Cyberattacks: A quiet threat to municipalities

Matt Kelly
Tim Groth, director of Information Technology for Yates County, and his staff keep a close eye on the computer systems within each of the county's departments.

Tim Groth is the director of Information Technology for Yates County. He’s also a member of the Farmington volunteer fire department. Groth says there are two things that will get his heart pounding with the same level of adrenaline: a call for a fully-involved structure fire with people trapped inside and an alert that the computer network he’s responsible for could be under attack.

These network alerts, like structure fire calls, don’t come often. But when they do, Groth and his team of four IT specialists have to respond. He says there have been times the team has had to act quickly to isolate a compromised computer before trouble spread to the entire county system. The IT Department is on call 24 hours a day, seven days a week to ensure the network remains safe.

Because in today’s world, it’s no longer a matter of “if” a small town will be hit with a cyberattack – it’s a matter of “when.”

“Each county throughout every state is going to be touched by this at some point,” says Groth. “Are you prepared enough to deal with it? Are you prepared enough to bring yourself back from it?”

A cyberattack is any attempt by an individual or organization to steal, destroy, disable, alter or otherwise gain unauthorized access to information stored on someone else’s computer. These attacks come in different forms and are carried out for different reasons. Targets include hospitals, schools, public libraries, law enforcement and municipalities.

This past August, over 20 entities in Texas, mostly smaller local governments, were hit by ransomware in what Texas state officials have described as a coordinated attack by an outside actor. Ransomware is a specific kind of cyberattack that prevents legitimate users from accessing their own files by encrypting them with strong encryption, so they cannot be read, and then demanding payment for the key that unlocks them. Some forms of ransomware will gradually destroy the information, file by file, until the ransom is paid. These different varieties have names like Petya, RobbinHood, Ryuk, and SamSam. The New York Times recently reported that 40 municipalities have been the victims of such cyberattacks this year. Here in western and central New York, recent targets of ransomware have included:

• Syracuse City School District, July 2019

• Onondaga County library, July 2019

• Olean Medical Group, June 2019

• Seneca Nation Health System, June 2019

• Watertown Daily Times newspaper, April 2019

• City of Albany government, April 2019

• Hamilton College, March 2019

• Finger Lakes Health, March 2018

• Schuyler County government, August 2017

• Erie County Medical Center, April 2017

Tim O’Hearn, the Schuyler County administrator, can tell you exactly what it’s like to come under attack and recover from it. On August 29, 2017 – just a few days before the Labor Day weekend – the computers in the county office building started shutting down all on their own, the monitors filled with illegible graphics and “fuzz.” The email system was compromised, so O’Hearn had to fall back on the emergency notification system of sending text messages to all department heads and the legislature.

“We knew pretty quickly there was something wrong,” he says.

At the request of the county, the New York State Office of Information Technology Services responded to the attack by deploying resources from the New York State Cyber Command Center. According to O’Hearn, ITS had a team on the ground within hours to take charge of the on-site investigation and to work with the county’s IT department. When they returned to Albany, the state team took all of the county’s servers with them for continued forensic analysis.

Several days later, O’Hearn learned what had happened: the county network had been hit by the SamSam ransomware.

O’Hearn was told that the ransom being asked was six Bitcoins as a single payment or one Bitcoin per computer. Bitcoins at the time were valued at around $4,500 each. The ransom, then, would have been either $27,000 in one lump sum or, at one Bitcoin per machine, several million dollars to unlock each computer, one by one.

The decision was made not to pay the ransom. That was the advice O’Hearn was given by experts at the time, and it’s still the advice given by experts like the Federal Bureau of Investigation.

“Number one, you don’t know that you’ll get your data back,” says O’Hearn. “And number two, (you don’t know) if you’ll still be vulnerable as a result of that.”

So the county bought brand new servers and started the process of rebuilding their systems from the backups that were regularly stored at BOCES. Recovering from the attack, becoming “largely functional” again according to O’Hearn, took six months to a year because the process varied by department.

Departments that primarily relied on the county’s local computer system, such as Mental Health Services, were hit the hardest and took the longest to rebuild. The most recent backup for Mental Health Services was 30 days old at the time of the attack, so a month’s worth of data was completely lost and had to be re-entered from paper records.

“In 90 percent of the cases that was the case,” says O’Hearn. “There was some data that was just flat out lost. Never being able to recover it.”

However, departments that predominantly use state computer systems based in the cloud were largely unaffected. The Department of Motor Vehicles, for example, never lost the ability to do what most people need it to do: process registrations and driver’s licenses.

Both the Schuyler County Board of Elections and Emergency Dispatch use computer systems separate from the county network. However, even they were not immune to the attack. The mapping software used by dispatchers was based on local servers and was knocked out of action; it took three months to rebuild.

While 911 never stopped taking calls and sending out responders, the loss of the mapping software meant dispatchers were unable to pull up specific location details like street coordinates or a map of a residence.

O’Hearn says the recovery process cost Schuyler County about $100,000. Insurance covered the direct recovery efforts, which came to nearly half of that total.

“Thankfully, we elected to take cybersecurity insurance, which turned out to be a godsend in this case,” he said. Through its insurance company, the county was also able to engage the services of a data breach coach: a third party that worked with the state’s ITS team to certify that no data had been stolen as part of the attack.

“They were able to certify to the best of anyone’s knowledge there was no data breach,” says O’Hearn. “And we haven’t experienced any issues as a result of breaches.”

O’Hearn says the county also learned that their insurance coverage would not have been nearly enough to cover an actual breach. “We had $100,000 coverage when we would have needed at least a million (dollars), even as a small county, for notifications and the required responses,” he says.

The greatest inconvenience for the county as a result of this attack was the loss of capacity to serve the community. O’Hearn says the county government remained functional during the recovery process but had to rely on the “old-fashioned way” of doing things: pen, paper and physical records. This made providing services less efficient than they should have been. And, he says, “We would not have been able to sustain that level of effort for an extended period of time.”

Ransomware is commonly delivered through an email that contains an attached file or a link to a website that will download the malicious software to your computer. The recipient is tricked into opening the file or clicking the link because the email is made to look as though it came from a legitimate and trusted source, such as UPS, FedEx, another vendor or a marketer.

But other types of ransomware, like SamSam, find their way onto a network without tricking anyone: the attackers use brute-force attacks, repeatedly guessing usernames and passwords for services that are reachable from the internet, such as remote desktop logins, until one works. Back in 2017, at the time of the Schuyler County attack, a weak spot could have been something as simple as a guest account on the network with a default password that was never changed; default credentials like that are published in product manuals and can be learned or guessed by would-be attackers, and once the attackers are logged in they can spread the ransomware themselves.
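The password-guessing attacks described above leave a recognizable trail in login records: many failures from one source in a short time, sometimes followed by a success. The detector below is an added example, not code from the article or from any county's IT department. It assumes a constructed one-line-per-attempt log format ("timestamp src=ip user=name result=ok|fail"), as a remote-desktop gateway or VPN might produce; real sources such as Windows Security event 4625/4624 or sshd need their own parser, but the grouping logic is the same. It flags a source after more than a threshold of failures inside a sliding window, flags any later success from that source (the sign that a guess worked), and separately flags successful logins to accounts that commonly ship with default passwords.

```python
"""Brute-force login detector over a constructed authentication log.

Added example, not code from the article or from any county's systems.
The log format is an assumption: one line per attempt,
"<ISO timestamp> src=<ip> user=<name> result=<ok|fail>".
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(ok|fail)$")

# Accounts that frequently exist out of the box and keep a default password.
DEFAULT_ACCOUNTS = {"guest", "admin", "administrator"}


def parse_line(line):
    """Parse one log line; return (timestamp, src, user, ok) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, user, result = m.groups()
    return datetime.fromisoformat(ts), src, user, result == "ok"


def detect(lines, threshold=10, window=timedelta(minutes=5)):
    """Return alerts as (kind, src, user, timestamp) tuples, in log order.

    kind is one of:
      "bruteforce"    - more than `threshold` failures from one source within `window`
      "success-after" - a successful login from a source already flagged as brute-forcing
      "default-acct"  - a successful login to an account in DEFAULT_ACCOUNTS
    """
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # ignore lines that do not match the expected format
        ts, src, user, ok = parsed
        if ok:
            if user.lower() in DEFAULT_ACCOUNTS:
                alerts.append(("default-acct", src, user, ts))
            if src in flagged:
                alerts.append(("success-after", src, user, ts))
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > threshold and src not in flagged:
            flagged.add(src)
            alerts.append(("bruteforce", src, user, ts))
    return alerts


# Constructed sample log (documentation IP ranges, invented users and times):
# one ordinary user, then 12 rapid failures against "guest" from one address,
# followed by a success from that same address.
SAMPLE_LOG = (
    ["2017-08-28T23:10:00 src=203.0.113.7 user=jsmith result=ok"]
    + [f"2017-08-29T01:00:{s:02d} src=198.51.100.23 user=guest result=fail"
       for s in range(0, 60, 5)]
    + ["2017-08-29T01:01:00 src=198.51.100.23 user=guest result=ok",
       "this line is not in the expected format",
       "2017-08-29T01:02:00 src=203.0.113.7 user=jsmith result=fail",
       "2017-08-29T01:02:30 src=203.0.113.7 user=jsmith result=ok"]
)


if __name__ == "__main__":
    for kind, src, user, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:14} src={src} user={user}")
```

On the sample log the detector raises three alerts: a "bruteforce" alert on the 11th failure from 198.51.100.23, then a "default-acct" and a "success-after" alert when that address logs in as guest a few seconds later; the single failure from jsmith stays below the threshold and is ignored. The threshold and window are the tuning knobs: a lockout-style threshold of 10 in 5 minutes catches the rapid guessing seen here, while a slow guess-every-few-minutes attacker needs a longer window.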

When asked how Schuyler County’s computers became infected, O’Hearn says it was not “employee related” but declined to share any specific details. “They found a weak spot,” he says of the attackers.

When asked who carried out the attack, O’Hearn says, “They were never able to identify a responsible party for this.”

However, in November 2018, the U.S. Department of Justice announced that two Iranian men had been indicted by a federal grand jury for creating and deploying the SamSam ransomware against 200 different victims in the United States, including hospitals, municipalities and public institutions. (SamSam is the same malware that locked down the Erie County Medical Center network in 2017.)

Over the course of three years, the men allegedly collected more than $6 million in ransom payments and caused over $30 million in losses to the victims.

It’s strange — almost impossible — to believe that Iranians or Russians or any other foreign actor would be interested in attacking local governments here in the Finger Lakes. But attackers don’t really care about Schuyler County or Yates County in particular; it’s just business, impersonal and transactional.

And any entity with a presence on the internet is a potential target.

This is the first story in a two-part series about cyberattacks that have occurred in our region of New York and the potential for future attacks. 

Next week: Who is behind these attacks? And what is Yates County doing to prepare for such an event?