Date: Apr 2023

Location: United States of America

Summary

A cybersecurity breach targeted an outdated email server operated by the Geauga County Department of Water Resources, detected via CrowdStrike Falcon alerts indicating malicious command-line activity. The compromised server, running unsupported 2012-era software without recent patches, was isolated by ADP cybersecurity personnel, preventing spread to other county systems. The incident disrupted Water Resources' email access and revealed internal governance failures, including delayed migration to Microsoft 365 due to administrative disputes. County leadership exchanged accusations during emergency proceedings, with the prosecutor blaming the county administrator for blocking security upgrades. ADP's board mandated an immediate migration to Microsoft 365 at the department's expense while attempting data recovery. No other county services were impacted by the contained attack.


Description

On April 12, 2023, at approximately 4:00 a.m., CrowdStrike Falcon—an endpoint cybersecurity product installed on Geauga County’s network—detected potential malicious scripts and command-line activity targeting an email server operated by the Department of Water Resources. The server, running an unsupported 2012 operating system and outdated 2016 software lacking service patches, was vulnerable to exploitation. By 8:00 a.m., the Automatic Data Processing (ADP) Cybersecurity Center received high-priority alerts indicating a persistent attack, prompting CrowdStrike to automatically block access to the server and initiate isolation protocols. ADP personnel immediately severed all inbound traffic to Water Resources’ domain, disconnected the department from shared ISP switches, and conducted system-wide scans to confirm no lateral spread to other county infrastructure under ADP management. The attacker reportedly exploited vulnerabilities in Microsoft Exchange to execute unauthorized commands, though Water Resources staff powered down the compromised server before ADP or CrowdStrike could complete forensic analysis, limiting insights into the attack’s scope.

The breach disrupted Water Resources’ email operations but did not affect other county services. During an emergency ADP board meeting on April 13, Auditor Chuck Walder confirmed the department operated five servers independently of ADP’s oversight, all potentially unpatched. Water Resources Director Steve Oluic stated he lost email access without prior notification, while Network Administrator Michael Kurzinger cited failed attempts to contact ADP for remediation guidance. County Prosecutor Jim Flaiz attributed the breach to delayed migration to Microsoft 365—a patched email platform—revealing County Administrator Gerry Morgan had instructed Kurzinger in February 2023 to halt the upgrade pending mediation between ADP and commissioners. Flaiz accused Morgan of obstructing IT modernization for two years, exacerbating security gaps. The board resolved to migrate Water Resources to Microsoft 365 at the department’s expense and recover historical emails if possible. Discussions about appointing an interdepartmental liaison stalled due to legal concerns stemming from a prior lawsuit Morgan filed against ADP personnel.
