Fake email, stolen log-ins opened door to widespread hack on Mecklenburg County

CHARLOTTE, NC (Anna Douglas/The Charlotte Observer) - A foreign-based hacker gained access to at least one government employee's computer network log-in ID to launch a "ransomware" attack last week in Mecklenburg County, officials said Tuesday.

The cyber-attack knocked multiple data servers and many public services offline and caused widespread outages across Mecklenburg County systems. The county's "IT (information technology) Incident Response Team" first learned of the problem early in the morning of Dec. 5, said IT chief Keith Gregg.

By mid-morning, the county began shutting down parts of its network to isolate damage.

A week later, 17 of 200 affected systems have been restored, Gregg said. Those include the court system's jury management application, an employee payroll platform and several programs at the Department of Social Services.

The incident is still an active "cyber crime scene," Gregg said Tuesday. The county has hired a cyber forensics firm, called Fortalice Solutions, to assist with recovery, investigation and network restoration.

So far, Gregg said, there's no evidence that the affected data has been stolen or redistributed by the person or people who hacked into the county's network of computers. The incident primarily revolved around a "ransomware" attack, in which a hacker breaks into a system, blocks use of data and demands money in exchange for restoring access.

In Mecklenburg County's case, its system was compromised when an employee inadvertently opened what cyber security experts call a "phishing email" – a message that appears to come from a trusted or known source but actually contains a malicious link, file or attachment. From there, officials believe the criminal gained unauthorized access to the county government's system using the stolen log-in credentials.

In an update Tuesday, Gregg described the cyber attack as a "freeze" on selected county systems. The attack came with a demand of $23,000, which county officials refused to pay, saying it would not speed up recovery time. Instead, the county said it would restore its system and applications using backup data.

"We could not be in the recovery process if we did not have backups," Gregg said.

Still, recovery takes time, he said, because IT professionals want to ensure they do not reactivate infected systems or restore servers that could be vulnerable to another cyber attack. Last week, the county reported a second wave of "phishing" email attempts and responded by blocking employees from opening certain email attachments or file-sharing programs. No new infections came from the follow-up phishing attempts, officials said.

County officials say they do not yet have an estimate on financial revenue losses or costs associated with the cyber attack.

The hack comes as Mecklenburg County has spent nearly $16 million over the past three years to improve computer and network security, County Manager Dena Diorio told the commissioners Tuesday.

Those projects included expanded backup capabilities, increased firewall protections and new equipment or upgrades in some departments.

Overall, the health of Mecklenburg County's system and security features was strong at the time of the hack, said Fortalice CEO Theresa Payton on Tuesday. Even the most sophisticated systems, she said, can be vulnerable.

"Often it's just a matter of time," Payton said.