Cyberattack shuts down unemployment, labor websites across the US
Software maker GSI took systems offline, affecting thousands of people in as many as 40 states
A cyberattack on a software company almost a week ago continues to ripple through labor and workforce agencies in a number of US states, cutting off people from such services as unemployment benefits and job-seeking programs.
Labor departments and related agencies in at least nine states have been impacted. According to the Louisiana Workforce Commission in a statement this week, Geographic Solutions (GSI) was forced to shut down state labor exchanges and unemployment claims systems, and as many as 40 states and Washington DC, all of which rely on GSI's services, could be affected.
In a statement to media organizations, GSI President Paul Toomey said the Palm Harbor, Florida-based company "identified anomalous activity on our network," and took its services offline. Toomey didn't elaborate on whether GSI was hit with ransomware or some other type of malware.
He said the company is working with third-party specialists to investigate the cyber-incident and ensure it doesn't happen again. Toomey said he hoped to bring the services back up before the July 4 holiday, though as of midday Friday, here on the US East Coast, GSI's website was still offline. Agencies in several states said they were notified of the problem by GSI on June 26.
According to the company's LinkedIn page, GSI develops software for such purposes as workforce development, labor market information, and unemployment insurance, and has created online offerings for state and local governments in more than 35 states. The vendor, which has more than 350 employees, also implements and manages websites for agencies in such states as California, Florida, North Carolina, and Indiana.
The shutting down of the services is impacting tens of thousands of unemployed and job-seeking people across the country. The outage of the Louisiana Workforce Commission's HiRE website is affecting almost 11,000 people who are filing continued unemployment claims in that state.
GSI also operates Tennessee's Jobs4TN site, which includes the state's unemployment system and labor data exchange and which also went offline. About 12,000 Tennessee residents rely on the state's unemployment program and the workforce development programs, according to the state's Department of Labor and Workforce Development. California's Employment Development Department said in a notice that the GSI service shutdown caused its CalJOBS website to go offline.
Other states, ranging from New Hampshire to Texas, also were impacted by the GSI outage. The Nebraska Department of Labor, whose NEworks unemployment and jobs site went offline, said in a statement that "GSI has indicated this attack affected only access to GSI online systems and there is no evidence of any user data being compromised."
While GSI isn't commenting on the kind of attack it was hit by, it has the feel of ransomware, according to Mike Parkin, senior technical engineer at Vulcan Cyber.
"Given how common ransomware is used, it wouldn't be surprising if that was the case here," Parkin told The Register. "While a threat actor could simply disrupt operations with a denial-of-service, distributed denial-of-service, or destructive malware, the profit motive, especially where personal information may be involved, favors a ransomware attack."
Looking at the volatile international situation and the nature of the target, it's possible that the attack is coming from a nation state or state-sponsored threat actor, he added.
John Bambenek, principal threat hunter at cybersecurity firm Netenrich, agreed that it was likely a ransomware attack given its disruptive nature, and told The Register "the more important question is what information is at risk for the users of those websites and what protection steps they should take. Too often, we focus on the corporate parts of incident response but forget the impact to those whose private information is stolen."
The outage is the latest in a growing trend of software supply chain attacks, where cybercriminals will attack one company with the goal of infecting the victim's partners and customers downstream, essentially expanding the blast radius of its malware. The 2020 attack on SolarWinds is an example, where the Russia-directed gang Nobelium was able to inject malicious code into an upgrade of the company's Orion infrastructure management software. When SolarWinds customers – which included many US government IT departments – downloaded and deployed the update, their systems were likewise infected.
Other examples include the ransomware attack on software vendor Kaseya a year ago that leveraged a vulnerability in the company's VSA software to infect organizations down the supply chain.
In its 2022 Data Breach Investigations Report, Verizon reckoned supply-chain attacks account for about 10 percent of overall cybersecurity incidents every year. According to Deepen Desai, CISO and vice president of security research and operations at zero-trust vendor Zscaler, the supply-chain risk is evolving.
Traditionally they have been run by nation-states – such as the SolarWinds affair – for espionage purposes, Desai told The Register during Zscaler's recent Zenith Live conference. However, now financially motivated threat groups are seeing how they also can infect a company with malicious code "and proceed to thousands of organizations downstream that are customers."
"It indicates that the crimeware gangs – these financial gangs – have evolved in terms of their sophistication and are leveraging some of the playbooks of nation-states," he said. "It was expected, especially given the amount of success some of these [nation-state] gangs were having."
Desai also noted he expects to start seeing multi-tiered attacks, where it's not only a victim's downstream partners and customers that are targeted but also the victim's upstream vendors.
The GSI attack also highlights the need for organizations to develop third-party risk management programs, according to Tim Marley, field CISO and vice president of audit, risk and compliance at Cerberus Sentinel.
"We've witnessed a significant shift over the last decade from on-premises systems to cloud-hosted solutions," Marley told The Register. "We're trading the responsibility to directly control and manage these systems and trusting our vendors to do this for us. This shifting landscape has placed much greater emphasis on the need to validate that our third-party vendors are managing our systems and data responsibly and securely." ®