Cyber Incident Victim: Cobb County
Date: Mar 2025
Location: United States of America
Summary
Cobb County experienced a cyber attack that forced its systems offline after an intrusion was detected. A cybersecurity expert identified the Russian‑speaking group Qilin as responsible and said the attackers leaked sample data including autopsy photos, driver’s license images and social security cards, threatening to release 400,000 documents unless a ransom was paid. The county confirmed it declined the ransom demand, stating it does not negotiate with threat actors, and noted that systems were restored shortly after the incident. Officials said the investigation is ongoing and that, if personal information is found at risk, affected individuals will be offered credit monitoring and identity theft protection, while urging residents to monitor financial accounts for suspicious activity.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In March, Cobb County officials reported that the county’s computer systems were taken offline due to a cyber attack. The attack was discovered and the county immediately followed its established incident response protocols, which included shutting down affected networks. After the shutdown, county officials stated that operations were restored shortly thereafter. A third party issued a ransom demand to the county, which the county declined to pay. Cybersecurity expert Rick Hudson of Critical Path Security identified the Russian‑speaking threat actor group Qilin as responsible for the breach. Hudson said that Qilin had already begun sharing material it obtained and threatened to release the full dataset within two days. As proof, the group posted 16 sample images on a dark web site, depicting autopsy photographs, driver’s license pictures, and social security card images. Hudson added that the attackers claimed to have 400,000 documents ready for publication unless a ransom was paid.

The county spokesperson acknowledged that the incident had disrupted county services while the systems were offline. The spokesperson noted that, at the time of the statement, the county had not confirmed the accuracy of the data leak claims circulating on social media and would not speculate about information allegedly found on obscure parts of the internet. Despite the uncertainty, the spokesperson confirmed that Cobb County Government and the residents it serves were victims of a cyberattack. The spokesperson said that, if the investigation determines that specific personal information is at risk, the county will provide affected individuals with credit monitoring and identity theft protection services. Residents were urged to remain vigilant, monitor their financial accounts closely, and report any suspicious activity to their financial institutions. The spokesperson also stated that, to date, there is no evidence that any individual has suffered harm as a result of the incident.
The county’s response included taking the compromised systems offline, restoring operations after the shutdown, and refusing to meet the ransom demand in line with the official stance of not supporting criminal enterprises. The spokesperson emphasized that the investigation remains active and is being conducted by law enforcement authorities. The county reiterated that its network is now secure and that it is safe for the public to continue doing business with the county. The spokesperson concluded by noting that, as the investigation continues, there may be questions that cannot be answered at this time.
