meantime, ITS (Office of Information Technology Services) has taken actions to further harden our network and protect the integrity of our system.”
This attack occurred at the same time that the China-backed hacking group APT41 was conducting a global intrusion campaign based on the same Citrix vulnerability, targeting unpatched industry and government organizations alike. While it's unknown whether APT41 was the group responsible for the New York hack, the details of the incident and the nature of the group's campaign do share a certain similarity. The Times Union described the incident as "part of a mass cyberattack on similar devices worldwide."
APT41 has used the vulnerability to conduct operations against businesses and governments alike, for unknown purposes, according to experts with cybersecurity firm FireEye.
Threat groups can be very mysterious and take careful analysis to understand, though the company's research has shown that APT41 is likely made up of contractors tasked by the state to conduct espionage and is one of the more capable groups that the firm tracks.
Since the attack, New York has taken a number of steps to investigate the incident, including hiring CrowdStrike to analyze how the attack occurred, while also teaming up with the FBI and other outside organizations to better understand what happened.
Albany has suffered through a number of debilitating cyberattacks over the past year, including a ransomware incident last March that cost the city $300,000, and a similar, more recent attack on its airport.
When reached by phone Monday, a communications representative for ITS declined to comment on the incident.