Perrysburg Township computers hacked

LIME CITY — The Perrysburg Township administration computer server was a victim of computer hackers who
attacked Microsoft Exchange servers with the “Hafnium Exploit.”
“Basically we were attacked because we’re a government agency,” said Walt Celley, township administrator.
“That’s what they usually do. They go after government agencies, financial institutions, but they’re
more into hacking the defense department, not us, necessarily. They are trying to hack defense
contractors, but they’re out there looking for government IPs and email addresses.”
Celley reported on the hack at Wednesday’s trustees meeting, relaying information from a computer
forensic researcher who is working with the township’s insurance company.
He said that the township was not the likely entity the hackers were searching for.
“We were affected, but he said there was a very low probability that anyone took anything or left
anything else, because they just didn’t have any time, because it was closed so quickly. The thing’s
cleaned off, and probably if they looked at ours, they wouldn’t be very interested in our email anyway,”
Celley said.
Perry ProTech applied a patch to the system on March 9.
“We continued to have incidents over the weekend. Perry ProTech worked all weekend on this. They’ve been
working nights and days, pretty much around the clock. They’ve been doing a good job for us. They really
got on it quick. They stopped it,” Celley said.
The data that could have been accessed was entirely public record and the server is not used for
confidential purposes, he said.
He also spoke on the scope of the problem, which affected computer servers worldwide.
“When they find a flaw like this, (hackers) attack machines around the world, hundreds of thousands of
them. They don’t have very long to do it, because Microsoft, usually, very quickly reacts and patches
the holes,” Celley said.
Microsoft and their cybersecurity firm, Volexity, identified the attack on their software, which was
publicly announced on March 2, and began working with the FBI and the Cybersecurity and Infrastructure
Security Agency. The company released patches for their software on March 3.
Microsoft has indicated that systems have been found with the Hafnium Exploit going back to January.
Celley explained that the hackers create a webshell that allows outside cyber actors to access the
servers remotely. He compared it to someone illegally installing a door into your basement, but it may
or may not be used.
The system was accessed by five different sources on four different dates: Feb. 28, March 2, 3 and 5. Two
systems in New Jersey accessed the system eight times, a system in the Netherlands accessed it twice,
one in Singapore accessed it six times and a system in Columbia did it once.
“Perry ProTech found four webshells and successfully removed them. I’m satisfied with that,” Celley said.

The township does have insurance coverage and a claim has been turned in. The insurance company has hired
a law firm that is working with forensic computer specialists. All three firms are working with Perry
ProTech in follow-up efforts.
“I was on a conference call Sunday afternoon and they were still having issues,” Celley said. “It’s kind
of hard to defend against when it’s Microsoft’s own security that’s being breached.”
Celley reported that the forensic expert, who is a former FBI agent with 17 years of experience in
cybercrime work, crossing both the public and private sectors, was “very complimentary of Perry ProTech.”

The township servers were rebooted again on Wednesday evening.
The township is implementing several changes, including password changes and adding a new detection and
response application. Complete removal of the current Microsoft software, in favor of another Microsoft
product that is not vulnerable to the Hafnium Exploit, is also being considered.
