
Cyber Incident Victim: Geauga County

Date:

Apr 2023

Location:

United States of America

Summary

The Geauga County Department of Water Resources experienced a breach of its email server. A cybersecurity product detected and blocked nefarious command line activity on the vulnerable, out-of-date server, which was subsequently powered off by department staff. The incident resulted in a complete loss of email access for the department but did not disrupt other county services. The attack prompted a contentious emergency meeting where officials blamed the breach on the failure to migrate to a more secure email system.


Description

On April 12, 2023, at approximately 4:00 a.m., the CrowdStrike Falcon endpoint security product installed on the Geauga County network began detecting possible malicious scripts and command line activity on a server belonging to the Department of Water Resources. Falcon was deployed on all county servers and workstations under the oversight of the Automatic Data Processing (ADP) board, and it provided the first alert of a potential threat. Shortly before 8:00 a.m. the same morning, ADP staff began receiving a series of high-priority alerts from the ADP Cybersecurity Center, which is fed by CrowdStrike telemetry. These alerts indicated what was assessed to be a significant, persistent attack targeting that specific Water Resources server.


Given the persistent and critical nature of the attack, the CrowdStrike Falcon platform automatically applied its containment policy, blocking access to the compromised server. It also provided ADP with a series of procedures and instructions for further isolating the server and protecting the broader county network. In immediate response to these alerts, ADP personnel notified the Water Resources Department of the ongoing attack and then blocked all inbound network traffic destined for the Water Resources domain. To prevent lateral movement, ADP also removed Water Resources from all shared internet service provider (ISP) switches, segmenting the department's compromised systems from the rest of the county network. A deep scan of all other county systems under ADP control was then initiated to confirm that the county's core environment remained unaffected by the breach.

The server at the center of the attack was identified as an "end-of-life, end-of-support server." It was running an operating system from 2012 and application software from 2016, neither of which had received service packs or security updates. This outdated, unpatched state created a critical exposure that likely allowed an outside threat actor to compromise the server. The initial attack vector was Microsoft Exchange, the department's email server software, from which the attacker attempted to run a series of commands. Despite the efforts of ADP and CrowdStrike to contain and analyze the incident, the server was ultimately powered off by Water Resources staff. That action stopped any further immediate malicious activity but also ended forensic analysis by the security teams: powering a machine off discards volatile evidence such as memory contents, running processes and live network connections, and a disk image alone may not show what the attacker actually executed.
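The activity Falcon flagged, scripts and command line execution originating from the Exchange server, is the classic footprint of post-exploitation on Exchange: a command interpreter launched by the IIS worker process (w3wp.exe) that hosts Exchange's web services, which in normal operation should never spawn one. The following is an added example, not code from the original write-up or from CrowdStrike, of a minimal detection over process-creation events for exactly that pattern. The event records and the hostname are constructed for illustration, and the field names (`parent_image`, `image`, `command_line`) are an assumed generic schema rather than any particular EDR or Sysmon format.

```python
"""Detect command interpreters spawned by Exchange's IIS worker process.

Added example: a generic detection, not the original page's or any vendor's
code. Event field names are an assumed schema; sample events are constructed.
"""
import re
from dataclasses import dataclass

# Exchange-side parent processes that should not launch interactive tooling.
EXCHANGE_PARENTS = {"w3wp.exe", "umworkerprocess.exe"}

# Children that indicate web-shell or hands-on-keyboard activity.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "certutil.exe", "bitsadmin.exe", "mshta.exe",
}

# Command line fragments that strengthen the signal (recon, encoded payloads).
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\b|\biex\b|downloadstring|\bwhoami\b|"
    r"\bnet (user|group)\b|-nop\b|-w(indowstyle)? hidden)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    timestamp: str
    host: str
    parent: str
    child: str
    cmdline: str
    score: int


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> int:
    """Score one process-creation event; 0 means not interesting."""
    parent = basename(ev.get("parent_image", ""))
    child = basename(ev.get("image", ""))
    if parent not in EXCHANGE_PARENTS:
        return 0
    score = 0
    if child in SUSPICIOUS_CHILDREN:
        score += 2  # interpreter under w3wp.exe is the core indicator
    if SUSPICIOUS_ARGS.search(ev.get("command_line", "")):
        score += 1  # recon or encoded-command arguments raise confidence
    return score


def detect(events, threshold: int = 2):
    """Return a Finding for every event at or above the threshold."""
    findings = []
    for ev in events:
        s = score_event(ev)
        if s >= threshold:
            findings.append(Finding(
                timestamp=ev["timestamp"],
                host=ev["host"],
                parent=basename(ev["parent_image"]),
                child=basename(ev["image"]),
                cmdline=ev.get("command_line", ""),
                score=s,
            ))
    return findings


# Constructed sample events (hostname and command lines are illustrative only).
SAMPLE_EVENTS = [
    {"timestamp": "2023-04-12T04:01:13Z", "host": "mail-example",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami"},
    {"timestamp": "2023-04-12T04:01:40Z", "host": "mail-example",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    # Benign: an administrator opening a shell from Explorer.
    {"timestamp": "2023-04-12T04:02:05Z", "host": "mail-example",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe"},
    # Benign: IIS worker process crashing and invoking Windows Error Reporting.
    {"timestamp": "2023-04-12T04:02:30Z", "host": "mail-example",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WerFault.exe",
     "command_line": "WerFault.exe -u -p 4120 -s 1234"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.host} {f.parent} -> {f.child} "
              f"(score {f.score}): {f.cmdline}")
```

Only the two events in which w3wp.exe spawns cmd.exe and powershell.exe are reported; the Explorer-launched shell is ignored because its parent is not an Exchange process, and the WerFault.exe crash handler under w3wp.exe scores zero. In a real deployment the parent/child check alone (score 2) is usually worth alerting on for Exchange hosts, with the argument heuristics used to prioritize rather than to gate the alert.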

The containment efforts by CrowdStrike and ADP succeeded in preventing any disruption to other county services or to any systems under ADP's direct control. The incident was isolated to the email server operated solely by the Water Resources Department, one of five servers the department ran without oversight from the ADP board. It was reported that the department had also neglected to keep its other servers patched and up to date, leaving multiple systems exposed.

The incident precipitated an emergency meeting of the ADP board on April 13, which was attended by Geauga County Commissioners, the County Prosecutor Jim Flaiz, and representatives from Water Resources. During this meeting, a significant exchange of accusations occurred between officials. Water Resources Director Steve Oluic stated he had received an email at 8:00 a.m. on the day of the breach and was then shut down without further phone calls or information, leaving him without a report on what had transpired. Prosecutor Flaiz directly placed responsibility on Water Resources for running the server and expected an explanation from them.

The Water Resources Network Administrator, Michael Kurzinger, confirmed that CrowdStrike's action had shut the server off from the network, ending the immediate threat until remediation could occur. He also stated that he had made multiple attempts to contact ADP Chief Deputy Administrator Frank Antenucci but was unable to reach him, being told by the help desk to call back later. A key point of contention arose regarding the department's use of an outdated Exchange server instead of migrating to the more secure Microsoft 365 platform, which is still supported by service patches. Kurzinger revealed he had been instructed by County Administrator Gerry Morgan not to proceed with the migration to Microsoft 365 until mediation between the county commissioners and the ADP board was finalized. Prosecutor Flaiz presented a February 2 email as evidence of this instruction from Morgan.

Flaiz explicitly stated that the failure to migrate was the fault of County Administrator Morgan. When asked if the breach would have occurred had the migration to Microsoft 365 already taken place, Water Resources Director Oluic replied that he did not know. Morgan agreed during the meeting to allow the migration to move forward, stating he had already spoken with Water Resources about its implementation. This prompted a sharp rebuttal from Flaiz, who accused Morgan of lying about previously promising to bring Water Resources completely under ADP oversight two years prior and only authorizing the migration after a cyberattack had occurred. ADP Chief Administrator Chuck Walder confirmed that Microsoft 365 had been installed everywhere in the county except for Water Resources due to difficulties in dealing with the department.

A resolution was passed by the ADP board during the emergency meeting. The motion authorized ADP to migrate the Water Resources email server to Microsoft 365 and to perform any other necessary services to restore the department to full operation. It was stipulated that the Water Resources Department would be responsible for covering all associated costs. ADP also agreed to attempt to recover historical email data from the compromised server, though the powering off of the server by Water Resources staff may have complicated this effort. The immediate consequence for the Water Resources Department was a complete loss of email access following the containment actions. The meeting also highlighted a deep operational rift between departments, with discussions about appointing a liaison to improve communication between ADP and Water Resources. The underlying tensions were further exemplified by references to a previous lawsuit filed by county commissioners that personally named ADP officials, which was called "classless" and "vindictive" by Prosecutor Flaiz.
