Stolen county files reveal severity of breach; manager briefs commissioners on $708K ransomware attack

Data includes personal info about local residents, current and former county employees

Stolen Chatham County government files posted online following an Oct. 28 ransomware attack contain personal information — including data such as Social Security and bank account numbers — of some local residents, in addition to current and former county employees.

Meanwhile, the county is working to identify and notify every individual whose personal information may have been shared, Chatham County Manager Dan LaMontagne told commissioners as part of a report he made on the attack at the board’s regular meeting Monday evening.

The county is encouraging anyone who believes they may have been impacted to “remain vigilant and monitor their accounts for any suspicious activity,” and to consider placing a fraud alert and/or security freeze on their credit report.

The stolen data files were posted after Chatham County failed to pay a 50 bitcoin ransom — the cryptocurrency was worth roughly $708,000 on Nov. 4, a week after the attack — to DoppelPaymer, the “threat actor” responsible for the breach, LaMontagne told the News + Record after Monday’s meeting.

Cybersecurity experts routinely warn businesses and entities not to pay ransomware demands, saying it incentivizes cybercrime. But not paying the ransom poses the threat of stolen files being made public in retaliation, as happened in Chatham County’s case.

The News + Record reviewed many of the more than 14,000 documents posted by the international cyber criminal group, provided to the newspaper by a cybersecurity expert on the condition of anonymity. Some of the most sensitive data files discovered included statements provided by Chatham County children who were victims of sexual abuse, performance evaluations and healthcare documents of current and former county employees and folders of files from criminal investigations labeled “closed” and “open.”

Non-employees whose data was posted include disadvantaged Chatham residents who relied on county services and those served with eviction notices, subpoenas or arrest warrants.

A ‘phishing’ attack

In his report Monday, LaMontagne confirmed that the county’s network was breached through a “phishing” email — a fraudulent practice intended to induce the recipient to open the message — with a malicious attachment back in October. The attack meant the county lost its computers and network, email, telephone and voicemail systems.

As a result, the hard drives of nearly all of the county’s desktop and laptop computers — more than 550 of them — had to be wiped clean, stripped down and reimaged. Employees improvised for weeks with hastily-created gmail.com email addresses and worked from their own personal computers, tablets and cell phones. Many tasks were performed “by hand” or using what LaMontagne described as “’80s technology.”

But as more and more of county government work infrastructure came back online, it wasn’t until last week that the county realized sensitive data files had been uploaded to publicly accessible websites.

“On February 8th, the County discovered that the cyber actor(s) responsible for the October 2020 ransomware event against the County released certain data acquired by the cyber actor(s) from the County’s servers,” LaMontagne’s report said. “The County’s investigation of this event remains ongoing. This includes efforts to identify and notify every individual whose personal information may have been impacted.”

The News + Record first questioned county officials about those posted files on Feb. 8, inquiring by email about the county’s knowledge of the public postings and what efforts had been made “to identify and notify every individual whose personal information may have been impacted.” Those questions were posed to the county within an hour of confirming files and documents the newspaper saw were, in fact, Chatham County’s.

In a response a day later, LaMontagne said: “Currently we are going through the files on the server that were encrypted to collect the names and addresses of individuals whose (personally identifiable information) or (protected health information) may be at risk of exposure. Those individuals will be notified of the situation and a call center will be available to those individuals for questions.”

Chatham County has continued to work with state officials, including those from the Attorney General’s Office, on notifying employees and others, according to statements from LaMontagne, to safeguard those affected.

Cybersecurity experts warn that stolen data files containing personal information are sometimes sold to criminal entities which, in cases of failed ransomware, use them to apply for credit cards and run up thousands of dollars of unauthorized purchases. Making those affected aware of the theft as soon as possible, one cybersecurity specialist who reviewed the contents of some of the stolen files said, is paramount.

LaMontagne sent an email message to county staff regarding the stolen data and a News + Record story that was published on Feb. 9, according to a county employee who provided the email message to the newspaper. That message contained some of the same language used in an earlier statement provided to the newspaper about the posting of the stolen files.

In that email to employees, LaMontagne said the county was reviewing files on the impacted server to collect the names and addresses of people whose “protected health information” or “personally identifiable information” may be at risk of exposure.

“We are concerned about any sensitive files that may have been accessed and published, and we are working diligently to address the situation while continuing our recovery efforts,” the email said, adding that county staff has worked with state-level officials to meet notification/reporting requirements of such a breach.

State law requires businesses affected by “a security breach” to notify any “affected person” of the breach “without unreasonable delay, consistent with the legitimate needs of law enforcement … and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.”

But the same law says the definition of business “shall not include any government or governmental subdivision or agency.”

Prior to Monday’s meeting, some county employees had expressed concerns about not being notified of the data breach before the News + Record’s Feb. 9 article was posted; a Feb. 14 follow-up story, posted online, conveyed those concerns. LaMontagne revealed publicly on Monday that the county did not learn about the breach until Feb. 8, the day the News + Record first inquired about the stolen data.

He had previously declined to answer the News + Record’s questions about timeline of discovery of stolen information, but maintains the county’s response has been proper.

“We will continue to engage in these conversations with our breach counsel, NCDHHS and the AG to ensure we respond in the most appropriate manner possible as it relates to the data accessed from our network during the ransomware incident,” he said in the email to employees. “In the meantime, individuals who are concerned about their personal information being accessed may utilize a free security freeze, provided by the NC Department of Justice (NCDOJ).”

(More information can be found at: https://ncdoj.gov/protecting-consumers/protecting-your-identity/free-security-freeze.)

Increasing attacks

“The extent of the breach does not surprise me at all,” said David Delaney, former senior cybersecurity attorney for the U.S. Dept. of Homeland Security who now lives in Chatham. “Ransomware is an increasingly common attack not just against government entities like Chatham County but also in the private sector.”

Via the Oct. 28 attack, DoppelPaymer gained access to Chatham County’s government network; the attack “resulted in the encryption of much of our County network infrastructure and associated business systems,” LaMontagne wrote in a report on the breach included in the agenda packet for Monday’s meeting.

Ransomware is the deployment of malicious software — often through an email attachment opened by an unsuspecting recipient — to infect and lock computer networks or files until a ransom is paid. Upon payment, the victimized entity typically receives a decryption key to unlock its data.

Brett Callow, a threat analyst at Emsisoft — a company which creates software to protect clients from malicious websites and malware — told the News + Record that the “only” answer to ransomware was simple: never, ever pay the ransom.

“It’s always the wrong decision,” he said. “It simply incentivizes the criminals and in no way guarantees that you will get your data back. The only way to stop this is to make it unprofitable. It’s going to continue to be a problem as long as it’s profitable.”

In the report, LaMontagne writes: “Ultimately, Chatham County took advice from all resources and proceeded with full system recovery” — which involved wiping the hard drives of those county-owned computers — “rather than paying the ransom demanded by the ransomware threat actors.”

There are no reporting requirements about ransomware attacks, Callow said. He estimated that between a quarter and a third of government entities and businesses subject to such attacks ultimately pay a ransom. He also estimated that fewer than 1% of ransomware cases are ever prosecuted.

On Nov. 4, a week after the breach and with the ransom not paid, DoppelPaymer released a selection of mostly innocuous county files on the “dark web” — encrypted online sites not found via conventional search engines — and the “clear web” via select key search criteria.

Almost three months later, DoppelPaymer demonstrated the extent of its acquisition, this time posting several hundred folders of files of compromising data on its site. The actual number of documents posted takes up more than six gigabytes of hard drive space.

A cyber expert who perused the data told the News + Record in response to the review, “This is … terrible. It’s as bad as I’ve ever seen.”

Cyber crime experts suspect that DoppelPaymer is operated in Russia, headed by 33-year-old Russian national Maksim Yakubets. The Ukrainian-born hacker employs dozens of cyber criminals who target governments and companies around the world, potentially working on behalf of the Russian government, according to Newsweek and National Public Radio reports.

“This kind of crime is something that very much looks like (what) these criminal actors do throughout the world,” Delaney said.

The cyber expert who provided the News + Record access to the stolen files said that a review of criminal elements’ upload sites indicated ransomware attacks all across North Carolina — observing data from entities in Shelby and Rocky Mount, as well as Guilford, Haywood, Duplin, Person, Surry and Mitchell counties, just to name a few, on sites of the criminal actors known for ransomware and hacking.

LaMontagne praised his staff again on Monday for the work they’ve done to recover from the attack; he’d previously told the News + Record that many staff were working nights and weekends to ensure services to county residents went uninterrupted.

Gomez Flores questions tax lien advertising

Prior to Monday’s board meeting, Chatham County commissioners had not commented publicly about the breach of stolen data. However, at Monday’s meeting, Commissioner Franklin Gomez Flores raised the issue of penalizing the News + Record for its coverage of the incident by not paying for the publication of a listing of the county’s tax liens in the newspaper, as is required by state law.

N.C. General Statute §105-369 — entitled “Advertisement of tax liens on real property for failure to pay taxes” — states that a county’s tax collector “shall advertise county tax liens by posting a notice of the liens at the county courthouse and by publishing each lien at least one time in one or more newspapers having general circulation in the taxing unit. The municipal tax collector shall advertise municipal tax liens by posting a notice of the liens at the city or town hall and by publishing each lien at least one time in one or more newspapers having general circulation in the taxing unit.”

As part of that process, commissioners must formally vote on a request to approve the tax lien advertisement; state statute requires the advertisement to appear between March 1 and June 30, with the cost of the advertising paid by the county.

Near the start of Monday’s meeting, Gomez Flores asked for the tax lien advertisement issue — which was on the board’s consent agenda — to be discussed separately. The consent agenda is a grouping of non-controversial items approved by a single vote at the start of the meeting; Gomez Flores wanted that item pulled out and decided on its own.

After LaMontagne’s report, that question came before the board. Gomez Flores said community members had expressed concerns as to how “a statewide newspaper was able to get this information before they did,” referring to the Raleigh News & Observer’s publishing of the News + Record’s Feb. 9 story on its website.

“So it kind of falls off a domino effect,” he said. “Personally, me, I would much rather have been told, personally, approached before major news was released. With that being said, I feel very uncomfortable doing business with an entity that our community members feel like side-blinded them in a way.”

Commissioners inquired whether the publication of the tax liens was required by state law; county attorney Bob Hagemann confirmed it was.

“The governing board must order the tax collector to advertise the tax liens,” he said, adding that there’s no discretion for the board on the matter.

The board ultimately passed the item by a 4-1 margin — with Gomez Flores casting the dissenting vote.

After the vote, Commissioner Karen Howard said she shared Gomez Flores’ concerns, but did not elaborate.