In Monday’s meeting, the Clarke County Board of Supervisors voted to NOT pay the ransom demands of the foreign entity that compromised the 911 communications server last week.
The Federal Bureau of Investigation was called in to investigate after the Clarke County 911 Communications server was compromised on July 12. All information stored on the server from the past eight years was encrypted and wiped clean.
According to Sheriff Todd Kemp, the FBI arrived July 15 to investigate the 911 server being encrypted, along with a ransom website requesting $10,000 within seven days to get the information back. If the money was not paid within seven days, the ransom would increase to $20,000.
Sheriff Kemp requested an emergency meeting with the Board of Supervisors on July 15 to discuss the matter at hand.
“I reached out to the attorney general’s office,” said Sheriff Kemp. “The attorney general referred me to the FBI cybercrime unit. They (the FBI) examined the servers this morning and the servers were compromised by a foreign entity. I’m not at liberty to say exactly what it is.”
Sheriff Kemp also expressed concern to the supervisors after a miscommunication. A deputy was sent to the courthouse to retrieve and secure the computer servers until the FBI could arrive to investigate, and was met with opposition.
“We came to get the servers Monday, and individuals with a company that you do business with tried to hide that information from us,” said Kemp to the Supervisors. “They took it (the hardware) out to a van and refused to give it to us. I’ve got a problem with that. I was asked to do a job. My job is to ensure the safety and integrity of the people of this county, and that is what I’m going to do. I will not be questioned about that. The information that is compromised belongs to the people of this county. There are 911 calls; that’s evidence. So it’s my job to ensure this information doesn’t get into foreign hands. That’s why I called this meeting.”
Board President Lorenzo Carter stated he was out of town when all this happened.
“In the beginning, I wasn’t aware of what was going on,” said Carter. “When I was contacted about what to do and what to tell them (ComSouth), I asked the county administrator, Elisa Mayo, to take care of it and communicate with them, and she did that. At that point, I’m out of the loop. Being the president, I didn’t know what was going on. I wasn’t contacted. So that’s maybe why some of what happened was a misunderstanding – a lack of communication. Elisa asked me what to do and I told her let’s go ahead and make sure everything is safe and secure.”
Greg Tate with ComSouth stated to the board in the emergency meeting on July 15 that they were in the process of replacing the hard drives to get them going again. “Had we known anything about an FBI investigation, we wouldn’t have touched it,” said Tate. “That’s why we moved them out, to take them to our shop and replace the hard drives.”
Scott Evans, Information Technology Coordinator contracted with the county, assured the board that the 911 server was the only one compromised. According to Evans, two companies have access to the servers: EForce, which provides the computer-aided dispatch software, and ComSouth, which maintains the hardware.
“What we know is that one of two accounts were compromised,” stated Evans. “We don’t know if ComSouth’s or EForce’s credentials were compromised. Normally someone hacks or cracks the password or either buys it on the dark web. They gain access to the server, download what they want and cover their tracks, then they execute the virus.”
“In this case, antivirus or anti-spyware would not have stopped what happened to the CAD server,” said Evans. “The FBI investigation of the server on Wednesday morning revealed that the attackers gained access to the server via bought login credentials from the dark web. That is a part of the internet that most people never see, and aren't aware exists. It is yet to be determined how the credentials were obtained. The FBI is working on that. The county will also work, to the extent we are allowed, to make sure that these same mistakes are not made with the new 911 Dispatch system.”
Information stored on the server would include eight years of 911 calls, driver’s license information, tag numbers, and any information a 911 dispatcher logged into the system including addresses, phone numbers and possibly social security information.
The paging system for fire departments was also stored on these servers. All fire department pagers were inoperable. Emergency Director Eddie Ivy immediately went to work devising a plan.
“Right now dispatch is paging by radio because pagers are not working,” stated Ivy. “We contacted every chief immediately and they contacted members to monitor their radios and to set up a call list.”
On Monday, the Board of Supervisors opted to not provide any identity theft protection to those whose information was taken. “You can’t prove that that information come from the county or another source,” stated Supervisor Mickey Long. “The source of the information is where they run into problems with the actual legalities of it, proving where the information came from.”
As of Monday’s meeting, the fire paging system is now back up and running. New 911 servers are being reinstalled into the computers. Dispatchers have been recording information with paper and pen since the hack. Supervisors recently accepted an $847,000 bid from ComSouth for new 911 equipment. The county, which oversees 911 operations, is in the process of moving dispatch out of the courthouse to the Clarke County Emergency Management Building and installing the new equipment.
According to Sheriff Kemp, the FBI Cybercrime Unit’s investigation is still ongoing.