OKANOGAN COUNTY – System administrators for the county’s Central Services were alerted to an attack or intrusion at around 2 a.m. on Saturday, January 16th. The situation was determined to be beyond the county IT employees’ knowledge and experience, and outside the scope they normally work within. All county systems were therefore immediately shut down over that weekend to halt the progress of the attack and preserve data.
According to Okanogan County HR director and Risk Manager Tanya Craig, the county pays for cyber-insurance coverage, a specialty insurance product which may provide coverage against losses such as data destruction, extortion, theft, hacking, and denial of service attacks, as well as related liability for such attacks. She says that, as part of the county’s coverage, the insurance company immediately sent a forensic investigation team with the requisite skills to help the local technicians investigate and recover from the attack.
Since about Monday the 18th, a forensic discovery program provided by the insurance company’s team has been running on the county’s systems, looking for and preserving details of the attack. It is still running at this time.
It is still too early to determine whether the attack was a “ransomware” type attack, which seeks to encrypt files and deny access to them until a ransom payment is made to the attacker for the unlock key. Last month, the city of Ellensburg, WA fell victim to such an attack, which rendered most city data and network drives inaccessible, paralyzing all city departments for the duration.
Currently, about 85% of the county’s systems are back online and running. County systems include 356 office computers, 48 servers, and 200 laptops. The county government telephone system is VoIP-based and hence runs on internal servers and communicates via the county network, which is why it also went down when all internal systems were shut down.
So far, Craig says there haven’t been signs of corruption or damage to the county’s files and data. Checking and confirming data will continue as the investigation proceeds.
At this stage, hands-on work is still proceeding to reset login credentials and restore county employee access to various third-party service providers, who have already been notified of the attack. Those service providers temporarily shut off county users’ access to their own systems as a precaution.
A report will be issued with the details that are discovered at the end of the investigation.