Date: 2021-03-19

LIME CITY — The Perrysburg Township administration computer server was a victim of computer hackers who attacked Microsoft Exchange servers with the “Hafnium Exploit.”
“Basically we were attacked because we’re a government agency,” said Walt Celley, township administrator. “That’s what they usually do. They go after government agencies, financial institutions, but they’re more into hacking the defense department, not us, necessarily. They are trying to hack defense contractors, but they’re out there looking for government IPs and email addresses.”
Celley reported on the hack at Wednesday’s trustees meeting, relaying information from a computer forensic researcher who is working with the township’s insurance company.
He said that the township was not the likely entity the hackers were searching for.
“We were affected, but he said there was a very low probability that anyone took anything or left anything else, because they just didn’t have any time, because it was closed so quickly. The thing’s cleaned off, and probably if they looked at ours, they wouldn’t be very interested in our email anyway,” Celley said.
Perry ProTech applied a patch to the system on March 9.
“We continued to have incidents over the weekend. Perry ProTech worked all weekend on this. They’ve been working nights and days, pretty much around the clock. They’ve been doing a good job for us. They really got on it quick. They stopped it,” Celley said.
The data that could have been accessed was entirely public record and the server is not used for confidential purposes, he said.
He also spoke on the scope of the problem, which took place on computer servers worldwide.
“When they find a flaw like this, (hackers) attack machines around the world, hundreds of thousands of them. They don’t have very long to do it, because Microsoft, usually, very quickly reacts and patches the holes,” Celley said.
Microsoft and their cybersecurity firm, Volexity, identified the attack on their software, which was publicly announced on March 2, and began working with the FBI and the Cybersecurity and Infrastructure Security Agency. The company released patches for their software on March 3.
Microsoft has indicated that systems have been found with the Hafnium Exploit going back to January.
Celley explained that the hackers create a webshell that allows outside cyber actors to access the servers remotely. He compared it to someone illegally installing a door into your basement, but it may or may not be used.
The system was accessed by five different sources on four different dates: Feb. 28, March 2, 3 and 5. Two systems in New Jersey accessed the system eight times, a system in the Netherlands accessed it twice, one in Singapore accessed it six times and a system in Columbia did it once.
“Perry ProTech found four webshells and successfully removed them. I’m satisfied with that,” Celley said.
The township does have insurance coverage and a claim has been turned in. The insurance company has hired a law firm that is working with forensic computer specialists. All three firms are working with Perry ProTech in follow-up efforts.
“I was on a conference call Sunday afternoon and they were still having issues,” Celley said. “It’s kind of hard to defend against when it’s Microsoft’s own security that’s being breached.”
Celley reported that the forensic expert, a former FBI agent with 17 years of experience in cybercrime work across both the public and private sectors, was “very complimentary of Perry ProTech.”
The township servers were rebooted again on Wednesday evening.
The township is implementing several changes, including password changes and the addition of a new detection and response application. Complete removal of the current Microsoft software, in favor of another Microsoft product that is not vulnerable to the Hafnium Exploit, is also being considered.