Wisconsin Governor Tony Evers' administration misled reporters about the severity of last month's SolarWinds government computer hack, internal emails from the Evers Administration show. When news broke on December 20th that hackers believed to be from Russia gained entry to federal government systems using security vulnerabilities in SolarWinds software, reporters from both the Associated Press and Bloomberg News contacted Evers spokeswoman Britt Cudaback as well as Wisconsin Department of Administration (DOA) spokeswoman Molly Vidal.
"Are you aware of anything in Wisconsin being targeted?" Associated Press reporter Scott Bauer asked in an email at 9:36 am on the 18th. Cudaback and Vidal forwarded this email to several other DOA administrators, who confirmed that the Wisconsin Department of Transportation (DOT) did indeed use a version of SolarWinds software.
Vidal indicated that all communication about the possible hack would be funneled through the DOA.
After a flurry of emails among staffers, Vidal put together a statement to Bauer that indicated that while the DOT did indeed use SolarWinds software, "they are not utilizing the specific versions that are vulnerable to this attack" and responded to his request at 11:33 am.
"We do not see any attempts to exploit our systems but remain vigilant," she said.
In reality, the DOA, DOT and Evers communications team were all aware that the hack was far more severe and potentially problematic than they were letting on. In an email to Cudaback at 10:24 am--a little more than an hour before Vidal responded to Bauer's request for a statement--DOT official Kristin McHugh emailed her to inform her that the hack "is something that will require a comprehensive review."
In that email, she forwarded communication from DOT Chief Information Officer Michael Kessenich, who indicated that he had asked the DOT's Chief Information Services Officer Omid Karbassi, who admitted that the DOT's Traffic Management Center uses an old version of SolarWinds "that is potentially impacted."
"They can not upgrade (SQL licensing issue) so have reviewed vendor recommended measurement to mitigate the risk," he added.
This directly contradicted the statement issued to Bauer indicating that no agency in Wisconsin used a version of SolarWinds that was vulnerable to the hack and calls into question whether DOT systems were indeed hacked since DOT officials privately concluded that it was "something that will require a comprehensive review."