The Fulton County Hack is a Ticking Bomb
A ransomware demand by hackers on Fulton County is far, far worse than leaders have disclosed to date. 12 hours from now, its justice system blows up.
UPDATE: This morning, the page showing the countdown clock to the release of Fulton County data disappeared from the .onion site hosting the ransomware hacker’s demands. There is no explanation from the hackers posted. One possible conclusion to draw is that Fulton County - or its insurer - met the attacker’s demands and paid the ransom.
Two weeks ago, hackers from a “ransomware as a service” group called LockBit 3.0 began shutting down computers up and down Fulton County. If it was on a computer, it got screwed: payments, HR systems, even phones. Even today, the county only has about a third of its phone systems up and running.
Fulton County commission chairman Robb Pitts and other county leaders came out early to send two messages. The first is the one they said explicitly: that the county had been hacked, critical systems were down, but the Trump case and the elections computers were safe.
The second message was in what they didn’t say: any meaningful detail about what got hacked and how, or whether anyone’s personal information was at stake.
Well, I’ve seen the LockBit page with a sample of Fulton County’s data on it, and it’s much worse than the county’s general assurances that its computer systems will be restored.
The hackers posted 25 documents, a sample of what they were able to download in the days and weeks before crashing the county’s computers. Those screenshots include:
The county’s VMware access pages, along with the identities of users with access credentials.
A complete file folder list for the county.
A random file list from within the folders, showing insurance and risk management files.
A judicial order sealing a medical record.
Purchase orders for Apple equipment, files on some Apple iPads (apparently), and backup files on an Apple computer.
A sealed record related to a child abuse case.
A sealed motion in the murder trial of Juwuan Gaston, demanding the state turn over confidential informant identities.
An evidence list from the Atlanta Police Department showing a list of guns and drugs.
The first page of an investigator's report given to a grand jury on the jail death of Montay Stinson. I note that the Stinson family has repeatedly complained about being unable to obtain information from the county about his death.
Records showing the county’s investments in its pension funds.
A file list from the district attorney’s office, showing case files in murder and gang cases.
An Excel spreadsheet showing configuration data for the county’s servers.
An APD incident report as a PDF, which indicates that the hackers have access to individual files attached to cases in the county’s Odyssey system.
The hackers are prolific, with more than a dozen recent attacks as far afield as Indian brokerage firm Motilal Oswal and Bank of America partner Infosys McCamish Systems.
The screenshots suggest that hackers will be able to give any attorney defending a criminal case in the county a starting place to argue that evidence has been tainted or witnesses intimidated, and that the release of confidential information has compromised cases. Judge Ural Glanville has, I am told by staff, been working feverishly behind the scenes over the last two weeks to manage the unfolding disaster.
Speaking to a colleague, a Fulton County employee said that the confidential material includes the identities of jurors serving on the racketeering trial of Jeffery “Young Thug” Williams and the YSL gang case.
The hackers have a timer counting down to 12:47 AM Friday, EST.
“We will demonstrate how local structures negligently handled information protection. We will reveal lists of individuals responsible for confidentiality. Documents marked as confidential will be made publicly available. We will show documents related to access to the state citizens' personal data. We aim to give maximum publicity to this situation; the documents will be of interest to many. Conscientious residents will bring order.”
I have more to write about this later. The county has spent millions of dollars on cybersecurity over the last two years. Only a few months ago, its chief information security officer was bragging about how the county had been closing off avenues of attack.
The county employs packet-level monitoring systems. It spent $425,000 on IDaptive account management software, $190,000 on Cylance antivirus software, $15,000 for encryption software, $300,000 on Varonis, above, and more.
And yet, here we are. We are owed an explanation.
I'm a cybersecurity industry veteran. There is a lot that the public, especially laymen, do not understand - things like deep packet inspection, spending millions of dollars, etc. will NOT protect you forever. It can reduce the chances, but never eliminate them.
Ransomware works on targeted attacks using novel (i.e., campaign-made/zero-day) malware. All you need is one idiot to open that email with the bad attachment and execute the program to attack the targeted exploit.
Companies like the ones I've worked for have made billions (literally) trying to mitigate threats like this, but they will never be entirely eliminated because the weakest link in the chain is the humans being targeted by what, to them, looks like something specific. The most successful avenue of attack is called spearphishing - targeting a specific, high-profile person who has enough information available online to provide clues on how to get them to click on something they shouldn't.