After cyberattack, stolen Chatham County data and sensitive documents posted online

This story originally was published in The Chatham News + Record.

Sensitive data files stolen following Chatham County’s Oct. 28 governmental cyberattack have been posted online by a ransomware group, The Chatham News + Record has learned.

The files include personnel records of some county employees, medical evaluations of children who are the subjects of neglect cases, eviction notices and documents related to ongoing investigations within the Chatham County Sheriff’s Office.

The News + Record obtained access to websites containing the digital files using information provided by a source on the condition of anonymity. County officials later confirmed to The News + Record that sensitive data had been released by the ransomware group known as DoppelPaymer. The international criminal organization has carried out similar attacks on government and health care organizations worldwide, typically asking the victims to pay ransom or risk the release of sensitive information.

DoppelPaymer uploaded at least two batches of Chatham County’s data on both the Dark Web — encrypted online sites not found via conventional search engines — and the “light web,” making them accessible via certain search criteria.

A post on the DoppelPaymer site gives the URL for the county’s website and a one-sentence history of Chatham County. “The county was named for the Earl of Chatham in England, who was William Pitt … now you know how Pittsboro got its name.” It also provides links to “example files” uploaded to the site as a result of the theft. The file links contain names such as “deceased,” “insurance,” “Sheriff,” “Finance,” “other” and “HR.”

The folders under the link labeled “Sheriff” include folders labeled applications, benefits, disciplinary documents, personnel actions, employee evaluations and more.

The first data upload was made Nov. 4, a week after Chatham County officials announced the breach; it contained “mostly innocuous” files, Chatham County Manager Dan LaMontagne told The News + Record on Monday, including files that fall under North Carolina’s public records laws.

But a second upload in late January contained more sensitive data, according to screenshots obtained by the newspaper and confirmed by LaMontagne. The page containing the files has been viewed more than 30,000 times, according to a counter on the site.

LaMontagne plans to release a report about the incident at the Chatham County Board of Commissioners’ regular meeting on Monday, as well as to the public.

But on Tuesday, he acknowledged the county is working to address the issue of the public posting of files.

“Chatham County staff has been engaged with staff from the N.C. Department of Health & Human Services (DHHS) and the N.C. Attorney General’s Office (AG) to ensure we meet the reporting requirements as it relates to protected health information (PHI) and/or personally identifiable information (PII) data,” LaMontagne told the News + Record.

“We will continue to engage in these conversations with our cyber insurance attorney(s), DHHS and the AG to ensure we respond in the most appropriate manner possible as it relates to the data accessed from our network during the event.”

LaMontagne said the county is going through the files to learn whose personal information or health information may have been exposed.

“Those individuals will be notified of the situation and a call center will be available to those individuals for questions,” he said.

LaMontagne would not comment on the specifics of a ransom or ransom amount, but said more information would be available in his report to commissioners.

“You’ve seen similar situations in other places,” he said. “It’ll be shared on the 15th exactly what it was.”

Ransomware is the deployment of malicious software — often through an email attachment opened by an unsuspecting recipient — to infect and lock computer networks or files until a ransom is paid. Upon payment, the victimized entity typically receives a decryption key to unlock its data. Those who don’t pay risk having sensitive information published, as happened in Chatham County’s case.

An accelerating trend

Chatham County’s network security breach is not an anomaly, said Brett Callow, a threat analyst at Emsisoft, in an interview with The News + Record. Emsisoft creates software to protect clients from malicious websites and malware.

In October, a computer hacker hijacked government networks in Hall County, Ga. When county officials refused to pay ransom, the hacker released election-related files online and escalated demands.

That same month, a cyberattack derailed operations at the University of Vermont’s medical center. Most hospital services shut down, and stayed down for weeks.

In March, Durham County’s government was blindsided by a malware attack. It was the second time in four years that the county’s network behaved suspiciously, the first coming on Election Day in 2016.

Each attack confirmed a troubling pattern: Cyber “incidents” are becoming commonplace in local governments, which make easy pickings for cyber criminals.

“Serious barriers to their practice of cybersecurity include a lack of cybersecurity preparedness within these governments,” according to a 2019 study by the University of Maryland, Baltimore County, which Callow references on Emsisoft’s website. “Local governments as a whole do a poor job of managing their cybersecurity.”

The study cites data from a nationwide survey of local governments that had succumbed to cyberattacks. Almost two-thirds didn’t know how their networks were breached, and few had prevention systems in place to deter criminals.

In most ransomware cases, files obtained by hackers are posted online after the victim entity refuses to pay a ransom. For those breached, Callow estimates that 25% to 33% pay the ransom.

He said a well-designed computer network is segmented.

“In simple terms, that’s like having locks on the interior doors of a building,” Callow said. “It makes it much harder for an intruder. So, while somebody may be able to get into Fort Knox and perhaps even steal some toilet paper from a washroom, they’re probably not going to be able to get the gold, let alone walk away with it.”

He said studies and audits have demonstrated that local governments practice cybersecurity poorly. He cited a report issued by the State Auditor of Mississippi in October 2019 that stated there was a “disregard for cybersecurity in state government,” and that “many state entities are operating like state and federal cybersecurity laws do not apply to them.”

The audit identified problems including not having a security policy plan or disaster recovery plan in place; not performing legally mandated risk assessments; and not encrypting sensitive information.

“To be clear, that’s not necessarily entirely their fault,” Callow said. “Local government insecurity is, at least in part, likely due to a lack of funding. They practice security poorly because they don’t have the budgets to practice it better. And this is why more than 200 local governments have been impacted by ransomware in the last two years. It’s a big problem and, unfortunately, one that is only likely to get worse unless strong action is taken.”

Emsisoft’s own survey of cyberattacks estimated that at least 2,354 US governments, healthcare facilities and schools were impacted by cyber events in 2020, including 113 federal, state and municipal governments and agencies. The company estimated the cost of those attacks on governments at $915 million.

Chatham working on recovery

Even before the worst of the stolen files came to light, the damage was daunting enough, but LaMontagne said the county is “pretty close” to a full recovery.

Despite previously discussing the possibility of a security breach, the county never could have anticipated one to this extent, or the work it would take to recover, LaMontagne said.

Now, the hard drives of nearly all of the county’s desktop and laptop computers — more than 500 of them — are functional again. Phones and voicemail are working again, too. Employees, who improvised for weeks with hastily created Gmail addresses and worked from their own personal computers, tablets and cell phones, have working email accounts using the county’s new “chathamcountync.gov” domain.

Servers have been rebuilt. Fewer work tasks are being performed by hand or using what LaMontagne described as “’80s technology.”

The source of the breach, LaMontagne told the News + Record, wasn’t “super-secret” information. He just wanted the commissioners to hear it first.

LaMontagne said he would not discuss what security measures are being taken to prevent future breaches.

LaMontagne said his staff persevered throughout the last few months in extraordinary circumstances.

“That’s why I said our ‘Employee of the Year’ was every single, solitary employee we have,” he said. “You can’t pick one. There’s too many good people. And everybody went through a lot of tough things. Each individual, each individual department and each individual employee in those departments just stepped up in the way they needed to, and has been through a lot of adversity with the pandemic and this event. It’s been a big challenge.”

Callow and other experts said the only answer to ransomware is simple: Never pay the ransom.

“It’s always the wrong decision,” he said. “It simply incentivizes the criminals and in no way guarantees that you will get your data back. The only way to stop this is to make it unprofitable. It’s going to continue to be a problem as long as it’s profitable.”