The hackers who breached the Oregon Secretary of State’s website in February probably exploited software that cybersecurity websites had identified as vulnerable but that state IT officials had not patched, documents and information obtained by The Oregonian show. On Friday, agency spokesman Tony Green said the hackers first gained access to the site Jan. 21. That’s one week earlier than previously disclosed and two weeks before the breach was detected Feb. 4. The attack, possibly from China or North Korea, prompted officials to take the state’s campaign finance and business registry databases offline for about three weeks. State officials also closed international access to the entire website for weeks, and this week declined to say what controls on foreign traffic remain.
Agency emails obtained through a public records request indicate that the hackers probably exploited a weakness in a free open-source software program. State officials confirmed that suspicion Friday but asked The Oregonian not to name the program out of security concerns. While the Secretary of State’s website is secure, Green said, hackers could target other agencies. Alerts about a vulnerability in the software circulated on cybersecurity websites months before the Oregon breach.
… Responding to a question about whether any information was stolen, he wrote: “Some data was taken, but any personally identifiable information was encrypted. No credit card data was stored on our systems and neither internal nor external reviews have uncovered any evidence that the intruders were able to use any information to compromise the security of those who use our applications.”