Court of Audit criticism:

Carinthian IT still inadequately secured

The attack by the "Black Cat" hackers on the IT of the state of Carinthia paralyzed numerous systems two years ago.

(Bild: jfhp - stock.adobe.com)

More than two years after a serious hacker attack on the IT system of the state of Carinthia, the Austrian Court of Audit (ACA) has identified further room for improvement. At the end of 2023, there was still a lack of "two-factor authentication for all IT workstations, complete documentation of the IT security measures implemented or, for example, a comprehensive IT emergency manual and increased IT security checks", according to a recent ACA report.

At the end of May 2022, the Carinthian state administration was completely paralyzed for days as a result of the hacker attack, resulting in months of restrictions. The hackers got into the system via a phishing email and gained access to a file server. The "Black Cat" group claimed responsibility for the attack, which resulted in at least 250 gigabytes of data being accessed. The data was mainly from the offices of members of the Carinthian provincial government. Around 80,000 master data sheets for settlement and residence permits, 4,000 contact details for event management and internal correspondence from government members and employees were affected.

Data sold on the darknet
It was not possible to say exactly how much of the data was copied. However, a 5.6 gigabyte portion of the data was published on the darknet. The hackers announced that they had sold the data on because the country did not want to pay the ransom demanded - five million dollars. It is still unclear whether the data was actually sold. A year ago, the public prosecutor's office in Klagenfurt announced that the investigation had been discontinued because there were no more leads to actively pursue - everything that had been available had come to nothing. Successful investigations into hacker attacks or online fraud are extremely rare, it was emphasized.

Since then, however, the investigation into the attack has been in full swing - the Court of Auditors has also devoted itself to this topic. In a report published on Friday, it was stated that although the state of Carinthia had already implemented IT security measures before the cyber attack, this had "neither detected nor prevented" the attack: "Overall IT security management was incomplete."

After the cyber attack, the state of Carinthia took further steps to increase security, for example, 5.75 million euros were made available for immediate and recovery measures. In addition, a rapid response team was set up and a new firewall and DDoS protection were installed. "At the time of the ACA audit, other technical measures had also been completed, such as securing the network or securing the necessary IT services," the ACA stated - but some measures were still missing.

As the state of Carinthia announced on Friday, comprehensive two-factor authentication has now been rolled out and is available on all devices. In addition, "the state IT was certified according to ISO 9001 and 27001 (information security)", and a valid certificate for 2024 was issued in February: "Of course, this also includes the up-to-dateness of all security-related documentation such as the restart or IT emergency manual."

In the report, the Court of Audit also drew a connection to the DDoS attacks on the websites of Austrian parties and public institutions in the context of the 2024 National Council elections: "In addition to increasing IT security, cooperation with federal authorities and cyber bodies is also essential in order to prevent or minimize the impact of cyber attacks."