Multi-County Cyber Attack Sparks Wi-Fi Policy Change
In response to a statewide cybersecurity attack in late May and early June, the Geauga Automatic Data Processing board has changed public Wi-Fi policies for county employees, ADP Chief Deputy Administrator Frank Antenucci said June 11.
A May 27 email from ADP to county IT stakeholders marked the start of a long chain of replies, each detailing a new county that had been compromised.
“Today, we received a critical phishing alert from one of our team members regarding an invoice email originating from belmontcountyengineer[.]com,” Antenucci said in an email. “Thanks to her prompt action in identifying and reporting this suspicious email, we swiftly initiated an investigation.”
Breach Spreads Across State
The compromise extended farther than the Belmont County Engineer’s Office, Antenucci confirmed in a reply June 5.
“We have received official confirmation from the County Engineers Association of Ohio that their domain has also been compromised,” he said, relaying a communication from the association about an employee’s email being hacked and sending out fake invoices.
Multiple Geauga County users had machines compromised in the attack, Antenucci said, noting the entire Belmont domain may be compromised as well.
The situation worsened from there: in a June 6 update, Antenucci said attacks had also been identified from the Coshocton County domain.
“This alarming situation appears to be spreading statewide via the CEAO distribution list, placing numerous government entities at significant risk,” he said, adding his thanks to Geauga County Commissioners clerk Christine Blair, who reported the original attempt.
“Coupled with our advanced endpoint protection software, CrowdStrike, her proactive response significantly mitigated potential damage,” Antenucci said. “Without these safeguards and quick actions, Geauga County could be experiencing the severe consequences that other counties are currently enduring.”
Having spent extensive time engaged with IT directors and public officials across the county, Antenucci said it was becoming increasingly clear to him how uniquely prepared Geauga has been to face threats like these.
“It has never been more evident to me than this year how close of a partnership we (IT stakeholders) all have,” he said. “It is evident when speaking to representatives from other counties that they envy our proactive collaboration, strong cybersecurity posture and the exceptional dedication of our coworkers.”
Antenucci said all potentially compromised counties have been blocked from communicating with Geauga County’s network.
“In our zero trust cybersecurity posture, any domain associated with or affiliated to a known compromised domain is subject to immediate precautionary blocking,” he explained June 9. “This ensures containment and limits the risk of lateral movement of threats into Geauga County systems. Our practice is to apply broad domain blocks as a first-line defense and then refine those blocks as intelligence becomes clearer and more granular.”
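The "block broadly first, refine later" approach described above can be expressed as a simple sender-domain policy. The following is an added example written for this article, not county code: it blocks a compromised domain and everything under it, and only later accepts narrower exceptions; all hosts other than the domain named in the article are constructed for illustration.

```python
"""Precautionary sender-domain blocking with later refinement (added example).

Block a compromised domain and every subdomain first, then carve out narrower
exceptions once intelligence is clearer. Domain names other than the one quoted
in the article are constructed for this example.
"""
from dataclasses import dataclass, field


def normalize_domain(domain: str) -> str:
    """Lower-case, strip a trailing dot and undo the '[.]' defanging used in reports."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def matches(domain: str, rule: str) -> bool:
    """True when domain equals the rule or is a label-aligned subdomain of it."""
    domain, rule = normalize_domain(domain), normalize_domain(rule)
    return domain == rule or domain.endswith("." + rule)


@dataclass
class BlockPolicy:
    broad_blocks: set = field(default_factory=set)  # compromised or affiliated domains
    exceptions: set = field(default_factory=set)    # narrower carve-outs added later

    def is_blocked(self, sender: str) -> bool:
        domain = sender.rsplit("@", 1)[-1]
        if any(matches(domain, exc) for exc in self.exceptions):
            return False  # refined intelligence cleared this host
        return any(matches(domain, blk) for blk in self.broad_blocks)

    def refine(self, allowed_domain: str) -> None:
        """Accept an exception only if it sits under an existing broad block."""
        if not any(matches(allowed_domain, blk) for blk in self.broad_blocks):
            raise ValueError(f"{allowed_domain} is not covered by any broad block")
        self.exceptions.add(normalize_domain(allowed_domain))


def triage(policy: BlockPolicy, senders: list) -> list:
    """Return the senders a mail gateway would quarantine under the policy."""
    return [s for s in senders if policy.is_blocked(s)]


# Constructed sample: the domain named in the article plus hypothetical hosts.
POLICY = BlockPolicy(broad_blocks={"belmontcountyengineer[.]com"})
SAMPLE_SENDERS = [
    "invoices@belmontcountyengineer.com",   # the reported phishing source
    "gis@maps.belmontcountyengineer.com",   # subdomain: caught by the broad block
    "clerk@notbelmontcountyengineer.com",   # lookalike, not a subdomain: passes
    "auditor@example-county.gov",           # unrelated domain: passes
]

if __name__ == "__main__":
    print(triage(POLICY, SAMPLE_SENDERS))
```

Note that the lookalike domain is not caught by this rule; it illustrates why a blocklist is a first-line control, not a substitute for the user report that started the investigation.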
Belmont County, CEAO, Stark County, Seneca County, Ashtabula County, Mercer County, Noble County, Coshocton County and Wayne County all reported varying levels of compromise, he later said.
The How of It
Antenucci provided an update June 11 as to how the breach happened.
“Our cybersecurity team has medium confidence that the origin of this multi-county breach was an unsecured public Wi-Fi network used during a recent conference attended by members of the CEAO and Belmont County staff,” he said. “Attackers likely intercepted official login credentials over this public Wi-Fi and used them to infiltrate various county systems.”
Unsecured public Wi-Fi networks are a “high-risk vector” for cyberattacks, he said, naming three methods the attackers could have used in this case: man-in-the-middle attacks, evil twin networks and packet sniffing.
In a man-in-the-middle attack, the attacker positions themselves between the user’s device and the internet to intercept transmitted data, capturing usernames, passwords and session information in real time without the user’s knowledge, Antenucci explained.
Evil twin networks are fake Wi-Fi networks mimicking the real ones of venues — like coffee shops and hotels — that record the internet activity of users, while packet sniffing involves attackers monitoring unencrypted data over a network, such as login information, he said.
In this attack, once someone’s credentials were obtained, the attackers were able to send phishing emails containing malicious links or attachments from a trusted account and access internal county systems, posing as a legitimate employee, he said.
In light of this attack, county employees are now prohibited from accessing official county systems or logging in to county-issued devices from unsecured public Wi-Fi networks, Antenucci said.
Employees are now required to either pre-verify a secured network, or use a hotspot or county-approved virtual private network, he said.
“This incident underscores the importance of remaining vigilant and adhering to all county cybersecurity policies,” Antenucci said. “A single misstep — like logging in through public Wi-Fi — can lead to widespread consequences for your colleagues, our systems and the public we serve.”