RANSOMWARE ATTACK

Chatham County manager’s updated report to the commissioners outlines events surrounding Oct. 28 ‘cyber incident’

‘The threat from outside individuals is constant, and Chatham County aims to take all reasonable actions to secure our data and infrastructure’


Editor’s note: Below is the full text of a statement released by Chatham County regarding its Oct. 28 ransomware attack — which county officials have, until recently, described as a “cyber incident.” This report contains information delivered to Chatham County Commissioners by County Manager Dan LaMontagne at the board’s meeting on Monday night.

The Incident

On October 28, 2020, Chatham County Management and Information Systems (MIS) staff identified a ransomware attack against the County network that resulted in the encryption of much of its network infrastructure and associated business systems. MIS staff quickly isolated the affected systems by stopping communication across the County network and externally. Staff immediately reported the crime to the Chatham County Sheriff’s Office and enlisted assistance from other local and state agencies with specialized ransomware experience.

Forensic analysis revealed that ransomware entered the County network through a phishing email with a malicious attachment. The threat actor, identified as DoppelPaymer, acquired data from a limited number of County systems, although the data that was acquired could not be specifically determined.

The Impact

As a result of the incident, the County lost the use of its computers, internet access, office phones and voicemail. The County acquired loaner laptops from other counties, towns and Chatham County Emergency Management.

“Securing these critical resources did not result in additional expenses being incurred by the County and were instrumental in the process of getting us back on our feet as quickly as possible,” said LaMontagne.

Emergency Management was able to provide temporary internet access points and phones. Staff set up temporary email addresses for internal communication and access to the public, and the County created a cyber incident web page to inform the public.

Recovery Efforts

Chatham County Emergency Management coordinated daily briefings with stakeholders during the initial weeks of the incident. MIS staff and agency partners conducted a full rebuild of County network infrastructure. The County worked with its existing software vendors to restore business systems. MIS staff wiped and reimaged the County servers and more than 550 employee computers.

“The commissioners and I are grateful for the work that all of the County staff has done across every department in dealing with the numerous challenges that resulted from this incident,” said Chatham County Board of Commissioners Chair Mike Dasher. “We appreciate their commitment to serve the public and their adaptability to ensure that our residents continue to receive the programs and services that they count on.”

The process of restoring business systems, phones, network connection and returning County computers to staff is nearly complete. Full system recovery efforts are estimated to continue through early 2021.

The County had the foresight to mitigate its exposure to such an incident through the procurement of cyber insurance. “We are collaboratively working with our cyber insurer on this incident and anticipate that the bulk of the direct costs associated with this incident will be covered,” said LaMontagne. “We are thankful for everyone’s dedication and efforts to minimize the impact of this incident.”

Breach Notification

On February 8th, the County discovered that the cyber actor(s) responsible for the October 2020 ransomware event against the County released certain data acquired by the cyber actor(s) from the County’s servers. The County’s investigation of this event remains ongoing. This includes efforts to identify and notify every individual whose personal information may have been impacted. 

“Once the Sheriff’s Office received a tip off regarding the data breach, we acted quickly to notify all victims — mostly our own employees — whose sensitive information was copied from Sheriff’s Office files,” said Sheriff Mike Roberson. “All victims identified in our review of the stolen Sheriff’s Office data were notified and provided with Identity Theft guidance within 24 hours of confirming the contents of the appropriated files.”

The County will release information about any resources it assembles to assist individuals in protecting their information. In the meantime, the County encourages any individuals who believe they may have been impacted to remain vigilant and monitor their accounts for any suspicious activity. The County also encourages individuals who believe they may be at risk to consider placing a fraud alert and/or security freeze on their credit report. Information about these safeguards is available on the Federal Trade Commission’s website at: www.FTC.gov. The NC Department of Justice (NCDOJ) provides a free security freeze. More information can be found at: https://ncdoj.gov/protecting-consumers/protecting-your-identity/free-security-freeze.

“While I am disappointed that we are faced with this additional challenge during our recovery process, I know that our resilience will get us through this time,” said LaMontagne.

Improvements

Along with the extensive mitigation efforts taken by the County during the cyber incident, Chatham County MIS also evaluated the existing security protocols in an effort to further build upon the security of the County network. The County is evaluating and implementing additional security measures and reinforcing employee training.

“The threat from outside individuals is constant, and Chatham County aims to take all reasonable actions to secure our data and infrastructure,” added LaMontagne.

During this time, the County also took the opportunity to improve and update some of its software. These actions include upgrading to Office 365, changing from .org to .gov domain for emails, replacing CityView with OpenGov software for Chatham County Central Permitting and completing the Northwoods/Laserfiche upgrade at Chatham County Department of Social Services.

The cyber incident report can be viewed at www.chathamnc.org/cyberincident.
