A Hall County public safety employee logged in early to his computer about 7 a.m. Oct 7, 2020, and saw something concerning. A message alerted him the county had been the victim of a cyberattack.
Within hours, IT employees were grabbing computers and dumping them into large carts, which were driven to the Emergency Operations Center for wiping. The U.S. Secret Service and Homeland Security were called to work the case.
It was two months, Dec. 15, 2020, to be precise, before the county’s major information technology services were back online and functional.
In the year since then, no arrests appear to have been made. The county has since spent $1.7 million on infrastructure, recovery, security monitoring and overtime. County officials did not pay a ransom, though they would not say what the attackers wanted.
Unanswered questions remain regarding a cyberattack that paralyzed nearly every division in county government for days.
About this story
On Oct. 7, 2020, a cyberattack crippled Hall County government. The Times reported extensively on that incident, which affected every department, and a year following the attack revisited the incident and the many remaining questions about what happened. The Times requested documents about the attack and following investigation, but citing security concerns and open record exclusions in state law, the county declined to comply with that request. After involvement by The Times’ attorney, including correspondence and verbal negotiations, county officials agreed to an interview on the incident.
Citing security concerns and open record exclusions in state law, the county declined to comply with a request from The Times for documents related to the ransomware incident. After involvement by The Times’ attorney, including correspondence and verbal negotiations, county officials agreed to an interview on the incident but declined to release actual copies of documents.
In that sitdown interview this week, county officials offered the most detailed information yet about the attack. Still, they did not say:
How the cyberattack happened and where the breach in the network occurred. Assistant county administrator Zach Propes, who is now serving as the interim financial services director, said they “will never know with 100% certainty” what happened.
What was demanded by the attackers.
What cybersecurity companies have been hired in the year since the attack.
Propes, Hall County spokeswoman Katie Crumley and County Attorney Van Stephens attended the interview with The Times.
Propes said they wanted to be transparent but were also managing “our ability to minimize this from happening again.”
“Depending on what secure information gets released, that helps people in this field (to) potentially hack us again,” he said.
A ‘crippling’ attack
Management Information Systems Director James Thomas, who is now retired, advised disconnecting from the internet soon after the attack. Propes and Assistant County Administrator Marty Nix were among the first notified.
“Within a period of minutes, we went back to 1980, and I think you really realize how dependent you are … on technology to interact,” Propes said.
“He (Thomas) called Marty that morning when he sort of started to come to terms with what was going on, and he said, ‘I never wanted to make this phone call, and I’m having to make this phone call. We’re going to have to take the network down,’” Crumley said of Thomas.
As an added wrinkle, County Administrator Jock Connell was on vacation out West.
The assistant county administrators split up, with Nix keeping contact with Board of Commissioners Chairman Richard Higgins while heading to the Emergency Operations Center. Propes went to the Hall County Government Center and updated the department heads.
Once officials learned that the public safety departments could still function, the real issue became the other government departments — finance, human resources, planning and development, etc. — that are reliant on software programs to function.
By the late morning, the U.S. Secret Service and Homeland Security were contacted.
“It was decided that we would not pay a ransom, that we would recover from our backups,” Propes said.
That meant a county of roughly 1,700 employees would need to have their roughly 2,000 devices wiped by the MIS employees before being redeployed.
The Emergency Operations Center, which is often the command center for a natural disaster such as a tornado or hurricane, was now being used for a man-made disaster.
Propes said the operations center became a “computer factory” with employees working in shifts 24/7 at the start. Some employees would live there, using the operations center’s bunk rooms and restroom facilities.
“One thing that I took away from the event is how much our employees care about providing services to the community,” Propes said.
With a possible threat to public safety under control, county officials turned their focus to public-facing departments such as the tax commissioner’s office, which reopened Oct. 12, 2020.
The office only had the basic software: Microsoft Office suite and a few other items, but no email.
County employees faced additional challenges as they attempted to recover from the cyberattack.
Hurricane Zeta washed out roads during the last week of October 2020.
“We didn’t have our emergency management software available to help manage that event,” Propes said.
The emergency operations center was still filled with people working long hours to wipe the computers, so county officials gathered in a conference room “managing the weather event on pen and paper and using radios and cellphones,” Propes said.
In a word, Crumley called the cyberattack experience “crippling.”
Working to rebuild
On Dec. 15, 2020, the county declared that “all major information technology services have been brought back online and are functional.”
Since the attack, Propes said they have invested in employee training on these issues and additional infrastructure for preventing repeat cyberattacks.
Multiple antivirus software programs are scanning the network, and a security firm is providing 24/7 monitoring, Propes said.
“Honestly, at the end of the day, I know for a fact that we are better and we’re more educated regarding cybersecurity than we’ve ever been,” Propes said.
The county provided a limited breakdown of the $1.7 million in costs following the cyberattack:
$1,134,197 for “infrastructure”
$478,128 for “recovery”
$85,222 for “security monitoring”
$30,590 for overtime
Propes and county officials declined to provide further information on the companies that have been paid as well as the additional infrastructure investments.
Months were spent recovering documents to rebuild records in judicial and financial services.
In the Hall County courthouse, documents filed between June 2019 and October 2020 were temporarily unavailable in the Comprehensive Justice Information System following the attack.
Court employees worked to rescan the documents, court administrator Jason Stephenson previously told The Times.
To Propes’ knowledge, all documents have been recovered.
“All of the files were there, but how we searched for the files and indexed the files was what was compromised in that situation,” Propes said.
Still, no one has been held responsible for the attack.
Propes said he did not know the status of investigations by the U.S. Secret Service and Homeland Security. To Propes’ knowledge, no one has been charged related to the attack.
The U.S. Secret Service and Homeland Security did not return messages from The Times regarding the status of their investigation.
A legal shield
A bill introduced and passed during the last legislative session allowed certain information about cybersecurity plans to be discussed in executive sessions instead of public meetings.
House Bill 134 provided an exemption for “meetings when discussing or deliberating upon cybersecurity plans, procedures, and contracts regarding the provision of cybersecurity services.”
The bill also exempted disclosing records that include “any document or plan for protection relating to the existence, nature, location, or function of cybersecurity devices, programs, or systems designed to protect” against these cyberattacks.
The Hall County Board of Commissioners sent a letter Dec. 2, 2020, to the Hall legislative delegation regarding certain issues the board “would like the Georgia General Assembly to address during the 2021 session.”
Below broadband deployment, election issues, annexation and short-term rental regulation, the commissioners wrote this regarding cybersecurity:
“As you may be aware, Hall County Government experienced a cyberattack in October 2020, significantly crippling operations countywide. Legislation allowing local boards of commissioners to discuss cybersecurity issues in executive session rather than during an open meeting could potentially protect other governments from experiencing what our organization experienced.”
Reps. Lee Hawkins and Matt Dubnik, R-Gainesville, were sponsors of the bill.
Hawkins said Hall and other local governments had been affected by cyberattacks prior to the legislation.
“They (Hall County officials) brought this to our attention right after they were targeted and said, ‘Hey, this is something the legislature might want to look at,’” Dubnik said.
Dubnik said a number of House representatives who are former city council members or county commissioners were supportive of the measure.