The state of Rhode Island has published the results of the investigation conducted by cybersecurity company CrowdStrike regarding the hacking incident involving RIBridges, Rhode Island’s state benefit system. The Brain Cipher threat group was behind the attack that accessed 28 of the 338 environments in the RIBridges system. Stolen sensitive information included names, addresses, dates of birth, health data, and Social Security numbers. The impacted people were those who opted to receive public benefits like food stamps or private medical insurance via the HealthSource RI portal. The state sent breach notification letters to about 657,000 people in January telling them about the potential compromise of their sensitive data because of the incident.
The forensic investigation confirmed that 114,879 individuals who received notification letters in January were not actually affected. However, another 107,757 individuals were impacted but did not get notifications in January. They include around 30,000 people whose information was obtained during employment assessments or verifications with the child support program and the Department of Children, Youth, and Families. The state is sending notification letters to those 107,757 people. In total, 644,401 impacted persons are receiving free 5-year credit monitoring and identity theft protection services.
The investigation began on December 16, 2024, and ended on January 31, 2025. State officials said that Brain Cipher actors used the credentials of a Deloitte staff member to access the RIBridges system via the RIBridges Virtual Private Network (VPN). The state of Rhode Island works with the vendor Deloitte to manage the RIBridges system. CrowdStrike could not determine how Brain Cipher obtained the credentials, or whether Deloitte had multifactor authentication set up on the VPN.
On July 2, 2024, Brain Cipher first reached a non-production environment inside the RIBridges system, which was not noticed until November 28, 2024. After authenticating to the RIBridges VPN, the threat actor performed initial reconnaissance and moved laterally from an application server to six different systems. It elevated privileges on two systems through Image File Execution Options (IFEO) injection and harvested credentials on six systems inside the RIBridges environment.
Brain Cipher used commercially accessible remote monitoring and management (RMM) applications and a reverse proxy tool to retain access to the system for five months. Brain Cipher completed data access, staging, and data transfers from 28 systems in the RIBridges system.
Deloitte did not detect the hack from the huge data transfers. Instead, the hack was discovered because of a posting on the Brain Cipher data leak website on December 4, 2024, that mentioned the stolen data. Deloitte investigated the claim and discovered suspicious activity. On December 13, 2024, Deloitte confirmed the breach of RIBridges. Upon confirmation of the breach, the RIBridges systems were shut down and stayed off the internet for approximately one month. No evidence was found that the system was attacked by ransomware.
Based on the CrowdStrike investigation, on September 10, 2024, the RIBridges firewall rejected traffic from an outside cloud storage solution IP address to an internal IP address. From November 11, 2024 to November 28, 2024, the firewall management console generated 397 warnings from 15 systems regarding large data transfers to an outside cloud storage provider. Deloitte failed to detect the problems for that period of time, which is unacceptable. Governor McKee said that the state will exert all efforts to hold Deloitte accountable.
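The two signals described above, a rejected connection from an external cloud storage address and a run of large-transfer warnings to an external provider, are exactly the kind of firewall telemetry a detection pipeline should surface and correlate. The following is an added example, not code from the state's report, CrowdStrike, or Deloitte. It runs over a handful of constructed firewall log lines (an assumed `timestamp action src dst bytes` layout, with TEST-NET addresses standing in for the cloud provider), flags internal hosts with large outbound flows to non-RFC1918 destinations, and links those destinations back to any earlier denied inbound attempt from the same external address.

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall log lines; not from the RIBridges investigation.
# Assumed layout: timestamp action src dst bytes
SAMPLE_LOG = """\
2024-09-10T23:41:07 DENY  198.51.100.77 10.20.1.15    0
2024-11-11T02:14:05 ALLOW 10.20.1.15    203.0.113.40  734003200
2024-11-11T02:40:19 ALLOW 10.20.1.15    203.0.113.40  912261120
2024-11-11T09:05:44 ALLOW 10.20.1.22    10.20.5.9     52428800
2024-11-12T01:03:12 ALLOW 10.20.1.31    198.51.100.77 1288490188
2024-11-12T08:15:00 ALLOW 10.20.1.22    203.0.113.40  1048576
"""

# RFC 1918 ranges define "internal"; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Per-flow threshold (assumed value) above which an outbound flow is "large".
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    ts, action, src, dst, nbytes = line.split()
    return {"ts": ts, "action": action,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "bytes": int(nbytes)}


def records(log_text):
    for raw in log_text.splitlines():
        if raw.strip():
            yield parse_line(raw)


def find_large_egress(log_text, threshold=LARGE_TRANSFER_BYTES):
    """Summarise allowed internal->external flows above the threshold, per source host."""
    summary = defaultdict(lambda: {"count": 0, "bytes": 0, "destinations": set()})
    for rec in records(log_text):
        if rec["action"] != "ALLOW":
            continue
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue                      # only internal -> external flows
        if rec["bytes"] < threshold:
            continue
        entry = summary[str(rec["src"])]
        entry["count"] += 1
        entry["bytes"] += rec["bytes"]
        entry["destinations"].add(str(rec["dst"]))
    # Freeze destination sets into sorted lists for stable output.
    return {src: {**info, "destinations": sorted(info["destinations"])}
            for src, info in summary.items()}


def correlate_denied_inbound(log_text, egress):
    """External addresses that were DENIED inbound and later received large egress."""
    denied_sources = {str(rec["src"]) for rec in records(log_text)
                      if rec["action"] == "DENY" and not is_internal(rec["src"])}
    hits = set()
    for info in egress.values():
        hits |= denied_sources & set(info["destinations"])
    return hits


def build_alerts(log_text, threshold=LARGE_TRANSFER_BYTES):
    """Human-readable alert lines, one per flagged internal host."""
    egress = find_large_egress(log_text, threshold)
    overlap = correlate_denied_inbound(log_text, egress)
    alerts = []
    for src, info in sorted(egress.items()):
        msg = (f"{src}: {info['count']} large outbound flow(s), "
               f"{info['bytes']} bytes to {', '.join(info['destinations'])}")
        if set(info["destinations"]) & overlap:
            msg += " [destination previously seen as DENIED inbound source]"
        alerts.append(msg)
    return alerts


if __name__ == "__main__":
    for line in build_alerts(SAMPLE_LOG):
        print(line)
```

The per-host aggregation is what turns 397 individual warnings into a short list of systems worth investigating, and the correlation step is the piece that would have tied the September rejection to the November transfers. In a real deployment the threshold and the "external" definition should come from the environment's own baseline rather than the assumed values here.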
The state plans to select a provider to improve the RIBridges system. However, it will probably take 18 to 24 months to get the new system ready. Meanwhile, Deloitte will continue to manage the RIBridges system. The state is likewise planning to hire more IT employees, who would need to undergo HIPAA training. Governor McKee has requested funds for an extra 15 employees, including an RIBridges Technical Lead.
Image credit: mandritoiu, AdobeStock