Luzerne County, Pa., Still Coping with Cyberattack a Year Later

The county has racked up nearly $590,000 in expenses recovering from the cyberattack to date. Most of the expense has been for experts required to unlock data and restore databases damaged by the attack.

by Jennifer Learn-Andes, The Times-Leader / May 26, 2020

(TNS) — While the coronavirus is now front and center, Luzerne County government was battling a different virus on Memorial Day weekend a year ago — a computer cyberattack that also shut down many operations.

“It did a ton of damage in a very small amount of time,” county Information Technology Director Mauro DiMauro said of the cyberattack.

The county has racked up nearly $590,000 in expenses recovering from the cyberattack to date and has submitted those expenses to its cyberinsurance carrier, said Chief Solicitor Romilda Crocamo. She said the county has been working with the carrier and has received no indication any of its requests will be challenged or denied.

Most of the expense has been for experts required to unlock data and restore databases damaged by the attack, officials said.

The shutdown temporarily cut off worker and public access to records in some offices and required staffers to manually process paperwork.

Crocamo stressed no sensitive or confidential information was obtained or breached by hackers.

The most severe damage was to the county’s massive tax assessment database, which tracks the descriptions, ownership and other details about 168,000 real estate parcels countywide.

County Assessment Director Kristin Montgomery, who was hired in December, said some information on properties from 2018 and early 2019 will be lost forever due to the hack.

However, the office now has an activated system that is being maintained and kept current as changes are made to properties, Montgomery said. Workers also have access to information in a secondary system that will be merged with the live one this fall, she said.

Because office workers have been unable to perform measurements and other on-site work at properties for safety reasons during the coronavirus pandemic, they have been using the time to catch up on entering backlogged data and obtaining property photographs and other information to fill in some blanks from 2018 and early 2019, she said.

Infiltration source

DiMauro and other county officials said they never verified how the virus got into the county’s system, although an infected email attachment has been raised as a possibility.

County computer network monitoring systems started issuing warnings about unusual virus activity on Saturday afternoon during the holiday weekend, prompting the administration to shut down impacted systems to prevent it from spreading.

But DiMauro said there are indications the virus infiltrated the county as early as February and remained dormant as it gradually collected credentials allowing it to access more county servers.

When the virus was activated to attack on Memorial Day weekend, no message was ever sent to the county attempting to obtain a payment, or ransom, in exchange for the unlocking of data, DiMauro said.

Still, the virus behaved in a way that appeared to be ransomware, or malicious software intended to extract payment, DiMauro said.

“I can’t verify this, but my personal guess is that it was intended to be ransomware, but somebody hit go before they filled out a note or something to get payment to them,” he theorized. “Maybe they just wanted to disrupt government. We don’t really know.”

Beefed up

The anniversary of the cyberattack has been in DiMauro’s thoughts.

“When we were going through the recovery, we thought it would never end. Now here we are a year later with a lot more security measures in place,” he said.

More security software has been added, which means more incoming communications are blocked and logged for the county IT department to review.

“We’ve been upping our game, and that has created a lot more work for us,” he said.

Every system also is backed up at least daily and in some cases as often as every 15 minutes, he said. The back-up occurs in a location outside Wilkes-Barre as an added precaution, he said.

All workers must now undergo training on how to spot and handle malicious emails, including those disguised as professional-sounding and legitimate communications. DiMauro said employees have been paying attention and heeding the instruction.

“We feel we have a good handle on the most vulnerable point of entry, which is the user,” he said.

If something slips through, DiMauro said, the security software and screening by his department are providing a “strong defense.”

Constant threat

Attempted attacks on the county are “constant,” DiMauro said, noting many government entities are facing a similar challenge.

Hackers are always coming up with new technology, and he’s seeing more approaches using the names of real employees or terminology associated with county government instead of generic language.

“They’re very specifically targeting Luzerne County,” he said. “There’s somebody somewhere trying to customize and personalize the attack instead of bots just trying to get in.”

As more entities increase their back-up so they don’t have to pay a ransom, hackers have increasingly turned to a technique of extracting and sorting through data seeking personal or sensitive information, threatening to publicly release it if they are not paid, DiMauro said.

“I know that’s out there, but we haven’t seen that attempting to get through our firewalls yet,” he said.

Malicious emails using the coronavirus and COVID-19 have skyrocketed during the pandemic, he said. Some are coming from companies or agencies that have been hacked amid decreased vigilance due to coronavirus-related shutdowns, he said.

The pandemic also has DiMauro’s department scrambling to accommodate remote working and virtual meetings, and the office will play a key role assisting with the tabulating of an unprecedented volume of mail-in ballots in the June 2 primary, he said.

“We haven’t had much of a break in the last year,” said DiMauro, who has a staff of six and one vacancy.

County Manager C. David Pedri credited DiMauro and his staff for their hard work responding to the cyberattack.

“They worked 20-hour days for weeks at a time without overtime to get us up and running,” Pedri said. “Most importantly, we faced the issue and now have emerged on the other side of it stronger than we were before.”

©2020 The Times Leader (Wilkes-Barre, Pa.) Distributed by Tribune Content Agency, LLC.
