Duncannon, Pa., Bolsters Cybersecurity After Ransomware Attack

Officials are increasing the cybersecurity stance of the borough after it fell victim to a ransomware attack in April. Protections include an additional layer of security with an onsite backup of its computers.

by Jim T. Ryan, The Patriot-News / June 29, 2020

(TNS) — Duncannon officials will bulk up cybersecurity following a ransomware attack in April, which left many municipal computer systems inoperable and caused the borough to pay out more than $40,000 to the hackers to restore systems. Borough officials initially did not disclose that their computer problems were caused by a ransomware attack, according to text communications that were secured in a right-to-know request.

Splashwire, the Cumberland County firm the borough hired two years ago for its information technology support, proposed a package of increased cybersecurity to prevent future attacks. But some questions remain as to how the hackers were able to breach both the borough and the IT company.

Council unanimously approved the increased security at its June 16 meeting. 

Borough treasurer Robert Kroboth said that the security proposal includes added reviews from Splashwire’s chief security officer, secure email archival and continuity measures, added security software, and cloud-based backup of all systems through Azure, a Microsoft-based system.

“Why wasn’t this done before?” asked Councilwoman Kim Conrad during the meeting.

“The borough believes it was,” Kroboth said.

Allegedly, the borough had backup systems, provided through Splashwire, but that server also was compromised in the attack, council President Jeffrey Kirkhoff said.

The added security will cost the borough about $1,700 up front, and not more than $14,000 annually, Kroboth said. The security software will cost about $83 per month and the cloud backup and storage will cost $135. With the added services, the borough would save a little money on routine access issues, like forgotten passwords or other support that was previously billed per call. 

The borough is looking at adding an additional layer of security with an on-site backup of its computers. The redundancy could make it easier to recover systems.

The borough is under contract with Splashwire until next year, Kroboth said. Putting IT services out for bid will be a lengthy process, but council could address that later. An attempt to reach the company for comment was unsuccessful.

In April, the borough was hit by ransomware, which made its computer systems inoperable. The hacker demanded $50,000, which the borough eventually paid because it couldn’t restore its systems from the backup that Splashwire was supposed to provide. 

At the time, the borough declined to give specifics about its IT problems, telling the public it was looking into it with Splashwire. Kirkhoff, when asked specifically about hackers and security breaches by the newspaper, said he couldn’t comment because the borough didn’t want to put out false information before officials knew what was happening.

However, text message communications among council members and staff immediately preceding the April council meeting showed they knew then that it was a ransomware attack and were already planning to pay the hackers because they knew their systems couldn’t be recovered.

Kraig Nace, the former council president, filed the right-to-know request last month asking for borough communications prior to the April 21 meeting regarding the security breach. 

In those messages, council members and staff questioned why Splashwire didn’t have a secure backup of borough systems. They also started setting in motion the plan to pay the ransomware sender to retrieve access codes that would unlock the borough systems. They conferred with borough solicitor Bill Dissinger and agreed not to discuss the attack at the meeting under the premise it was an executive session matter. 

Kirkhoff texted to everyone else just before the meeting: “All, I confirmed with Bill, the hacked financial information situation and payment will not be discussed at the meeting tonight. Until we have complete control of our files, this matter should be treated as something that would be discussed in an executive session.”

Last week, Kirkhoff defended that decision, saying not only was it a legal matter that wouldn’t normally be discussed in public, but the borough also didn’t want to complicate things before they had control of their systems.

“We didn’t want to make it public and have the hackers do something worse,” he said. 

Even though the borough was being cautious, the hackers still pulled a fast one on it.

The attack occurred on April 10 and was noticed by Kroboth on April 11, when he went to the office to work on his treasurer’s report, according to the text messages. Splashwire contacted the borough about it Monday, April 13. 

The original ransom was $50,000. The hackers lowered it to $35,000, but demanded payment by April 23, according to the borough. 

The borough paid the ransom on April 21 before the meeting, according to the text messages. That same day, the hackers gave the borough the tools and key codes to unlock its systems, with the exception of certain files on a virtual server. They then demanded another $10,000, which they lowered to $5,780. The borough paid the sum and received access to the remaining files.

Splashwire hired a company called Coveware — specialists in ransomware attacks — to assist in the restoration after the ransom. The borough and companies are tracking the tech service costs for coverage by its insurance.

Kirkhoff also tried to calm fears that the borough wasn’t concerned about personal information of residents or employees. None was stored in the computers.

“The first thing we did when this happened was ask, ‘Do we have any personal info on the computers?’ even though we knew we didn’t,” Kirkhoff said.

Borough data, email and records involved in the breach included the electric supply, trash collection, water supply, and sewer service as well as the regular business of the municipality. 

The borough contacted Pennsylvania State Police, and Splashwire contacted the FBI, the borough said May 20 when it revealed the full extent of the attack.

Kirkhoff advised the public not to make assumptions about who hacked the borough. The hacker’s identity and the pathway to breach the computers are unknown, he said. But it was a sophisticated operation, not a run-of-the-mill theft. Misinformation will not help matters.

“That’s some of my frustration as we’ve been dealing with this,” Kirkhoff said.

©2020 The Patriot-News (Harrisburg, Pa.) Distributed by Tribune Content Agency, LLC.
