Fri. Jan 3rd, 2025

A photograph of a screencap that shows the dark web site of ransom group Brain Cipher. Pictured is a list of security measures the hackers claim were absent on the Deloitte-made network for the public benefits system. (Alexander Castro/Rhode Island Current)

A trove of personal data burgled from Rhode Island’s public benefits network in early December has finally made its way onto the dark web, Gov. Dan McKee announced Monday afternoon.

At around 7 a.m., the countdown timer on Brain Cipher’s dark web site was replaced with a download button for the now-published files, plus a note taunting the path not taken by the system’s architect and vendor, Deloitte: “It seems that it was easier to pay and fix everything.”

The international cybercriminal group had threatened to release the data stolen from RIBridges — the online infrastructure that determines eligibility for benefits like food stamps and Medicaid — if its ransom demand went unmet by a deadline that changed at least five times over the last two weeks.

Hackers sit on RIBridges data dump

The ransom group had moved the deadline to Monday if it didn’t receive an unspecified payment from Deloitte, after extending the deadline from Dec. 24. That deadline had itself already been extended, with hackers giving the original cutoff date as Dec. 15, although the reasons for the extensions remain unclear. The data breach was first made public on Dec. 13.

McKee confirmed that “at least some” of the files thought to be part of the breach were part of the data dump during a State House press conference Monday afternoon.

The extent of havoc wrought by the cyberattack is still unclear, but state officials estimated on Dec. 23 that the personal information — like Social Security numbers, addresses and banking info — of up to 650,000 Rhode Islanders could be impacted. That number represents 59% of the state’s population.

“Identifying what is in those files is a complex process, but they’re working right now to make those identifications,” McKee told reporters, adding that Deloitte, not the state, has been negotiating with the hackers.

“This is the way that these processes happen,” McKee said. “Deloitte is the one who has the direct contact with cyber criminals, and we’re in contact with them on the IT issues, how quickly can we get the system back up and running.”

Deloitte representatives have been conspicuously absent from all five press conferences held since the breach was made public. A spokesperson for Deloitte did not immediately respond to a request for comment Monday night.  

When a reporter asked how the state would ensure the benefits system is safe once it’s back online, Brian Tardiff, the state’s chief digital officer, noted that a third party would audit Deloitte’s system once it’s restored.

Tardiff reiterated that he expects a Deloitte representative will appear at a press conference, eventually. 

“I think that we’re having significant progress in my conversations with Deloitte,” McKee said. But for now, the governor said the focus is on ensuring Rhode Islanders can get their benefits and take steps to protect their identities before the leaked information spreads.

HealthSource RI, the state’s health insurance marketplace, is partially linked to RIBridges and remains offline along with the rest of the system. The state has pushed back the open enrollment deadline, from Jan. 31 to Feb. 28.

Many more data strings left to untangle

Connor Goodwolf, a Columbus, Ohio-based cybersecurity expert and software engineer, has already started to plumb some of the leaked data. He said he is conducting an independent analysis of approximately 576 gigabytes of files published Monday and has forwarded his results to the FBI.

So far, Goodwolf has been able to analyze one zipped folder about 900 megabytes in size, or less than 1% of the dump’s contents, he confirmed in a text Monday night. He’s using code written in Python, a programming language that helps automate tasks — in this case, checking the contents of the hacker’s bounty.

Goodwolf said his work has been slowed because the hacker’s dark web site “keeps going down.”

“I can tell you the file contains around 100k names of benefit recipients,” Goodwolf said. There are also addresses and phone numbers, as well as cross references to other databases. Several lines in one database, for example, seem to indicate data related to the Social Security Administration’s (SSA) “prisoner match,” which crosschecks an applicant’s incarceration status to determine eligibility for federal benefits. 

“There are some data strings which look like they’re for processing an application,” Goodwolf said of his findings thus far. 

Goodwolf is no stranger to whistleblowing, and dodged a legal challenge from his own city in September, after he approached the local press with information about a data breach downplayed by municipal officials.

Screencaps of the dark web site taken by Goodwolf show that the file folders advertised on the Brain Cipher blog are mostly in archival formats, meaning they contain large amounts of data that have been compressed. Several archives, each multiple gigabytes in size, are labeled “PRD,” suggesting they include data from production environments, or live software that administrators or service beneficiaries would have interacted with directly. 

The screencaps also show what appear to be assorted backups, with dates as recent as July and November 2024. A set of folders marked as belonging to “UAT,” or user acceptance testing, are labeled as “masked,” meaning the data could be scrambled and not very useful to potential identity thieves.

Hackers overtook domain controller

Brain Cipher has exhibited little faith in Deloitte’s security measures. 

“Let’s clarify some details right away,” Brain Cipher wrote in a Dec. 23 post that changed the ransom page’s listed victim from “Deloitte UK” to the “Rhode Island Department of Human Services.”

“The target of the attack was not the state sector,” the hackers wrote. “The only reason we did this is the fact that the time it took us to penetrate the infrastructure, and in particular to domain controller, was 5 minutes!”

A domain controller is a server responsible for authenticating access across an entire network. Overtaking a domain controller essentially gives a hacker carte blanche to a system’s data.

The Brain Cipher ransom post alleges that Deloitte had virtually none of the requisite security measures in place, with “NONE!” written in red text alongside a list of necessities like software and operating system updates. The group first came to prominence with an attack on an Indonesian government data center, and security experts believe the group operates out of that country.

Brain Cipher alleges that the default administrative account for the RIBridges system was secured with an easily cracked password. Plugging the alleged eight-character password — achieved by typing the first two number or letter keys moving from top to bottom on the left side of a keyboard — into an online password security tool produces an estimate of how long it would take to crack:

1.39 seconds.
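As an added illustration, not part of the article or of any tool it mentions: a small Python policy check that rejects passwords built by walking adjacent keys on a QWERTY keyboard, the construction the hackers’ post describes for the alleged default account password. The 12-character minimum, the four-key walk threshold and the simplified key grid are assumptions of this example.

```python
# Added example (not from the article): flag "keyboard walk" passwords,
# i.e. strings typed by moving between physically adjacent keys.
from typing import List

# Simplified QWERTY grid (assumption): row offsets are approximated, so keys in
# the same or a neighbouring column of adjacent rows count as neighbours.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(QWERTY_ROWS) for c, ch in enumerate(row)}
# Shifted digits map back to the digit key they share.
SHIFTED = dict(zip("!@#$%^&*()", "1234567890"))


def _adjacent(a: str, b: str) -> bool:
    """True if keys a and b are neighbours on the grid (diagonals included)."""
    pa, pb = KEY_POS.get(a), KEY_POS.get(b)
    if pa is None or pb is None:
        return False
    return pa != pb and abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1


def longest_keyboard_walk(password: str) -> int:
    """Length of the longest run of consecutive characters that are all adjacent keys."""
    chars = [SHIFTED.get(ch, ch.lower()) for ch in password]
    best = run = 1 if chars else 0
    for prev, cur in zip(chars, chars[1:]):
        run = run + 1 if _adjacent(prev, cur) else 1
        best = max(best, run)
    return best


def password_findings(password: str, min_length: int = 12, walk_limit: int = 4) -> List[str]:
    """Return policy findings; an empty list means the password passes this check."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    walk = longest_keyboard_walk(password)
    if walk >= walk_limit:
        findings.append(f"contains a {walk}-key keyboard walk")
    classes = sum([
        any(c.islower() for c in password), any(c.isupper() for c in password),
        any(c.isdigit() for c in password), any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        findings.append("uses fewer than three character classes")
    return findings


if __name__ == "__main__":
    # Constructed sample input: a row walk with two digits appended.
    print(password_findings("qwerty12"))
```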
