Cyber Incident Victim: Pennsylvania Provider Self-Service

Date: Jun 2023

Location: United States of America

Summary

A suspected politically motivated hacking group, SiegedSec, claimed responsibility for a cyberattack on the Pennsylvania Provider Self-Service website. The group defaced the website and allegedly stole data from it. The platform, housed within the Pennsylvania Department of Human Services, serves the state's childcare industry. State officials acknowledged the claims and stated they were investigating the incident.

Description

On or around June 28, 2023, the hacktivist group SiegedSec claimed responsibility for a series of cyberattacks targeting five state-run websites across the United States. Among the listed targets was the Pennsylvania Provider Self-Service website. This platform is housed within the Pennsylvania Department of Human Services and serves as a resource for individuals and companies involved in the state’s childcare industry. The group publicly announced these actions on the messaging platform Telegram, where they also shared images as evidence of their intrusions. These images depicted website defacements and allegedly included samples of stolen data. The group's post did not specify a motive for this particular campaign, though it followed a pattern of previous attacks motivated by political issues.

According to claims made by SiegedSec, the incident at the Pennsylvania Provider Self-Service website comprised both a data breach and the defacement of the site. The group asserted that they successfully exfiltrated information from the system. In addition to the data theft, they altered the website's content, a common tactic used by hacktivists to draw attention to an attack and embarrass the target organization. Because the website is designed for external use by providers, it was a publicly accessible interface.

Officials from the Pennsylvania state government were made aware of the claims through media inquiries and the group's public postings. When contacted for comment, several officials from the Pennsylvania Office of Administration and the governor’s office declined to provide detailed statements on the incident. Their only confirmed response was that they were "looking into the claim." This indicates that the initial phase of the state's response involved an internal assessment to verify the authenticity of the hacking group's assertions. No further official details were provided regarding the immediate steps taken to contain the breach, such as taking the website offline for forensic analysis.

The broader context of the SiegedSec campaign provides insight into the group's methods and typical targets. The same series of attacks claimed by the group included the Nebraska Supreme Court intranet, the South Dakota Boards and Commissions portal, the Texas Behavioral Health Executive Council, and the South Carolina Criminal Justice Information Services (CJIS) website. In the cases of South Dakota and Pennsylvania, the attacks involved confirmed website defacements. For the other states, SiegedSec claimed to have stolen data. An expert tracking the group noted that SiegedSec had recently concluded an aggressive offensive campaign against the Colombian government and that their operations typically involve leaking stolen data and defacing the resources of their targets. The group is characterized as hacktivist in nature, lacking a financial motive, and its leader has cited non-financial reasons like ‘fun’ as a driving force behind their activities.

The impact of the incident on the Pennsylvania Provider Self-Service system was not fully detailed by state officials. The public-facing nature of the compromised website suggests that, by its design, it may not have housed highly sensitive internal data. However, the exact scope and nature of any information that was potentially accessed or exfiltrated were not disclosed by the Pennsylvania authorities. The primary confirmed consequence was the defacement of the website, which can disrupt public access to services and damage public trust in the security of state systems. The potential compromise of data from the provider portal remains a point of concern, though its specific impact on individuals or childcare providers was not elaborated upon by the state.

The response from other states targeted in the same campaign varied, offering a comparative view of incident handling. In Nebraska, officials confirmed their intranet was targeted and that a screenshot of it was posted online by the attackers. However, they stated there was no compromise of sensitive data related to court cases or personally identifiable information. They immediately began a review of system logs to determine the nature and scope of the attack and pledged to implement safeguards and enhancements to their security posture. South Dakota officials confirmed a website was compromised and defaced but stated that because it was public-facing, no sensitive information was compromised. In contrast, Texas officials from the targeted Behavioral Health Executive Council claimed that based on information from their IT staff and the state Department of Information Resources, their system had not been hacked, despite the group's claims.

The investigation into the broader SiegedSec campaign was acknowledged by officials in multiple states. The coordinated nature of the attacks suggests a systematic effort by the group to target government digital infrastructure. The lack of a consistent public response from all affected entities highlights the challenges in managing the public disclosure of security incidents. For the Pennsylvania incident, the official response concluded with the statement that the claim was being investigated, with no subsequent public release of findings regarding the confirmed extent of the breach, the specific vulnerabilities exploited, or the final determination of what data, if any, was taken. The incident remains a part of a larger pattern of hacktivist activity targeting U.S. state government systems during this period.
