Cyber Incident Victim: Hennepin County

Date: Jun 2018

Location: United States of America

Summary

Hennepin County experienced a cybersecurity incident where attackers successfully compromised numerous employee email accounts through a sophisticated phishing campaign impersonating pay-raise notifications. Employees were tricked into surrendering login credentials, enabling attackers to misuse their official email accounts and signatures to propagate the attack internally. This breach potentially exposed sensitive personal information belonging to individuals utilizing county services.


Description

In late June 2018, Hennepin County, Minnesota, experienced a cybersecurity incident involving unauthorized access to approximately 20 employee email accounts. Attackers executed a phishing campaign by sending deceptive emails disguised as pay-raise notifications, which successfully tricked targeted employees into surrendering their login credentials. The compromised accounts were subsequently exploited to propagate the attack further, with attackers leveraging the legitimate email signatures and trusted relationships of the breached accounts to send additional phishing messages to other contacts within the organization. This lateral movement tactic amplified the incident's scope beyond the initial compromises. County officials publicly disclosed the breach on August 9, 2018, confirming the intrusion had persisted for several weeks since its inception in late June. The attack methodology demonstrated notable sophistication in its use of social engineering and impersonation techniques to bypass security measures.

The incident potentially exposed sensitive personal information belonging to individuals who interacted with Hennepin County's services, though specific data types or affected records weren't quantified in available disclosures. County representatives indicated the breach investigation remained ongoing at the time of public notification, without confirming whether attackers exfiltrated data or merely accessed communication systems. Response efforts focused on containing the compromised accounts and preventing further unauthorized access, though technical remediation details weren't publicly specified. The county's disclosure emphasized the attackers' operational sophistication in maintaining persistence within email systems and exploiting organizational trust dynamics through authentic-seeming communications. No ransomware deployment or financial motive was explicitly cited in initial reports, distinguishing this incident from contemporaneous attacks focusing on monetary extortion.
