The "spear phishing" attack began about 9:55 a.m. Tuesday and was fully defeated by 11:15 a.m., County Administrator Nate Alger told commissioners Wednesday morning at the county board meeting.
"The email was a very unique kind of attack because of the way it was customized for the recipient," said Cliff DuPuy, director of information technology.
"For example, an email sent to the sheriff referenced a crime suspect in a drug case," he explained. "An email sent to a judge mentioned a [court] case number. Our county treasurer got an email asking for a hardship exemption, probably relating to overdue property taxes."
County IT teams were able to determine that the malicious emails originated from the same external server at a web address using the ".me" extension.
"They were trying to get a person's credentials — login and password information — so they could log into our network," DuPuy said. "We received more than 100 of those emails in the course of about 15 minutes."
The attack was halted by a cybersecurity software package the county board authorized on Oct. 5, 2022, at a cost of $57,600 to protect the hundreds of PCs, servers and mobile devices used by the county's 500-plus employees.
That software marks incoming messages to alert users that they may contain malicious content. It also strips away URLs (website addresses) that may be suspicious or harmful.
Today, the county IT department manages more than 1,500 "information assets" across 17 locations and 28 operating departments.
Protecting access to databases and internal files is just one part of DuPuy's job. His 12-person IT team also manages specialized software programs that run daily operations — from accounting and scheduling to health services and courts.
What is spear phishing?
A spear phishing attack is an attempt to acquire sensitive information or access to a computer system by sending counterfeit messages that appear to be legitimate, often targeting a specific person or group, according to an email statement from the Office of the Director of National Intelligence.
Such attacks often include information known to be of interest to the target, such as current events, legal cases or financial documents.
"Like other social engineering attacks, spear phishing takes advantage of our most basic human traits, such as a desire to be helpful, provide a positive response to those in authority, a desire to respond positively to someone who shares similar tastes or views, or simple curiosity about contemporary news and events," said the statement.
"These messages are delivered via e-mail and are designed to convince the user to open a malicious link or attachment, exposing the target to malicious software," they added.
Missouri county attacked
Jackson County, Missouri, experienced a similar attack Tuesday, forcing the county government to close several departments, including systems that handle tax payments, marriage licenses, property data and inmate searches at the county's detention center.
That attack escalated into a more serious problem called "ransomware," according to a report in the Kansas City Star. In response to the attack, Jackson County Executive Frank White, Jr. issued an executive order declaring a state of emergency.
Ransomware is a type of computer malware which prevents a user (or organization) from accessing data stored on a device, usually by encrypting those files. Criminals then demand ransom payments in exchange for decrypting the data. In some cases, the computer itself may become locked and the data may be stolen or deleted.
Officials from the FBI, federal Department of Homeland Security, Missouri Highway Patrol and county sheriff's office were assisting in the investigation.
Counties team up
Defending against cyberattacks requires more than just up-to-date software, officials said. It also takes teamwork, employee training and coordination.
That's why county leaders across America are joining forces to strengthen their defenses against cybercrime and share best practices.
At the center of that effort is Rita Reynolds, chief information officer for the National Association of Counties in Washington, D.C. Her organization serves nearly 40,000 elected county officials and 3.6 million county employees.
"Every fall, we survey about 1,100 county IT leaders and ask them what their top tech priorities are for the coming year," Reynolds said. "The No. 1 priority now is information security."
About 91 percent of cyberattacks start with an email, she said. One way to fight against those deceptive messages is through end user testing.
Several companies offer specialized software tools that send "simulated" malicious emails to employees to test their level of understanding and resistance to scams.
"We encourage counties to test all of their employees regularly, and not just newer employees but also those who fail the tests," Reynolds said. "As these attacks evolve in their sophistication, we must also evolve in our response to them."
Because of the heightened threat level, NAC now offers specialized online training for county leaders that simulates various cybercrime scenarios. Using feedback from that training, county officials can determine if their existing IT platforms are sufficiently prepared.
Overall, the single best practice for defending against cybercrime is the use of "multi-factor authentication" by all county employees, Reynolds explained.
MFA is a multi-step account login process that requires more than just one password.
For example, a user might be asked to enter an additional temporary code number sent to them via email or text. They might be required to answer a secret question or even scan a fingerprint.
Going a step further for his own personal protection, DuPuy says he doesn't use social media at all.
"Social media opens up individuals and families to cyber threats in a different way," he said. "I urge everyone to be mindful of what their family members are doing online. Use multi-factor authentication and more complex passwords. Monitor what's going on with those devices."
Beyond 'script kiddies'
In the past, many online threats were developed by so-called "script kiddies" — amateur hackers who try to gain access to a computer system or network by using programs (scripts) that others have written.
Today, most cyber criminals are far more advanced, according to federal law enforcement studies.
"Now we're facing entire organizations of criminals, sometimes backed by a national government or regime," DuPuy said. "They can be incredibly sophisticated."
Even worse, cyber criminals are now using artificial intelligence tools to generate email messages that are carefully customized for each target user, Reynolds explained.
These AI systems sweep up data related to a particular person or job, then use it to make an email seem authentic, as happened during Tuesday's attack on Grand Traverse County.
The use of AI for criminal purposes is likely to increase over time, she said.
"We really have to work together with the FBI and other agencies to keep ahead of the threat."
New security officer
At Wednesday's county board meeting, commissioners approved a motion to put an unarmed security officer at the entrance to the governmental center. The cost will be shared with Traverse City government, which also occupies the building at 400 Boardman Ave.
Commissioner Scott Sieffert was the sole vote against the new position, saying "there may be better options" than having an unarmed guard near the building's front door.
"Without door locks or passcodes, it will be 30 seconds before he hits the ground ... and then the next person hitting the ground," Sieffert said. "I don't think it's going to help."
T.J. Andrews, who represents District 7, said adding a security officer was a good first step.
"We do owe our staff a safe work environment. There is more we should do and this is not enough, but it's not a waste of money."
Vice Chair Brad Jewett concurred, saying "this is not a final answer but it's definitely a step in the right direction."
The next regular meeting of the Grand Traverse County commission is scheduled for Wednesday, April 17, at 9 a.m. in the governmental center at 400 Boardman Ave. in downtown Traverse City.
© 2024 The Record-Eagle (Traverse City, Mich.). Distributed by Tribune Content Agency, LLC.