North Carolina Continues Recovering from Fall Cyberattack

(TNS) — Chatham County, N.C., is slowly rebounding from a late October cyberattack that shut down most county functions and temporarily cut off public access to services.

But officials still don't know what caused the Oct. 28 attack that disrupted most of the county's computer network, email and office phones, County Manager  Dan LaMontagne  said. The specifics won't be released until an investigation is finished, he said.

The shutdown didn't cause any serious data breaches and didn't affect 911 communications or the county's early voting operations. The Oct. 28 cyberattack came just days before Election Day, while early voting was still occurring.

Like other governments, the county had a plan in place in case of an emergency, Montagne said.

"What would you do if you had to go seven days without any of your technology? How would you function?" he said. "That's nice and all, and it has absolutely nothing to do with reality, because you can't fathom how difficult it is until you really are without."

The county was forced to briefly suspend some services while employees had to turn to manual workarounds and paper records until new equipment and software were in place.

The day the cyberattack hit, staff responded as soon as they learned what was happening, hiring cybersecurity experts and posting new contacts and additional information online, LaMontagne said. Management and Information Systems staff started working with local, state and federal agencies to trace the attack and repair the damage.

The priority became ensuring minimal disruptions to public safety, public health and social services, Montagne said.

Regional and state partners, from Person, Wake and Durham counties to the UNC School of Government, responded by donating spare laptops and offers of help.

"We were getting laptops from everywhere," Montagne said "We had people from libraries drive to other counties to get laptops to bring back to emergency management. We've had people from other departments come to help the finance department enter timesheets, now that our financial software is back up."

Work in progress

Most services, including phones, have been restored, although Montagne said they can't always respond as quickly as they would like without the efficiency of technology. But email and voicemail is still in progress. Employees will have a .gov email domain when it's done, instead of the previous .org domain.

"We haven't heard a whole lot of frustration, but there's some frustration that we're not moving as quickly on things," he said. "But we still are moving. That's our main goal, is that the public is not impacted adversely by this, because this is our problem. It's not their problem."

There is no timeline for when the systems could be fully restored, he said, but there is progress.

Staff started getting new equipment last week, after relying on WiFi hotspots and personal laptops and email accounts for the last month. Human resources and finance staff, who had to pay bills and do payroll by hand for over 550 employees, just got new financial software.

Planning and the Register of Deeds office, which briefly suspended some services, is still rebuilding its online geographic information system after turning to paper records and manual procedures. A vendor provided an off-site system so the inspections staff could keep its busy schedule.

The county beefed up its security software and bought cybersecurity insurance a few years ago, because governments are "constantly under attack," he said.

The county also learned that some of its vendor contracts cover the cost of recovery. One such contract saved them $25,000 when a computer server had to be rebuilt, he said.

"It's just a matter of staying ahead of the bad guys on the technology," he said. "We think we've done pretty good, but the one thing I'm telling all of our IT staff and all of our staff is we will come out of this stronger than we went into it."

Durham malware attack

Chatham was not the only Triangle county to take a cyber hit during the COVID pandemic, which only added to the difficulties, Montagne said.

Durham city and county governments were hit in early March with a malware attack that targeted information technology and operating systems, including the public safety phone network. The local 911 network was not affected, but the attack halted real estate transactions at the Register of Deeds office for a few days and created lingering problems at the Department of Social Services.

The Ryuk malware, which is known to attack local government entities, gained access through an email attachment and spread through computer networks. It affected at least 2,000 computers and workstations and 180 servers across the city and county government networks.

Durham's government also relied on their "continuity of operations" plans in responding to the attack, spokeswoman  Deborah Craig-Ray  said.

"You don't know what's going to happen, but you anticipate something's going to happen, so you try to plan for it," she said. "Obviously, we couldn't have predicted a pandemic and a malware attack running together, but I think we did pretty good."

County government "services are fully functional" now and are no longer negatively affecting county business, Chief Information Officer  Greg Marrow  said Friday in an email. Marrow told county commissioners in October that the county has made changes to its computer and security system since the attack.

The city of Durham also has recovered from the attack, spokeswoman  Beverly Thompson  said in an email Friday.

Orange County government also suffered a cyberattack in March 2019 — its third or fourth ransomware attack in six years, according to  Jim Northrup , county information technology director. The attack infected more than 120 computers and briefly interrupted many services.

The FBI may still be investigating that attack, spokesman  Todd McGee  said in an interview Thursday. Orange County did not lose any data and systems are back to normal now, he said.

"We don't think it was ransomware," McGee said. "We got a ransom note, but we think that was because of the publicity around it. Somebody was trying to take advantage of the situation."

(c)2020 The Herald-Sun (Durham, N.C.). Distributed by Tribune Content Agency, LLC.