Empty Threats

Most of our security tips are pulled directly from the security attacks or incidents we encounter with the state network. This tip is no exception. Recently our security teams encountered a threat that attempted to extort money. This particular threat “came from” a well-known threat actor (i.e., a malicious group) who had been in the news several times over the last few years for bringing down websites. The threat said that unless the targeted agencies paid a ransom, their websites would be taken offline in a Denial of Service (DoS) attack.

After digging into the facts and working through our incident response procedures, this was found to be an empty threat. The email was likely not sent from the well-known threat actor. The group that sent this email had sent similar ransom emails in the past few years, without ever performing a DoS attack. This specific message was also found to have been sent to numerous agencies and private companies worldwide, making it even more unlikely that this group could take down everyone it was threatening.

When your agency first gets these messages, it is easy to think of the worst-case scenario. “Oh No! We’re going to be attacked!” Don’t forget, that is the fear the attacker wants you to have! When you take a deep breath, work with internal and external resources, and address the situation methodically, the situation is often better than you first thought. Large or small, this process is the best way to handle the security incident quickly and efficiently.

OK, but where do I start?

First, notify your security team so they can take appropriate actions. If you are the point of contact for the security team, we recommend you notify the SOC (soc@watech.wa.gov) so they can work the issue with you. Many times there are multiple agencies dealing with the same security issue, and it is much more effective to share knowledge and resources to solve the problem. The SOC also has resources it can draw on from WaTech and external sources. From there, we can work as a team to gather all the information, evaluate whether this is a real or empty threat, perform the necessary preparations, and work through the incident as needed.