A foreign hacker apparently gained access to a few Park County government email accounts last week, briefly using them to send out a slew of spam.
The spam landed the county’s email server on various blacklists, which has left county workers generally unable to send email from their accounts since Tuesday, April 10. (The county is still able to receive incoming email.)
Park County Chief Information Officer Mike Conners said Monday that it appears someone cracked the passwords of a handful of county employees.
“It’s pretty obvious that somebody hacked the accounts and probably sold them [the login information] on the dark web,” Conners said, citing evidence that multiple computers from around the globe tried logging in.
Conners and IT staffers required all county employees to change their passwords and were “making sure all the accounts are locked up and things like that — plugging holes” on Monday, he said.
Conners said there was no indication the hackers were interested in the information in the county’s email inboxes; they simply wanted to use Park County’s mail server to send spam.
The trouble started around 3:40 a.m. on Tuesday, April 10, when someone from an IP address located in the Netherlands logged into a county account.
The hack was discovered hours later, when county employees noticed a fresh batch of phishing emails, purportedly sent by one of their co-workers, directing them to a website intended to steal their login credentials.
Beyond spamming county employees, the compromised account and computer “was sending this same message that it sent to all of us to anybody else it could think of on the planet,” Conners said.
Under the subject line “Important notice from help desk,” the one-line message read, “Your Mail Box Exceeded it storage limit CLICK HERE TO UNBLOCK Fill and click SUBMIT for more space or you wont be able to send Mail.”
The spam landed the county on roughly a half-dozen email “blacklists” and made it “hit and miss” as to who county employees could email, Conners said. Some systems like Google’s began rejecting all messages from @parkcounty.us addresses. That also left the Cody Police Department — which shares a server with the county — generally unable to email their colleagues at the City of Cody, which uses a version of Google’s Gmail.
Conners said he and his IT crew changed the password on the compromised account and blocked the IP addresses from the Netherlands to keep the hackers out. They then began the arduous process of having Park County’s domain removed from the various blacklists; in some cases, blacklist administrators told the county that getting off the blacklist would take seven to 10 days.
The IT crew was working through that process when, around noon on Wednesday, they realized another account had been compromised and had started spewing more spam, Conners said.
“It triggered us back on two of the blacklists we’d already gotten off of,” he said. “So now they’re not so apt to trust us.”
In the second incident, a hacker got in from an Australia-based IP address, Conners said. A third account was compromised later on Wednesday, but the IT staff shut it down before the hacker could spew any more spam.
Although the passwords were changed, Conners said hackers ranging from Brazil to Asia have been continuing to try logging in with the old, cracked passwords.
“They’re still banging away, trying to get at it,” he said Monday.
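The two signals the county's IT staff describe above, a single mailbox logging in from the Netherlands at 3:40 a.m. and then from the office a few hours later, and a steady stream of failed logins from many foreign addresses after the passwords were reset, are both easy to pull out of ordinary mail-server authentication logs. The script below is an added illustration, not Park County's own tooling or logs: the log line format ("timestamp user source-IP result"), the sample lines, and the IP-to-country table are all constructed for the example (the IPs are documentation ranges, and 10.x is assumed to be the county's own network).

```python
"""Flag mail accounts with logins from several countries, and accounts still
being hammered from many sources after a password reset.

Added example. Log format, sample lines and the GeoIP lookup are assumed or
constructed; they are not Park County's data or tooling.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed format: "<ISO time> <user> <src_ip> <result>"
SAMPLE_LOG = """\
2018-04-10T03:40:12 jdoe 192.0.2.10 success
2018-04-10T03:41:02 jdoe 192.0.2.10 success
2018-04-10T09:15:44 jdoe 10.20.1.15 success
2018-04-11T12:02:10 asmith 198.51.100.20 success
2018-04-12T08:00:00 jdoe 203.0.113.5 failure
2018-04-12T08:00:03 jdoe 203.0.113.6 failure
2018-04-12T08:00:05 jdoe 203.0.113.7 failure
2018-04-12T08:00:10 jdoe 203.0.113.8 failure
2018-04-12T09:00:00 bwilson 10.20.1.22 success
2018-04-12T09:30:00 asmith 10.20.1.9 failure
"""

# Constructed lookup standing in for a real GeoIP database (documentation IPs only).
GEO = {
    "192.0.2.10": "NL",
    "198.51.100.20": "AU",
    "203.0.113.5": "BR",
    "203.0.113.6": "IN",
    "203.0.113.7": "BR",
    "203.0.113.8": "CN",
}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (success|failure)$")


def parse_log(text):
    """Return a list of (timestamp, user, ip, result) tuples; skips unparsable lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, user, ip, result = m.groups()
            events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def country_of(ip):
    """Assumption: 10.x is the county's own network, everything else via the GEO table."""
    if ip.startswith("10."):
        return "US"
    return GEO.get(ip, "??")


def multi_country_logins(events, window=timedelta(hours=24), min_countries=2):
    """Accounts whose successful logins span >= min_countries countries inside one window.

    Returns {user: set_of_countries} for the first window that trips the threshold.
    """
    by_user = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "success":
            by_user[user].append((ts, country_of(ip)))
    flagged = {}
    for user, logins in by_user.items():
        logins.sort()
        for ts_i, _ in logins:
            # Distinct countries seen in the window ending at this login.
            seen = {cc for ts_j, cc in logins if ts_i - window <= ts_j <= ts_i}
            if len(seen) >= min_countries:
                flagged[user] = seen
                break
    return flagged


def failed_after_reset(events, reset_iso, min_sources=3):
    """Accounts that collect failed logins from >= min_sources distinct IPs after a reset.

    Returns {user: sorted list of (ip, country)}; this is the "still banging away" pattern.
    """
    reset_time = datetime.fromisoformat(reset_iso)
    by_user = defaultdict(set)
    for ts, user, ip, result in events:
        if result == "failure" and ts >= reset_time:
            by_user[user].add(ip)
    return {
        u: sorted((ip, country_of(ip)) for ip in ips)
        for u, ips in by_user.items()
        if len(ips) >= min_sources
    }


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for user, countries in multi_country_logins(ev).items():
        print(f"{user}: logins from {sorted(countries)} within 24h")
    for user, sources in failed_after_reset(ev, "2018-04-11T00:00:00").items():
        print(f"{user}: {len(sources)} distinct sources still trying after reset")
```

On the constructed data this flags jdoe twice: once for the NL-then-US login pair, and again for four failed attempts from three countries after the reset. The second check is the more useful one operationally, since it tells you which old passwords are being replayed and which source addresses are worth blocking at the mail server, as the county did with the Dutch addresses.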
While the county waits to be removed from the blacklists, the IT department set up alternate accounts @parkcounty.online as a temporary fix for outgoing email.
The Park County Clerk’s Office turned to some older technology to send a legal notice to area newspapers last week.
“We are having email problems and not sure when or if they will be resolved ... so that is why I’m FAXing you,” First Deputy Park County Clerk Hans Odde wrote on a Thursday cover sheet. “Welcome back to 1995!”
The commissioners’ executive assistant, meanwhile, used her personal email account to send out a draft commission agenda on Friday.
It’s not the first time that hackers have caused trouble for the Park County government. The county’s website was hacked and infected with malicious code in 2014 while ransomware got onto the county’s network in early 2016, forcing the restoration of some files but not causing any serious damage.