Date: Apr 2023

Location: United States of America

Summary

A cyber attack targeted the Geauga County Department of Water Resources' email server. An endpoint detection system identified and blocked nefarious command line activity, successfully containing the incident to the outdated server and preventing spread to other county systems. The breach caused significant internal conflict, with officials blaming the incident on the department's failure to migrate to a more secure, modern email platform despite prior recommendations. Email access for the department was disrupted as a result of the attack and the subsequent server shutdown.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On April 12, 2023, at approximately 4:00 a.m., the CrowdStrike Falcon endpoint security product installed on the Geauga County network began detecting possible malicious scripts and command line activity on a critical server belonging to the Department of Water Resources. This product, which was installed on all county servers and workstations under the oversight of the Automatic Data Processing (ADP) board, generated alerts indicating a significant and persistent attack targeting this specific water resource server. Shortly before 8:00 a.m., the ADP staff at the Cybersecurity Center began receiving a series of high-priority alerts from CrowdStrike detailing the ongoing attack. The software identified activity in which an outside actor was attempting to access and control the server. Given the critical and persistent nature of the attack, the CrowdStrike system automatically executed its response protocols, blocking access to the compromised server and initiating procedures to isolate it further in order to protect the broader county network infrastructure.

In immediate response to these alerts, ADP personnel notified the Water Resources Department of the cyber attack. To prevent the threat from spreading, ADP then blocked all inbound internet traffic for the Water Resources domain and removed the department from all shared internet service provider switches. Concurrently, ADP initiated a deep scan of all other county systems under its control to confirm that the county’s network environment was not affected by the breach. The investigation by ADP and CrowdStrike determined that the compromised server was an “end-of-life, end-of-support” system. This server was running an outdated operating system from 2012 and software from 2016 that had not received proper service patches, creating a critical vulnerability. This vulnerability likely allowed the external threat actor to penetrate the server through its Exchange email program and attempt to run a series of commands. The forensic analysis was cut short when Water Resources staff independently powered the infected server off, which prevented ADP or CrowdStrike from conducting any further analysis to determine the full scope of the attacker's actions or intentions.

The incident caused significant operational disruption for the Water Resources Department, whose director, Steve Oluic, stated he had lost all email access and had not received any substantive information or report regarding the server breach. This lack of communication became a central point of contention during an emergency meeting of the ADP board convened on April 13. During the meeting, Geauga County Prosecutor Jim Flaiz directly questioned Water Resources Network Administrator Michael Kurzinger about the attack. Kurzinger confirmed that the CrowdStrike product had acted to shut the server off from the network upon detecting the threat, effectively ending the immediate threat until remediation could occur. He also stated that he had made multiple attempts to contact ADP Chief Deputy Administrator Frank Antenucci for guidance but was unable to reach him, being told by the help desk to call back later.

A primary point of discussion and blame during the emergency meeting centered on the fact that the infected email server was one of five servers operated by the Water Resources Department without ADP’s oversight. County Auditor and ADP Chief Administrator Chuck Walder stated the department had neglected to keep its other vulnerable servers patched and up to date. Prosecutor Flaiz questioned why the department was still running an outdated and vulnerable Exchange server instead of having migrated to the more secure and currently supported Microsoft 365 platform. Network Administrator Kurzinger responded that he had been instructed by County Administrator Gerry Morgan not to proceed with the switch to Microsoft 365 until mediation between the county commissioners and the ADP board was finalized. Flaiz presented a February 2 email from Morgan that explicitly directed Kurzinger not to move forward with the migration.

This revelation led to a heated exchange where Flaiz placed blame for the incident squarely on County Administrator Morgan, stating that had the migration to secure software been completed, the problem might have been avoided. Flaiz accused Morgan of lying about intentions to bring Water Resources fully under ADP control, a process that had been discussed for over two years but never implemented. Walder supported this, noting that ADP had successfully installed Microsoft 365 everywhere in the county except for the Water Resources Department, citing difficulty in dealing with the department, particularly following a prior issue at the McFarland Wastewater Plant. Morgan proposed that Water Resources could transfer to Microsoft 365 on its own without ADP's assistance and then convert to ADP administration at a later date, a suggestion that was met with strong opposition from Flaiz and Walder, who questioned the need for further delay.

The immediate consequence of the attack was a complete loss of email functionality for the Water Resources Department. As a resolution, the ADP board passed a motion to migrate the Water Resources email server to Microsoft 365 and to perform any other services necessary to restore the department’s operational capacity. It was stipulated that the Water Resources Department would be responsible for covering all associated costs. ADP also agreed to attempt to recover historical email data from the compromised server if such recovery was still possible after it was powered off. During the meeting, the successful containment of the attack by CrowdStrike and ADP was noted, with confirmation that no other county services or systems under ADP control were disrupted.

The incident also exposed and exacerbated significant pre-existing tensions and communication breakdowns between different county entities. Commissioner Tim Lennon suggested designating a specific liaison to improve communication between ADP and Water Resources. Budget and Finance Manager Adrian Gorton was proposed for this role, but Water Resources Director Oluic quickly disagreed. Walder further complicated the suggestion by noting the potential liability such a position could carry, referencing a lawsuit filed the previous September by county commissioners that had personally named him, Antenucci, and another ADP employee. Prosecutor Flaiz called that lawsuit “classless” and vindictive, directly attributing it to County Administrator Morgan, who left the room during this portion of the discussion. The breach served as a catalyst that brought longstanding administrative and political conflicts within the county government to a head, highlighting issues of responsibility, oversight, and inter-departmental cooperation in maintaining cybersecurity.

Sources

1 source (available to members)