The Massachusetts Executive Office of Labor and Workforce Development said a newly discovered variant of the Qakbot worm infected computers in its Unemployment Assistance and Career Services departments, as well as machines in its One-Stop Career centers across the state. Names, Social Security numbers, employer identification numbers, email addresses, residential or business addresses and bank information may have been compromised.
Qakbot, first identified in 2009, records a user's keystrokes, saves them to a file on the infected machine, then attempts to send the file back to attackers, John Glennon, CIO for the labor department, told SCMagazineUS.com on Wednesday. Its goal is to obtain personal and banking information.
The infection was first discovered on April 20 after the help desk began receiving calls from users who complained that their computers were acting strangely, Glennon said. Network managers immediately began working to eradicate the infection. It was subsequently learned, however, that initial efforts to remove the virus were not entirely successful and that data had left state systems.
Upon discovery of the leak, “the system was shut down and the breach is no longer active,” the labor department said in a statement.
The actual number of victims is unknown but, as a measure of precaution, the state is notifying all unemployment insurance claimants, Glennon said.
Those who have done business between April 19 and May 13 at the Unemployment Assistance or Career Services departments, or at a state career center, are possibly affected, the agency said. Additionally, approximately 1,200 Massachusetts businesses that file quarterly statements using agency computers may be at risk.
“I apologize to our customers and recognize that this is an unwanted problem,” Labor and Workforce Development Secretary Joanne Goldstein said in a statement. “We are hopeful that the actual impact on residents and businesses is minimal.”
Agency computers were infected with a variant of the worm that was not detected by the department's endpoint security product, from Symantec, Glennon said. Officials believe the virus made its way onto state systems after an employee or career center visitor clicked on a malicious link.
“I believe we did everything we could to keep virus signatures current and protect our environment against an infection like this,” he said. “But we were still infected and breached.”
The agency now plans to reassess its security defenses, Glennon added.
“We are going to work with the state security office and Symantec to ensure we are optimally configured and protected in the correct ways,” he said.
According to Symantec, Qakbot spreads through network shares and removable drives. The worm, which contains functionality that allows it to evade detection, attempts to steal information, open a backdoor on compromised computers and download additional files.
An investigation into the breach is ongoing, Glennon said. The agency has notified state and federal agencies, including the attorney general's office and FBI.