CHATHAM’S CYBER INCIDENT

County ‘pretty close’ to recovering from attack; manager to present details to board on Feb. 15

Posted
Updated:

PITTSBORO — There was a point at the beginning of Chatham County government’s recovery from a devastating Oct. 28 cyber incident that Dan LaMontagne found himself relegated to performing his job as county manager using an unconventional piece of technology: a discarded laptop computer pulled from his daughter’s room.

“She had an old HP that we’d put in the closet, because she had gotten a new computer,” he said. “I was like, ‘Well, I need a computer. I’ve got an old one. Let me get it.’ And that was what I used for a long time.”

It was an unconventional — but at the time, absolutely necessary — scenario for LaMontagne and many of the county’s 580 employees.

And one that LaMontagne and county staff, despite having previously discussed the possibility of a security breach, never could have fully anticipated.

As of today, more than three months removed from the attack that took down not just the county’s computers, but its telephone system, voice mail, email and business systems, the man who’s overseen the rebuilding of that system says the county is “pretty close” to a full recovery.

“I can’t say ‘completely,’ but we think every staff person has a computer back,” LaMontagne said.

Now that things are almost back to normal, LaMontagne will provide a full report on the incident at the Chatham County Board of Commissioners’ Feb. 15 meeting. He plans to include a written report to go along with a visual presentation, and to address a number of specifics about the events that — until now — he hasn’t commented on publicly.

For now, a summary to date: the hard drives of nearly all of the county’s desktop and laptop computers — more than 500 of them — have been wiped clean, stripped down and reimaged, and are back working. Phones and voice mail are functioning. Employees, who improvised for weeks with hastily-created gmail.com email addresses, and worked from their own personal computers and tablets and cell phones, have working email accounts using the county’s new “chathamcountync.gov” domain extension. Servers have been rebuilt. Fewer and fewer work tasks are being performed “by hand” or using what LaMontagne described as “’80s technology.”

And while there is some unfinished business — customization of some computers, accessibility to some parts of the county’s website, and final fixes within the county’s permitting and inspections offices and within some county library systems — LaMontagne and his team see a light at the end of what, at times, has been a very dark tunnel.

The breach

The breach — the county has characterized it as an “incident,” but has been silent about how it occurred — happened a week before the Nov. 3 election. It did not affect the county’s early voting process or 911 emergency communication, Public Information Officer Kara Dudley said at the time, but hampered just about everything else.

Weeks into the repair, Dudley would not confirm a report that the State Bureau of Investigation was involved in an ongoing investigation; occasional update reports would simply say that the county was “partnering with law enforcement and support agencies to recover from this incident as soon as possible.”

Despite the loss of technological tools and all but face-to-face communication for a period, LaMontagne — who’s coming up on his second anniversary as county manager — points out that at no time did the county stop providing any of its core services to Chatham residents.

“We just weren’t doing it as well,” he said. “We provided the services, but not nearly as efficiently as we do with technology. And, you know, thankfully, we have technology to help us with efficiency — but it sure hurts when it goes away.”

The situation necessitated seven-day workweeks for some staff, complicated by the COVID-19 pandemic and some mid-fix operational decisions — such as moving away from the county’s “chathamnc.org” domain and transitioning from Microsoft Office software programs to the cloud-based Office 365 system — that ultimately created even more work for LaMontagne and his team.

“I said, ‘You know, when you’re in the middle of a lot of stink, a little bit of stink doesn’t hurt so bad,’” he said. “When you’re in the middle of a lot of pain, that little bit of pain really didn’t mean anything to us. So when these decisions had to be made, I said, ‘Let’s just do it.”

LaMontagne credits the work of Chatham’s MIS (management information systems) staff, including Director Nicholas Haffele, for their diligence during the recovery period. He lauded the entirety of the county’s staff for their good humor and spirit and resilience during the recovery process — not to mention the many small acts of kindness done by and on behalf of his employees.

He also recounted the early days after the Oct. 28 breach, when staff telephones “were basically paperweights” and communication required going by foot from one office to another trying to locate the co-worker you were searching for — who may have actually been working from home during the pandemic.

“We did a lot of walking,” he said.

The cost

LaMontagne said it’s been hard to measure the exact cost, in dollars and time and lost productivity, of the breach. He says his focus, and the focus of his staff, has been on “getting it up and running.”

“It’s taken a lot of effort, of course, in the middle of the pandemic and the vaccination effort,” he said. “That’s monumental. We haven’t really taken the time to evaluate that just yet. We will evaluate that. Financially, we were able to work through a lot of this within our contracts. We had to rebuild some of our servers, but we fortunately had stipulations in our contracts that if in some way this happened, they’d rebuild them for us. We also had insurance against this.”

So how did “this” happen? Was it just a matter of someone clicking on an attachment in an email, or was it something similar to the “Ryuk” ransonware which attacked the City of Durham’s last March?

“You’ll hear about that on the 15th,” LaMontagne said.

According to a report in the Raleigh News & Observer, ransomware viruses are known to attack local government entities, gaining access to a system and then demands large payments. Durham County Manager Wendell Davis told the newspaper the malware has collected $3 billion in ransoms in past attacks.

And did the culprits indeed ask for $500,000 Bitcoin ransom in Chatham County, as has been conjectured by at least one person claiming knowledge of the attack?

“They don’t know what they’re talking about,” LaMontagne said in response to that claim. “They were speculating if they did say that, because there’s some inaccuracy there for sure. But you know, this has happened in other places. You’ve seen similar situations in other places. It’ll be shared on the 15th exactly what it was. I really don’t want to talk about it until I let the board know.”

It’s not “super-secret” information. LaMontagne says he just wants the commissioners to hear it first.

What will remain secretive is how the county is ensuring such breaches don’t occur again.

“We did quite a bit to enhance security,” LaMontagne said.

Did he want to say specifically what those changes were?

“No.”

Pause. Then a laugh. 

“I’m not going to tell you,” he said, “where the alarms are set.”

What LaMontagne did reveal, though, is the value he placed on seeing his staff persevere throughout the last few months in extraordinary circumstances.

“That’s why I said our ‘Employee of the Year’ was every single, solitary employee we have,” he said. “You can’t pick one. There’s too many good people. And everybody went through a lot of tough things. Each individual, each individual department and each individual employee in those departments just stepped up in the way they needed to, and has been through a lot of adversity with the pandemic and this event. It’s been a big challenge.”

Chatham commissioners will meet on Feb. 15 at the Chatham County Agriculture & Conference Center in Pittsboro, beginning with a work session at 2 p.m.

chatham LaMontagne cyber attack ransom ransomware Pittsboro Siler City Dudley