Q&A: As county recovers, LaMontagne provides additional info

Chatham County Manager Dan LaMontagne provided an update on Chatham’s cyber attack to county commissioners last week. This week, he responded to questions from the News + Record as he and other officials continue to guide the county’s recovery from the breach.

What kind of training did county employees get about cyber attack prevention prior to the breach?

Chatham County employees receive security training as part of their employee orientation that includes information on what to look out for with regard to phishing emails and other social engineering tactics. Additionally, spoof phishing emails are periodically sent out to staff to test their awareness of phishing emails. Information about whether they click on the email, links, attachments, etc., can be documented and utilized to retrain staff, as necessary.

Do you know which employee opened the phishing email?

Like many local governments, Chatham County faces constant threats from such criminal activities, which are increasingly sophisticated. Any employee(s) who opened malicious attachments have been or will be addressed as a personnel matter.

Which agencies and law enforcement groups are assisting the county now with the incident and recovery?

Chatham County worked with N.C. Emergency Management and the FBI at the onset of the incident and has been in communication with the N.C. Dept. of Health and Human Services (NCDHHS) and the N.C. Attorney General’s (NCAG) office on notification requirements. Additionally, we received assistance in the form of loaner computers from municipal and county government partners.

Have the assisting agencies/law enforcement and/or the county seen the data that’s been posted online?

The county, Sheriff’s Office, and N.C. Emergency Management have seen the stolen information and we have been reviewing every file in an effort to identify and notify every individual who may have been impacted by this release of stolen information.

What communication have you had from DoppelPaymer, who has been identified as the culprit, from start until now?

None beyond the initial ransom note.

Do you have a sense of how long the threat actor had access to the county’s network before the ransomware request was communicated? And do you know the period of time which elapsed from the first intrusion to the data theft to the ransom request?

The first sign of malware intrusion on our network was on Oct. 26, 2020. Malicious activity was observed the day prior to the ransomware event and was mitigated based on our existing security protocols at the time. County staff became aware of the ransomware attack in the early morning hours of Oct. 28, within hours of the onset, and worked quickly to isolate our network from further attack.

Who was involved in the decision-making process to NOT pay the ransom?

We were informed by our agency partners, including the FBI, early in the response that the threat actor involved in this incident is tied to a group on a U.S. Treasury sanctions list. So, it would be illegal for any person subject to U.S. jurisdiction to pay such a ransom.

Has the county cut ties with any vendors as the result of the incident, or hired any new vendors?

No. We did switch vendors for our permitting software, but that was unrelated to the cyber incident and was underway prior.

We’re curious about the county’s computers and operating systems before the cyber incident. Were devices current, and what upgrades had been made prior to the breach?

We regularly keep our computers up to date on a computer replacement schedule, so we did not have a situation where old computers were being used.

Do you know what, if any, data the county lost as a result of the incident?

Due to the quick response of our staff to limit the attack, it appears that the only unrecoverable data of note will consist of the loss of emails from May 2020 to October 2020.