Nearly two months after a “cyber incident” shut down many of Chatham County’s government functions, the source of the Oct. 28 event is still unknown.
While most of the recovery of the county’s email and phone systems is complete, Chatham County Manager Dan LaMontagne said the specifics of the attack — what information, if any, was breached and who caused the incident and why — won’t be released until the investigation is complete.
“Once the incident was detected on October 28th, Chatham County went into incident-response mode. We quickly took services and systems offline to contain any impacts, and we activated key partners to help us navigate and respond,” LaMontagne said. “I continue to be blown away by the flexibility and positive attitudes of Chatham County staff. Every department sprang into action to adapt its processes to continue serving the public, and employees have also reached across departments to offer help and support for one another.”
While some details remain unknown, county officials say the shutdown — which they describe as an “incident,” and not an “attack” — didn’t cause any serious data breaches or impact the county’s 911 communications or early voting operations. The Oct. 28 event came just days before Election Day, while early voting was taking place, but voting operations took place over a statewide network and so were not affected.
“Everyone’s patience is greatly appreciated as we understand there have been some inconveniences and delays in service,” Public Information Officer Kara Dudley said in an email release days after the incident. “Thank you for your continued support as we continue to work through this situation.”
Once the county learned of the incident, it shifted many operations into manual mode and established workarounds to facilitate delivery of public services — though some were temporarily suspended.
The Register of Deeds, for example, temporarily recorded paper documents to process vital records and marriage licenses. Human Resources processed paper time sheets for more than 580 employees, and the Finance Department has completed payroll by hand to ensure that no employee missed a paycheck — both departments recently received new time keeping software. Currently Development Services, Veteran Services and the Utilities and Water Division are still working with paper.
LaMontagne said the Management and Information Systems (MIS) Department is leading the county’s efforts to repair and restore its services and systems. Emergency Management has also played a key role in managing the incident, he said, overseeing county staff’s access to temporary phones, email, computers and WiFi hotspots.
“Having our experienced Emergency Management team lead these efforts has allowed MIS to focus on its critical work to get systems repaired and operating again so that our departments could continue serving the public,” he said.
At this point, most of the county’s office phones are operating again, though the voicemail system is still being repaired. LaMontagne said that system is expected to be restored “in the coming days.” Chatham County employees are receiving their computers through a phased process, based on prioritization of departments and their employees’ responsibilities in serving the public. The county’s Geographic Information Systems rebuild is also complete, he said.
The county is transitioning to a .gov email domain for county employee email addresses, with emails sent to the previous .org domain to be forwarded for a period of time. Dudley said “the floodgates opened” on Monday, with some employees beginning to receive emails they’d been unable to view the last two months from their previous .org addresses. Staff members who used temporary email addresses during the intermediate time frame, began setting up automatic replies informing people of their new email address.
“We continue to adjust and refine the delivery of those services that were only partly interrupted and to pursue ways to reactivate any services that were completely affected,” LaMontagne said.
Now in the process of full restoration, the county has deployed enhanced monitoring tools to gain additional visibility throughout the network.
“A timeline has not been established for full service restoration at this point, but we continue making steady progress,” LaMontagne said. “We are doing everything we can to recover as swiftly and efficiently as possible. In fact, our state and federal partners have commented to us that we are recovering more quickly than some other municipalities that have experienced similar incidents.”
In the Triangle, Durham and Orange County governments were also recently hit by cyberattacks — Durham in early March by a malware attack that targeted its operation systems and information technology, and Orange County in March 2019.
That Orange County incident is possibly still under investigation, The News & Observer reported on Saturday, but the city and county of Durham are completely recovered.
In Chatham, LaMontagne said the county is cooperating with law enforcement on their investigation, with the expectation that the investigation will conclude in coming weeks.
County officials have not confirmed reports with the News + Record that the FBI was involved in the investigation of the incident, or addressed questions about whether that incident involved a request for a ransom or a payment of any kind.
“Chatham County government provides valuable and often life-saving services to the community, and nothing is more important than ensuring that we can still provide these services,” LaMontagne said. “I couldn’t be more proud of Chatham County’s adaptability and resiliency. Not only are we still addressing COVID-19 and operating with specific protocols related to the virus, our staff has juggled the handling of this cyber incident with positive attitudes and have continued to adapt to serve the public while also supporting one another.”
You can learn more about the cyber incident on the county’s website, at https://www.chathamnc.org/about-us/cyber-incident.
Reporter Hannah McClellan can be reached at hannah@chathamnr.com.