Oregon website breach: Hackers, possibly from China or North Korea, got in a week before detection

Oregon Secretary of State Kate Brown's office detected an intrusion into the agency's website on Feb. 4. New information and documents show that hackers, possibly from China or North Korea, broke into the website a week before they were detected.

(Michael Lloyd/The Oregonian)

UPDATE: Oregon website breach: Hackers got in 2 weeks before detection, officials now say

Hackers possibly from China or North Korea broke into the Oregon Secretary of State's website a week before state officials realized it, newly obtained documents and information show, prompting the agency to shut off international access last February.

The agency also forwarded three Internet Protocol addresses – which can be used to identify computers – to the FBI for investigation, The Oregonian has learned.

The new information sheds light on an incident in which the agency shut down all public access to two databases for weeks in February, saying at the time that a "foreign entity" had breached the system and that the agency was investigating.

Emails and other documents, obtained in a public records request, hold details on timing and possible suspects. They also show that as the incident unfolded -- once officials detected the breach Feb. 4 -- staffers worked to identify the source of the attack, repair the system and help affected users.

They also spent considerable energy trying to manage the agency's public image, documents show, discussing talking points and sharing detailed reports about posts on social media.

The office publicly disclosed the attack Feb. 5, a day after taking the state's campaign finance and business registry databases offline. The databases, which contain public information, were slowly restored starting about three weeks later as business attorneys and others expressed frustration over being unable to register businesses or report campaign transactions.

In a Feb. 15 email, Julie Pearson-Ruthven, then the office's chief information officer, said access from China, Taiwan and North Korea had been blocked.

"We do suspect that's where it's from, but we don't know, and the FBI is the one who is looking at the IP addresses, not us," Tony Green, a spokesman for the Secretary of State's Office, said Thursday. "We have not heard back from law enforcement about whether or not they have definitive information on where the attacks came from."

Green said later Thursday that the IP addresses were "pass-throughs," not the points of origin.

In a Feb. 18 email, Pearson-Ruthven wrote that traffic from all foreign countries was blocked. Officials began restoring foreign access, while beefing up security, sometime after U.S. access to the databases was restored, Green said Thursday. He declined to disclose what controls remain in place.

He directed further questions about suspects to the FBI. FBI spokeswoman Beth Anne Steele, in an email Wednesday, said only: "The FBI cannot comment on what may or may not be an open investigation."

Officials previously said the hackers did not gain access to the office's voter registry or to credit card information. Thursday, Green declined to provide details on what damage the hackers did cause but signaled that it was minor.

"We caught them prior to them fully getting in and getting whatever they were looking for," he said. "Had they been able to fully get in and stay in longer and do more damage, we would probably know more about what they were up to."

On timing, Green downplayed the lag time before the breach was detected, saying the hackers broke into the website at night when staffers were away.

"We didn't discover it in real time because it was low-level activity, comparable to casing a store, and there were no indications of abnormal traffic," he wrote in an email Thursday.

Kathryn Ash, president of Portland cybersecurity firm IPCopper, said any delay involving days or even hours could be a problem.

"If you're looking at the standard, you want to be able to detect a breach within an hour," she said. "An hour, if a hacker is determined, is enough to install back doors for coming back later and getting access or, if their intent is malicious, to change data or erase data."

The Oregonian requested the records shortly after the breach was reported and recently received a thumb drive containing about 2,400 files. Many are emails in which top officials focus on public perception.

Green and Pearson-Ruthven joined Secretary of State Kate Brown, chief of staff Gina Zejdlik, and social media and web strategist Jacqueline Sowell in strategizing on messaging.

They group-edited press releases and elevated the situation to the top "Response Level 4" of their "Social Media Crisis Escalation Protocol."

Leaders also regularly received emails with media reports about the attack, along with 10-page social media reports that had relevant tweets color-coded to indicate whether they were positive, neutral or negative.

In an exchange Feb. 15, Green asked some colleagues to hide a critical comment on Brown's Facebook page. "It's jarring," Green wrote.

Policy adviser Josh Goldberg hid the post. About seven minutes later, Sowell replied that it would be better to post new items to bump the critical comment down the page. "It's our policy to leave posts visible so long as they are on topic and avoid prejudiced or profane language," she wrote. "Hiding it is stifling free speech."

Green reversed course five minutes later and said he agreed. "Let's unhide it and post something on top," he wrote.

"We had a lot going on, and I made a bad call, and we fixed it," Green said Thursday. "I read that email chain, and it seems like we got it right. We stumbled on our way there perhaps, but we did exactly as we should be doing. Nobody is error-free."

Jeff Manning and Dana Tims contributed to this story.

-- Yuxing Zheng