TOPEKA — Cyberattacks crippled the websites of about a dozen Kansas counties in early August — replacing their homepages with cryptic messages and an image of Mecca.
One county, which was conducting an election during the assault, decided against posting results online. The attacks did not affect vote counting but meant citizens didn't have access to normal government information, such as contacts for local agencies, for several hours.
The hacks defaced websites, but did not affect other systems. It does not appear the hacker or hackers took data hostage, as has happened elsewhere in the country. State officials don't think the hacking was connected to the August primary election.
But the attacks — not widely known until now — showcased the cyber vulnerabilities of local governments in Kansas. And they took place as online threats are rising.
In Baltimore this spring, hackers took control of government data and demanded a ransom payment to release it. Similar attacks caused havoc in Colorado and Atlanta in 2018.
"In the last maybe year or so, there has been a significant increase in attacks against governments — not just websites, but systems as well," said Miloslava Plachkinova, interim director of the cybersecurity program at the University of Tampa.
The affected Kansas websites were all hosted by Thomson Reuters, a global company best known for the Reuters news service. At least one county is changing providers after the incident.
"It's rare for us. I would say beyond rare — unique," company spokesman Dave Moran said of the attack.
Emails obtained by The Eagle and The Star through a records request to the Kansas secretary of state's office reveal how officials scrambled to grasp the extent of the August attack. They show one county after another notifying Bryan Caskey, the state's elections director, that their sites had been compromised.
The attacks occurred on Saturday, Aug. 3, and again the following Tuesday, Aug. 6, which was also primary Election Day in some counties. During the attacks, the websites said "Hacked by AR-MRX" and "HACKED BY MUSLIM" with a picture of Mecca, the Islamic holy city in Saudi Arabia.
On Monday and Tuesday that week, Caskey received emails from officials in Nemaha, Ottawa, Haskell and Marion counties about website hacking. The secretary of state's office is notified of attacks because of a change in federal rules made after the 2016 election.
At 3:47 p.m. that Tuesday, Marion County Clerk Tina Spencer emailed Caskey, saying the county site was experiencing "malicious activity." Pam Carrion, the clerk in Haskell County, followed at 3:53 p.m. saying that site was also hacked.
That same minute, Caskey sent an email saying he thought that Sumner and Chautauqua counties may have also been compromised. The secretary of state's office redacted the recipient of the email.
At 3:59 p.m., Spencer emailed Caskey again. This time she said she had been told by Lloyd, whose contact information is redacted, that "there was something trying to infect the system" during the attack that day.
In Brown County, officials were winding down a primary election when they noticed their website was down. Sandy Carter, Brown County's information technology director, told a reporter that the county decided to not post the results to the website and instead notify local media of the results.
"This incident did not, in any way, interfere with the terms of conducting the election," Carter said in response to a reporter's questions. "The election staff was able to continue with the process of the election without interruption."
Secretary of state spokeswoman Katie Koupal said that only two of the 14 counties that held primary elections on Aug. 6 were hit in the attack. The counties were Brown and Chautauqua, Koupal said.
Defaced, but no data ransom
Thomson Reuters hosts the websites of more than 20 local governments in Kansas. Moran, the company spokesman, said in a phone call that about a dozen sites were compromised in the attacks. In a later call, he said customer confidentiality agreements prevent him from disclosing the exact number.
In an email on Friday, Aug. 6, someone apologized for the service interruption the counties experienced because of the attack. Although both the sender and recipient of the email were redacted, Thomson Reuters has acknowledged that it hosts the compromised sites.
"We value your business and understand how important it is for you to be able to rely on the services we provide," the email says.
In the wake of the attack, Brown County is moving to another website provider, according to Carter, the county's IT director. Spencer, the Marion County clerk, said officials are "looking at any and all options necessary to ensure the security of our website in the future."
Moran said the company doesn't know who is responsible for the attack or whether it was the work of one person or a group. Thomson Reuters took down the affected websites within 10 minutes of being alerted to the problem and restored the sites over the next several hours, he said.
In recent years, more governments have faced ransomware attacks, where hackers hold data hostage until payment is made. But Moran said that wasn't the case in the Kansas attack, adding that the websites had only been defaced. He compared it to graffiti on a building.
Moran said the company is confident the vulnerability that allowed the attack has been fixed.
"We brought in our internal experts to review this situation and take the appropriate steps to make sure this doesn't happen again," Moran said.
Hackers 'consistently' strike
The Kansas attacks come amid a bipartisan effort in Congress to increase the help available to cities and counties to combat cyber threats that include ransomware attacks where data is held hostage, phishing attacks where data is stolen and denial-of-service attacks that stop websites from functioning.
In June, Sen. Gary Peters, a Michigan Democrat, and Sen. Rob Portman, an Ohio Republican, introduced legislation that would increase cybersecurity coordination between the Department of Homeland Security and state and local governments.
The bill allows the National Cybersecurity and Communications Integration Center to provide guidance and training to state and local governments. It also allows the center to provide enhanced security tools to state and local governments and allows joint exercises to test cybersecurity systems.
Portman said state and local governments sometimes need extra help to deal with threats.
"Hackers with malicious intent can and do attack state and local cyber infrastructure consistently," he said at the time.
In addition to high-profile attacks in Baltimore, Atlanta and Colorado, Congress has also found that Russia targeted election systems in all 50 states in 2016.
"I think it definitely put that issue on the radar for everyone," said Jay Hall, legislative policy director and general counsel at the Kansas Association of Counties.
Governments are a common target for hackers because they often use outdated infrastructure, Plachkinova said. They often don't have the latest updates and technology.
"It doesn't matter if it's the government or any industry organization, I feel like we're always catching up to the hackers," Plachkinova said. "Because all they do is they spend all their time looking for vulnerabilities, for threats anywhere on these systems."