Friday, June 21, 2024

City of Granbury computer network hacked


The city of Granbury’s computer network was hacked on July 30, prompting the city to hold an emergency meeting on Aug. 8 to discuss approval of a budget that would fund consulting services to mitigate the impact of the attack.

“The initial infection started from something being clicked that activated the malicious software. That software used that user’s credentials to traverse the network. Anywhere that user logged into previously automatically infected those machines because the hacker had the credentials. Because that user was logged into our NetMotion system, it allowed that to travel from the police department side to city side,” Director of IT Services for the City of Granbury and Patrol Officer Chris Collins said during the meeting. “Immediately, I identified it as being something of malicious nature and disconnected those systems that the user had logged into.”

Collins and his staff investigated further, and after eight hours the team was able to contain the activity. On Monday and Tuesday of last week, systems that had been powered off were powered on, which caused the same type of activity to occur, but it was contained.

After those containments, new suspicious activity began to occur on Aug. 7 at around 2 a.m.

“What was concerning about this activity is that they were using native communications that run normal processes in the Windows environment, so this would not be detected by your traditional security measures,” he said.

Collins then instructed the team to power down the servers that they had previously restored to prevent further infection.

In order for Collins and his team to use their insurance for these types of situations, they have to use a third-party response organization, which is what the money requested would be used for.

“Due to this incident, obviously our tool needs to be augmented and that’s why I initiated the IRP engage in a third-party vendor,” Collins said. “So, prior to me taking this position last July, I did request the city provide a full vulnerability scan of our network and it identified vulnerabilities within our network and the majority of those vulnerabilities were attributed to lack of patching, lack of updating of equipment and so since I’ve taken this position and brought Buchanan, one of the biggest gaps was lack of patching of systems and endpoint management. We were able to do the initial containment because of some of the tools that were in play. However, a lot of the inherent legacy system configurations can’t automatically be changed without user impact. We are slowly working through the network and working through systems that we could, to update.”

Collins also noted that the previous network provider told the city that they were segmenting the network, but he said that had never happened. Network segmentation divides a network into parts to improve security.

“Because our network is not segmented, it spread a lot quicker than it should,” Collins added. “They replaced switches that were end of life, with layer two switches which don’t have security built into them. The switches that I purchased which I hadn’t been able to deploy yet had layer three capability where you could set up segmentation. I signed a contract before this incident to start that implementation, but with everything going on, starting one step at a time, that’s how my department has been trying to keep city services going while implementing the security. It’s a lot harder to implement security after without interrupting operations.”

Collins and his team are trying to determine whether the initial attack on July 30 and the second on Aug. 7 were carried out by the same hacker.

As of Aug. 7, Collins and his team executed the contract with the third-party response team, and they began remediation.

Collins requested funding from the city to fund the services to partner with the third-party response team as well as a Cyber Specialist Attorney at an estimated cost of around $300,000. The attorney required a flat fee of $15,000 with the remaining amount going towards the response team.

The city approved the budget with a 5-0 vote and will utilize its general fund balance. The city believes that the $300,000 will not be fully needed and expects to be reimbursed if the damage isn’t worse than what is seen at this time. By taking this action the city hopes to restore the city’s network sooner rather than later.

At this time there is no evidence of personal data of city customers being compromised.

The city noted that residents who use the online utility bill payment system may find it difficult to pay their bills online, so city utility customers with bills due on Aug. 5, 2023, will not be charged a late fee, no matter how they pay. The payment due date has been extended. No service will be disconnected at this time.

Payment by mail, in person and over the phone is available. Mail a check to: Utility Billing Payment, 116 W Bridge Street, Granbury, TX 76048. Visit Granbury City Hall, 116 W Bridge Street: Use the green drive-through box (checks only; no cash, please) or pay inside the building during regular business hours, or pay by phone at 682-205-1731.

For more information, visit city hall or call during business hours, Monday through Thursday from 7:30 a.m. to 5:30 p.m. and Fridays from 8 a.m. to 5 p.m.