[BreachExchange] Delco details cyber attack, admits paying ransom

Destry Winant destry at riskbasedsecurity.com
Tue Jan 12 10:36:35 EST 2021


https://www.delcotimes.com/news/delco-details-cyber-attack-admits-paying-ransom/article_ad004688-5131-11eb-b7de-9718a8745797.html

MEDIA — Delaware County Chief Information Officer Frank Bilotta
updated county council during its regular meeting Wednesday night on a
cybersecurity breach earlier this year.

And, for the first time, officials admitted the county paid a ransom
to have service restored.

“The initial attack occurred in the form of a phishing email to a
county employee from an external threat actor received on Sept. 10,
2020,” Bilotta said. “The email contained malware that was downloaded,
and once in the system captured credentials and infiltrated the
network. During the period between Sept. 10, 2020 and Nov. 21, 2020,
the threat actor was most likely stealing credentials, identifying
sensitive data, and exfiltrating the information from the county’s
operating environment.”

Bilotta, who began his employment with the county a few days earlier to
deal with the threat, said the hacker activated a ransomware
application sometime between Sept. 10 and Nov. 21, when it was
detected by a member of the county’s Information Technology staff.
That staff member notified senior leadership and disconnected all
servers and computers, Bilotta said.

The county’s elected officials were made aware of the intrusion, as
was the Department of Homeland Security and the county’s insurance
agent, which provided contacts for a cyber-forensics team and outside
legal counsel with expertise in cybersecurity.

“Working with these resources, the county’s IT staff began claiming
back the system environment and credentials,” said Bilotta. “The team
installed software to protect each computer and to stop the threat
actor from communicating into or out from the environment. The focus
at this point was to contain the intrusion while evaluating the status
of data back-ups.”

Bilotta said the hacker made it known fairly early on that their
intent was to hold the county’s system for ransom, with a threat to
release data like personal identifying information should their
demands not be met.

It was previously reported that the sum sought was $500,000, but
Delaware County spokeswoman Adrienne Marofsky did not confirm that
figure Wednesday because it remains an ongoing investigation.

Delaware County Executive Director Howard Lazarus recommended that
council pay the ransom because working with the hacker would allow for
faster system restoration and prevent information from being
published. The county was insured for such acts and the deductible
would only be $25,000.

“Upon payment of the ransom, the threat actor provided the decryption
tool necessary to unlock the county’s systems, a list of the files
that were exfiltrated, and a general description of how the
cyberattack commenced,” said Bilotta.

Bilotta said all county systems have since been restored and IT staff
is pursuing various initiatives to build a more secure network in the
future. These include rebuilding server infrastructure, updating
operating systems and applying security patches, and removing
vulnerabilities identified by outside support agencies.

Bilotta said these actions would require continued use of outside
resources, including the cybersecurity firm, upgrading security
software, and engaging a third party project manager to supplement
existing staff.

To that end, council approved a $254,400 one-year contract with cyber
security firm Kroll Inc., paid for out of the general fund, and a
$150,000 professional services agreement with Judge Inc. to oversee
Kroll and manage other potential technology and security projects,
which will come from the IT budget.

Bilotta said the county should also pursue additional measures, such
as moving data storage to a more secure, off-site location;
continually evaluating back-up systems; ensuring all security
applications are systematically upgraded across the network; and
providing for cyclic upgrades to old software and hardware through the
Capital Improvement Program.

Council and Lazarus thanked Bilotta and IT staff for their work on the
issue, as well as the county Controller’s Office for continuing to put
out payroll and pay vendors during the attack. Councilwoman Christine
Reuther said council decided it could not put those payments at risk
in deciding to pay the ransom.

Council Chairman Brian Zidek also addressed concerns council had about
acquiescing to the hacker’s demands, such as what the costs might be
and what kind of message paying the ransom might send.

“I, for one, don’t welcome the idea of paying a ransom to anybody, but
we also have to balance that with the costs to the county if we didn’t
pay the ransom, and those costs were going to be significant both in
terms of manpower and womenpower and downtime for all departments,” he
said. “It’s tough to measure the economic consequence of that, but I
know that it would have been a profoundly – even more profoundly –
disturbing incident had we not taken the action that we had taken.”

Councilman Kevin Madden indicated council had inherited a “shell” of
IT infrastructure and applauded Bilotta and his team for working to
rectify that as quickly as possible.

“I think one might look at this and say, ‘Great! This only cost the
county $25,000!’ but how do we make sure it doesn’t happen again?”
asked Madden. “That’s really what our emphasis is on now.”

