MML# 4 – Hackers Hitting Clarkston in 2018 Serves as Training Example for Other Cities
(Crystal A. Proxmire, Dec. 14, 2022)
Clarkston, MI – Back in Sept 2018, the City of the Village of Clarkston got hacked. Their computer system was frozen by a malware program and held hostage until a ransom was paid. That very stressful day is one that City Manager Jonathan Smith will never forget. And it’s one he hopes to help prevent others in local government from experiencing. He, along with Andy Brush of the Michigan Cyber Partners Program, and Luke Thelen of the Michigan State Police’s IT Division, shared his experience with officials from across the state at the recent Michigan Municipal League Convention in Muskegon.
Clarkston is a small community – just a half a mile square with 420 homes, a municipal operating budget of $900,000, and a team of just five employees. “For years we used a local IT person,” he said. “We’re a small community with a small, limited budget.”
Smith said he would not have imagined hackers targeting such a tiny town. “If you are a small community, don’t think ‘they won’t come after me.’ You’re a target because you are vulnerable. You don’t have the protection, that makes you a target.”
When team members arrived that day, everything was locked up. Smith contacted Oakland County IT for help, who quickly called in the State Police and the FBI.
“It kind of felt like the Ghostbusters coming into the office,” he said, describing how they dove into their work “removing everything, turning off printers, routers, taking hard drives out of computers.”
The ransomware was present on the server and was spreading quickly. The MSP and FBI made copies of the servers; copying the hard drives took an hour and a half. The last backup available was from three months prior. Had they not resolved the issue, they would have had to recreate all files and data input from the past three months.
The attackers contacted the office with their demands. They would unlock the system if the City paid them. Within the first 24 hours the cost would be 1.2 Bitcoins ($7,771). From 24-48 hours the ransom would be 2.1 Bitcoins ($13,600). And after 48 hours the offer would be gone and they would not have access.
“We had two options,” Smith said. “We could restore with a three-month-old backup, or we could negotiate with the attackers and pay the ransom.”
Another option would be to have experts try to decipher the encryption, “but that could take weeks, or months, or it could never happen.”
“Michigan State Police, FBI, and Oakland County recommended I pay the ransom.
“These are businessmen. They want you to have a successful event. If word ever got out that people paid ransom and didn’t get the code [needed to unlock the system], people would never pay the ransom.”
It was a difficult position. “How the hell am I going to explain this to my City Council,” Smith told the attendees. “How am I going to explain I need money to pay a criminal?”
Thankfully Clarkston had included Cyber Security Coverage in their municipal insurance policies. The plan is offered through Michigan Municipal League, and in Clarkston’s case the plan is what saved the day.
Before paying, the tech team insisted that the attacker prove that they had the key. “To confirm we were talking to the right hackers, we asked for decryption proof.”
At 3am they told Smith “Give us a file and we will send you a tool that will decrypt that file.”
The team picked an innocuous Word document and gave the attackers the name of the file. The IT team confirmed the decryption worked. An emergency council meeting was called and they agreed to move forward using the insurance and paying the ransom.
“Shortly after making the payment, we received the decryption codes as promised.”
That wasn’t the end, however. A forensic analysis had to be done to see if the hackers had stolen any data, and to find out exactly what happened. “A data breach is another whole nightmare,” Smith said. In this case, attackers did not access files with sensitive information like billing records and credit card transactions.
The audit also determined that the server was the weak link. “Over two weeks they accessed the server 42 times for 20 seconds or less,” Smith said. “Because they were only in for such short times, they determined they were just there for ransom and not for data.”
Including the Bitcoin purchase and the tech support help, the cost of this incident was $112,000 and the City itself paid $2,500 of that.
Smith and the other experts had recommendations for other cities, townships, and villages to consider.
“Strong firewalls are crucial,” he said. “Clarkston had one, but it was not up to current standards.”
He also suggested that manual backups are not acceptable, as they can be easily neglected. “They must be automated and daily,” Smith said. He added that they should be stored in a detached device with an “air gap,” or stored in the cloud, or both.
Training staff is also important. “Train your employees not to just click on anything,” he said. “Avoid phishing emails.”
The experts also cautioned against putting unknown thumb drives into any computer. Someone could come in asking to have a file printed, or a thumb drive might be left at a workplace and an employee might be tempted to open it to see what is on there.
“Put plans in place on what to do and who to call when a virus or malware is detected,” he said.
Another tip is to reduce risk by adding cybersecurity coverage to insurance plans.
Brush added that municipalities should update software and systems, change default passwords often, and use multi-factor authentication. He said there should be different passwords for everything, and that using a password manager like Bitwarden or 1Password can also help reduce risks.
Doing everything right is still no guarantee of avoiding a hack; however, the more resistance cyber criminals find, the less likely they will do the work. “They look for the weakest links, so they may just pass you by,” Brush said.
Examples of attacks can be found all over the country, and the costs have not been as small as Clarkston’s. In Lake City, Florida, officials paid $460,000 only to have their service partially restored. And in Wheat Ridge, Colorado, they refused to pay the $5 million ransom, and were still trying to get into their system weeks later. Advice seems to vary across states as to whether to pay ransom or not. And of course prevention is the best protection.
Michigan State Police offers cybersecurity training for local governments, businesses and organizations. Info on those can be found at www.Michigan.gov/mc3.
Other resources can be found at www.cisa.gov/badpractices.
This article is part of a series about the Michigan Municipal League’s 2022 Convention that took place in Muskegon Oct. 19-21. We will be sharing articles from the convention over the next few weeks to help readers better understand the issues local governments face.
For more on Michigan Municipal League, check out their website at http://www.mml.org.