
Cyber Incident Victim: South Dakota Boards and Commissions

Date: Jun 2023

Location: United States of America

Summary

The SiegedSec hacking group breached and defaced the South Dakota Boards and Commissions website, a public-facing portal for state industry boards. The group claimed responsibility alongside attacks on several other states. An official investigation confirmed the site was compromised but stated that, due to its public nature, no sensitive information was exfiltrated or otherwise impacted by the incident.


Description

On or around June 28, 2023, the hacktivist group SiegedSec claimed responsibility for a coordinated cyberattack campaign targeting the online assets of several U.S. state governments. The group publicized these claims on the messaging platform Telegram, listing five specific state entities as their victims. Among these was the South Dakota Boards and Commissions (BAC) website. The group supported its claims by sharing photographic evidence, which included images of defaced websites and, in some cases, data they alleged to have stolen. For the South Dakota Boards and Commissions, the primary action claimed was website defacement.

The South Dakota Boards and Commissions website serves as a centralized public portal providing information on various industry-specific regulatory bodies within the state, such as the South Dakota Board of Technical Professions, the South Dakota Banking Commission, and the South Dakota Real Estate Commission. The website is public-facing and is not designed to house or provide access to sensitive or confidential data. Following the public claims made by SiegedSec, state officials initiated an investigation into the incident to verify the scope and impact of the intrusion.

The investigation into the South Dakota incident was confirmed by Dan Hoblick, a representative for the South Dakota Bureau of Information and Telecommunications. The state's review determined that one of its public-facing websites had indeed been compromised and subsequently defaced by the threat actors. The defacement involved altering the website's content to display a message or image, as the hacking group had declared. However, the investigation concluded that, due to the public nature of the website and the data it contains, no sensitive information was compromised in the attack. The website did not store or provide access to personally identifiable information, court case data, or other confidential records.

The incident was part of a broader campaign by SiegedSec, which simultaneously targeted government websites in four other states. The group claimed to have stolen data from the Nebraska Supreme Court intranet, the Texas Behavioral Health Executive Council, the Pennsylvania Provider Self-Service platform, and the South Carolina Criminal Justice Information Services website. In addition to the data theft claims, the group also stated it defaced websites in Pennsylvania alongside the one in South Dakota. The motive for this specific multi-state campaign was not explicitly stated by the group in their initial announcement. This contrasted with their previous attacks on government bodies in states like Texas, Kentucky, and Arkansas, where they had explicitly cited opposition to state-level bans on abortion and gender-affirming care as their motivation.

Responses from the other affected states varied. In Nebraska, officials from the Judicial Branch confirmed their intranet system was targeted and that a screenshot of their intranet site had been posted online by the attackers. However, they stated that a review found no compromise of sensitive data related to court cases or personally identifiable information. The Texas Behavioral Health Executive Council's executive director initially claimed his organization had not been hacked after consulting with IT staff and the state's Department of Information Resources, despite being listed as a victim. Officials in Pennsylvania acknowledged they were "looking into the claim" regarding their Provider Self-Service website but declined further comment. South Carolina authorities noted that the cited website, the Criminal Justice Information Services portal, was not under their control and referred inquiries to the South Carolina Law Enforcement Division, which did not respond to requests for comment.

The SiegedSec group was identified by a data leak researcher as having recently concluded an aggressive offensive campaign against the Colombian government, dubbed #OpColombia. The group's operations are characterized as hacktivist in nature, meaning their primary motive is ideological or political rather than financial. They do not seek ransom payments from their victims. The group's activities typically involve data theft and website defacement. Previous notable targets included various commercial and government organizations in Russia, as well as South American governments, software companies, and healthcare providers. The leader of the group, using the online alias YourAnonWolf, described SiegedSec as a "small tight-knit group" but provided no further identifying details.

The impact of the South Dakota Boards and Commissions incident was limited to the defacement of a single public website. The compromise did not result in a data breach involving sensitive or personal information, and no disruption to the underlying functions of the various boards and commissions was reported. The primary consequence was a temporary loss of integrity and availability of the public informational portal. The state's response involved an investigation to confirm the extent of the breach and to assess the vulnerabilities that were exploited to gain access. While specific technical security enhancements were not detailed publicly, the state indicated that safeguards and security posture improvements were being implemented in response to the attack to prevent future similar incidents. The incident highlighted the ongoing targeting of state and local government digital infrastructure by ideologically motivated threat actors, even when the immediate operational impact is minimal.
