Tyler Technologies: Ransomware Locked Our Network, But Election Info Not At Risk
In a late Friday afternoon update to the single page of attack information that now passes for Tyler Technologies’ website, the company admitted to being hit by ransomware, but insisted customers were safe.
Tyler Technologies has copped to the ransomware attack that still has the company’s phone lines and website offline.
In an update to its online statement, Plano, Texas-based Tyler confirmed that early Sept. 23 it was hit with ransomware. It did not specify which variant was used against its network.
The company -- No. 46 on the 2019 CRN Solution Provider 500 -- is sticking by its claims that the only portion of its system that was attacked was the internal network used by Tyler Technologies employees, as well as the telephone systems.
Tyler said addressing this with clients is the company’s “highest priority.”
“We are deploying every resource at our disposal, both internal and external, to take whatever steps are needed to return to business as usual,” the company said. “We are committed to doing that in a responsible, deliberate way, and we are laser-focused on those efforts.”
Tyler said it has been in contact with the FBI “and we are cooperating with them.”
The attack on Tyler Technologies is setting off alarm bells in the security community, not just because it is yet another ransomware attack this year against a massive solution provider, but because the company’s website and phone system remain down.
Kyle Hanslovan, CEO of Huntress Labs, said solution providers that are Tyler’s size typically have network redundancies built in, meaning the phone systems and website should be restorable quickly. The fact that the site has not yet come back online likely means Tyler does not know the extent of the intrusion.
“It’s concerning. Redundancies are hard. Redundancies are expensive, but they should be part of any company’s resiliency plan,” he said. “They could be one of these companies that is very operationally mature when it comes to sales and products, but inside their network it is a house of cards.”
A call to Tyler’s spokeswoman could not be routed through the switchboard, an operator who picked up the phone yesterday said.
“We’re still having problems with the phones,” she said. In an email, a spokesperson directed CRN to an update on the website. Tyler’s website – which was offline following the attack – has been replaced by a single-page statement about the ransomware attack, a part of which insists that none of its clients’ systems were accessed.
“Based on all of the evidence gathered to date through our around-the-clock response efforts, all information available to us continues to indicate that this incident is limited to Tyler’s internal corporate environment and does not impact the separate environment where we host client systems,” the statement reads. “We have disconnected points of access between Tyler’s internal systems and our client systems to further protect our clients.”
The company also said its internal payroll systems are part of a separate system and were also not hit.
However, Hanslovan said it is very difficult for the best security forensics to determine how far-reaching an attack was, even weeks afterwards. At best, those reports will only indicate “high confidence” that an attack did not spread beyond the area that it impacted.
Tyler Technologies serves 15,000 customers around the world, but focuses primarily on state and local government customers. The company offers dozens of solutions for courts, police, EMS, fire departments and probation, as well as resources to pay parking tickets and water bills.
In 2018 the company bought Socrata, an advanced AI platform that extracts information from municipal systems, giving decision makers actionable datasets used in urban planning. Part of that includes data from elections departments, raising the concern that ransomware actors could be attempting to tamper with elections.
The company said the Socrata system is housed on an AWS server and has not been touched.
“Based on all of the evidence gathered to date through our around-the-clock response efforts, all information available to us continues to indicate that this incident is limited to Tyler’s internal corporate environment and does not impact the separate environment where we host client systems. In addition, our Socrata platform is hosted offsite on AWS (Amazon Web Services), and our Tyler Federal Entellitrak and Tyler Cybersecurity platforms are maintained in entirely separate environments. There is no evidence of any impact on those environments whatsoever.”
The company also insisted that none of its products are used in voting. The Socrata system reads the information that is provided.
“None of our products is a system of record for voting or any other election- or voting-related activities. Users of our open data solution may use our platform to post aggregated information about election returns, or to provide information about polling stations and campaign finance, but Tyler does not store individual voting records. Our open data solution is hosted offsite on AWS, not on Tyler’s internal network that was impacted.”
The company also disputed some online comments that its utility bill payment systems used by cities and towns were having trouble following the outage.
“Tyler’s Online Services and Support teams have reviewed all the logs, monitoring, traffic reports, volume reports, and cases related to utility and court payments,” the company said. “There were no outages with any of our online payment systems and payment activity has functioned normally during this time.”
Brett Callows, a threat analyst at Emsisoft, said that, with the U.S. election looming, the danger posed by ransomware to municipal systems, regardless of vendor, is real.
“The threat ransomware groups present cannot be overstated,” he said. “They’re using APT-level tools and techniques to successfully attack - and extract data from - courts, government agencies, companies in the Defence Industrial Base sector, financial institutions and public and private entities in multiple other sectors. These incidents could potentially be a risk to national security, economic security and, of course, election security.”