Taos County Hacked, Here's What Happened
- Rob Swan
- Jun 26
- 3 min read
On approximately June 6th, Taos County detected unusual activity in their computer systems. The county immediately shut down their systems as a precautionary measure. Since then, county departments have either ceased operations entirely or are functioning with severely limited capabilities, leaving residents frustrated and without answers about when normal services will resume. The county, for some reason, has not made any public statements and has been tight-lipped about the entire matter.
I have continually been asked what was going on, as the shutdown is affecting real estate transactions, so today I decided to find out. Here is what I learned.
Shortly after the intrusion was discovered by Taos County, a hacking group that goes by the name of Kairos took responsibility for the hack. Unlike most hacker ransom situations where the hacker encrypts the data so it is no longer accessible by the rightful owner, Kairos stated that they copied and downloaded 1.94 terabytes of data from the county, apparently leaving the original files intact. By all indications, Kairos is a Russian-based group and their business model is to release all the data on a public server unless the ransom is paid.
As proof of possession of Taos County's data, Kairos published a data sample which contained very graphic photos of a local sex abuse case along with excerpts from the associated police report and an employment application.
As of 6 days ago, Taos County did appear on the Kairos web page as an entity whose data was stolen and from whom a ransom was demanded. I was not able to obtain the ransom amount, as that was not published. Each entity listed on the page has an indicator stating its current status: either a countdown timer showing when the ransom is due or, if the entity did not pay, a notice that its data was published (see graphic). It appears that if the ransom was paid, the entity is removed entirely from the website.
As of this writing, Taos County has been removed from the Kairos web page, the assumption being that a ransom was paid.
So how did Kairos get access to begin with? It appears that the initial breach was made by an Initial Access Broker (IAB) and that the access was then purchased by Kairos at an online auction. In researching how these IABs operate, they appear to gain access by obtaining valid login credentials; this can be done through phishing, or through employees reusing passwords that have already been exposed in breaches elsewhere. Access credentials appear to sell at auction for as little as $500.
In reviewing the Kairos web page, they list a very strict set of rules which include that the ransom amount must be paid in Bitcoin and the ransom is non-negotiable; however, if the ransom is paid within 5 days, a 20% discount will be applied. Kairos also guarantees that within 24 hours, the deletion of the victim's data will begin.
In my opinion, if a ransom was paid, it was the lesser of two difficult choices. Based on the sample data that Kairos released, a breach of this nature would have caused significant harm and humiliation to those affected and would most likely have resulted in multiple lawsuits against the county. I hope the county will see this as a wake-up call and strengthen their cybersecurity systems to prevent this from ever happening again.
-Rob Swan
Swan Realty