Cyber Incident Victim: Texas Behavioral Health Executive Council

On or around June 28, 2023, the hacktivist group SiegedSec claimed responsibility for a series of cyberattacks targeting government websites across multiple U.S. states. Among the five entities listed in their public Telegram post was the Texas Behavioral Health Executive Council (BHEC). The group asserted they had stolen data from the BHEC, sharing images as evidence of their intrusion. This incident marked the second attack claimed by SiegedSec in Texas within a single week, following a separate incident involving the government of Fort Worth. The Texas Behavioral Health Executive Council serves a central regulatory function for behavioral health services and social work practice throughout the state, indicating the potential sensitivity of the information it manages.

The initial public disclosure of the incident came not from the organization itself but from external media inquiries. Darrel Spinks, the Executive Director of the Texas Behavioral Health Executive Council, was notified of the potential breach after receiving questions from Recorded Future News. Upon learning of the claims, Spinks stated that he immediately notified his internal IT staff and escalated the matter to the Texas Department of Information Resources (DIR). The DIR is a state agency responsible for information technology leadership and oversight, suggesting the incident was treated with a significant level of concern and coordinated at a state level.

Following the internal notifications, an investigation was initiated involving both the council's IT personnel and the state's Department of Information Resources. The nature of this investigation would typically involve a forensic analysis of system logs, access records, and the specific systems mentioned by the attackers to verify the claims and determine the scope of any potential compromise. Despite the claims made by SiegedSec and the evidence they presented, the official stance from the council's leadership was one of denial. Based on the information and response provided by the IT staff and the DIR, Executive Director Darrel Spinks claimed that the Texas Behavioral Health Executive Council had not been hacked. He declined to answer further questions regarding the investigation's specifics, the findings that led to this conclusion, or any potential impacts.

The attack on the BHEC was part of a broader campaign by SiegedSec that simultaneously targeted state agencies in Nebraska, South Dakota, Pennsylvania, and South Carolina. The group's methods across these incidents included both data theft and website defacement. In the case of Texas, the primary claim was the exfiltration of data, though the specific type and volume of data allegedly stolen were not detailed in the public claims beyond the reference to "Personal Information" in their announcement. Other states in the campaign provided more detailed assessments. For example, officials in Nebraska confirmed their judicial branch intranet was targeted but stated no sensitive case or personally identifiable information was compromised. South Dakota officials confirmed a website was defaced but noted it was public-facing and contained no sensitive data.

SiegedSec is identified as a hacktivist group, meaning their operations are typically motivated by political or social causes rather than financial gain. In previous attacks on government bodies in states like Texas, Kentucky, and Arkansas, the group had explicitly referenced state-level bans on abortion and gender-affirming care as their motivation. However, for this particular wave of attacks in late June 2023, no specific motive was listed in their initial post. Some security experts cautioned that the stated reasoning of such groups should be viewed warily due to a general lack of verifiable information about the individuals behind the operations. The group had just concluded an aggressive campaign targeting the Colombian government, known as #OpColombia, prior to launching these attacks on U.S. state entities.

The leader of SiegedSec, using the alias YourAnonWolf, characterized the group as a "small tight-knit group" in communications with media but offered little additional information about its composition or objectives. The group's typical modus operandi involves leaking stolen data and defacing the digital resources of its targets. Their historical targets have included a variety of commercial and government organizations, with notable campaigns against Russian entities, South American governments, software companies, and healthcare providers. The lack of a financial motive distinguishes their activities from ransomware groups or other cybercriminal enterprises.

The immediate impact of the incident on the Texas Behavioral Health Executive Council remains unclear from available public information. The council's executive director publicly disputed the claim of a successful breach, creating a discrepancy between the attacker's assertions and the official government statement. No acknowledgment of any data disclosure or system downtime was provided by the council. The longer-term consequences would depend on the actual findings of the digital forensic investigation conducted by the council's IT team and the Texas DIR. If the investigation confirmed a breach, the council would be obligated to assess the type of data involved and comply with any relevant state data breach notification laws. The potential compromise of personal information could have significant implications for the individuals whose data is managed by the regulatory council.

The response actions confirmed were the notification of IT staff and the state's central information resources department, followed by an investigation. The outcome of that investigation, as publicly stated by Executive Director Spinks, was a determination that no hack had occurred. It is not known what specific safeguards or enhancements, if any, were implemented by the BHEC or the Texas DIR in direct response to this incident. Other states targeted in the same campaign described their response efforts; Nebraska's judicial branch noted it was assessing the breach’s extent, identifying vulnerabilities, and strengthening its security posture by implementing new safeguards and enhancements. The public and contradictory nature of the event, with a hacktivist group claiming a success and a state agency denying it, highlights the challenges in accurately assessing the scope and severity of such incidents based solely on initial claims and statements. The full technical details and findings of the investigation by the Texas Department of Information Resources were not made public.