Methow Valley News

Locally grown, internationally known

County beefs up IT security after cyber assault

May 26, 2021 by Marcy Stamper

No evidence that mysterious hacks used maliciously

After a devastating cyber attack that paralyzed the county government for several days in January and took three weeks to completely remediate, Okanogan County is running 24/7 defensive security protection that flags any unusual network activity.

The cyber attack temporarily corrupted files on all the county’s computers and servers. Through its risk insurer, the county worked with the cyber-security firm Arete, which undertook full-scale decryption to restore the system and files, Okanogan County Central Services Director Karen Beatty said.

The county paid nothing for the remediation and investigation into the attack, since it was completely covered by its risk insurance, Beatty said.

Arete used technology called SentinelOne to resolve the attack and scan for further problems. The county doesn’t know if Arete identified the “threat actors” who hacked into the system, nor if they learned where the attackers were based. The insurance company didn’t pay any ransom to resolve the problems, Beatty said.

The county didn’t receive a formal written report of the investigation because the cyber firm worked with the risk-pool attorneys, meaning that much of the information fell under attorney/client privilege, Okanogan County Risk Manager Tanya Craig said. “They were adamant that they can’t discuss every detail,” she said.

Court cases opened

Beyond the corrupted files, the investigators detected that the attackers had opened some old District Court cases — going back as far as the 1990s — but not altered or compromised them in any way, Craig said. The county sent letters to the last-known address on the cases to notify people of the attack, but hasn’t heard from any of the individuals involved, Craig said.

In addition to the court cases, investigators found that some documents from the county’s Department of Public Works had been opened, including correspondence from the county commissioners directing Public Works to report on a road, Craig said.

Arete said there was no reason to believe that any of the information in the opened files had been used in a malicious way, and nothing was extracted or taken, Craig said. There was no pattern to the documents that had been opened, and the security firm wasn’t able to determine a motive, she said.

While the county had been using regular virus protection, it wasn’t adequate to present-day threats, Craig said. They don’t know how the attackers breached the county’s system. “It was busy, busy, busy here in Central Services. It’s any IT Department’s nightmare,” Beatty said.

The county is now using SentinelOne’s protection on every computer and server to monitor all activity, on top of ordinary virus protection, Craig said. SentinelOne learns “normal” patterns and notifies the county about any activity that seems suspicious. The county can exempt file formats that SentinelOne deems questionable but that are used regularly in county business.

The county signed a three-year contract with SentinelOne for the security service for $56,000. The program also performs nightly back-ups that will be stored on a system that’s separate from the county’s computer servers.

Training to spot attacks

The risk-pool insurer has also authorized training for county employees using KnowBe4, which sends fake, harmless phishing emails so employees learn to recognize suspicious activity. While the emails may appear to be from a trusted person, they could contain malicious attachments or links, and the training will give people techniques to determine if the sender may have been hacked or is otherwise not legitimate, Beatty said.

If someone clicks on a link or downloads an attachment in one of the training emails, KnowBe4 sends a note informing them that they have just “infected” the county’s computer system, and provides instructions about how to be more careful.

The KnowBe4 training hasn’t started yet because it may be combined with training for other counties covered by the risk pool, which could make it more economical, Beatty said.

“We were down about a week. That’s a long time for government. We learned important lessons. It could have been a lot worse,” Craig said.

Filed Under: NEWS


© 2022 · Methow Valley News