Cybersecurity a 'continuous' battle for Georgetown County in wake of 2021 attack | News

Published on August 14th, 2022


GEORGETOWN — Seth Housand remembers the call.

The Georgetown County IT department director was a network engineer on that day in January 2021, when the county was targeted with a potent, and occasionally lucrative, cyberthreat — ransomware.

Housand, who has been with Georgetown County's IT department for 11 years, said a sinking feeling set in as the questions formed in his mind. How deep did it go? How many devices were affected?

Ransomware is computer software — specifically, malware — that infects a device or network and blocks access to it until a sum of money is paid. It has made headlines with use in such high-profile attacks as that on Colonial Pipeline in May 2021. The shutdown of the pipeline, which transports nearly half of the gasoline consumed on the East Coast, caused a shortage throughout the Southeast, including South Carolina.

Since the attack on its own network, Georgetown County's IT department has worked to build a multi-layered security platform with Housand as department director, a position that the county decided to bring back in-house after the attack. 

The "malicious payload" that gained an initial foothold on a county computer was delivered, Housand said, on Jan. 20, 2021, in the form of a spear phishing attack — in this case, an email crafted for one specific recipient, carrying an attached macro-enabled document. The term "macro" refers to commands used in Microsoft Office programs that automate tasks to save keystrokes.

Microsoft warns on its support page that macros should not be enabled unless the user is sure what they do, noting that unexpected macros pose a "significant security risk" as they can be used to install malware. The company went so far as to announce this February that macros in files downloaded from the Internet would be disabled by default, before doubling back in July and then announcing on Aug. 2 that the change would indeed go forward.
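The email-security layer the article describes has to decide what to do with a macro-enabled attachment before a user ever sees the "Enable content" prompt. The following is an added illustration, not code from the county or from any product named in the article: it inspects an Office Open XML attachment (the ZIP-based .docx/.docm/.xlsm family) for the VBA project part and the macro-enabled content types that Office declares in the package manifest, and returns the reasons a gateway would quarantine it. The sample documents are constructed in memory and labelled as such; the helper names and the quarantine policy are assumptions for the example. The check only establishes that macros are present, not whether they are malicious, which is exactly why Microsoft's default block on Internet-sourced files is the stronger control.

```python
import io
import zipfile

# Main-part content types that Office Open XML assigns to macro-enabled documents
# (the "m" formats: .docm, .xlsm, .pptm). A plain .docx/.xlsx/.pptx declares different types.
MACRO_ENABLED_MAIN_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
# Content type of the embedded VBA project part, and its conventional file name.
VBA_PART_TYPE = "application/vnd.ms-office.vbaProject"
VBA_PART_NAME = "vbaProject.bin"


def macro_findings(attachment: bytes) -> list[str]:
    """Return the reasons an Office Open XML attachment should be treated as macro-bearing.

    An empty list means no macro indicators were found. Legacy binary formats (.doc/.xls)
    are OLE2 containers rather than ZIP and are reported separately so they are not
    silently passed as clean.
    """
    if attachment.startswith(b"\xd0\xcf\x11\xe0"):  # OLE2 compound file signature
        return ["legacy OLE2 Office container: inspect with an OLE-aware tool"]
    if not attachment.startswith(b"PK"):
        return []  # not a ZIP container, so not an OOXML document

    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(attachment)) as zf:
            names = zf.namelist()
            for name in names:
                # The VBA part conventionally lives at word/, xl/ or ppt/ vbaProject.bin.
                if name.rsplit("/", 1)[-1].lower() == VBA_PART_NAME.lower():
                    findings.append(f"VBA project part present: {name}")
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_PART_TYPE in content_types:
                    findings.append(f"content type declares a VBA project: {VBA_PART_TYPE}")
                for main_type in MACRO_ENABLED_MAIN_TYPES:
                    if main_type in content_types:
                        findings.append(f"macro-enabled main part: {main_type}")
    except zipfile.BadZipFile:
        findings.append("malformed ZIP container: cannot verify contents")
    return findings


def should_quarantine(attachment: bytes) -> bool:
    """Assumed gateway policy for this example: hold any attachment with a macro indicator."""
    return bool(macro_findings(attachment))


def build_sample_document(with_macro: bool) -> bytes:
    """Construct a minimal Word-style OOXML package in memory (constructed sample data,
    not a file from the incident). With with_macro=True it carries a VBA part and a
    .docm main content type, mirroring what a real macro-enabled attachment declares."""
    main_type = (
        MACRO_ENABLED_MAIN_TYPES[0] if with_macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
    if with_macro:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_PART_TYPE}"/>'
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'{overrides}</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, not real VBA
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("docx", build_sample_document(False)), ("docm", build_sample_document(True))):
        verdict = "quarantine" if should_quarantine(doc) else "deliver"
        print(label, verdict, macro_findings(doc))
```

Run as a script, the plain .docx is delivered with no findings and the .docm is quarantined with three: the VBA part, its declared content type, and the macro-enabled main part. Checking both the file list and the manifest matters because an attacker who renames the part can defeat one indicator but the package still has to declare the other for Office to run the macros.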

It was when a server rebooted off-schedule that Georgetown County employees were tipped off that something out of the ordinary had occurred. Housand said that by the time the county became aware of the intrusion on Jan. 23 — a Saturday — computers and servers had been infiltrated and encrypted as the malware began working its way laterally across the Georgetown County network.


The decision was made to keep county phone systems operational while internally cutting off most of the rest of county services to contain the damage. Not all of the county's 60 servers were affected, Housand said, and the number of devices encrypted totaled less than 1 percent of the approximately 3,000 owned by the county.

"But in the grand scheme of things, it was enough to cause major concerns and issues because it was county servers and where data is stored," Housand said.

In addition to the need to pay county employees, the date by which the IRS requires employers to file wage statements so W-2 forms can be compiled was days away when the threat was detected. But efforts to back up the county servers could not even start until a forensics report was completed to determine when the intrusion took place.

"Each server can take, depending upon its size and how much data involved, can take 2 hours, it can take 12 hours (to restore)," Housand said. "And even then, it's not always perfect. So we saw about a week and a half to two weeks of just restoring servers from backups."

The Georgetown County Council approved a $140,000 budget amendment two months after the attack to upgrade county cybersecurity measures, then budgeted for further system upgrades in its fiscal 2022 budget. The measures since taken involve backup solutions, email security, account authentication, endpoint protection and replacing "old-school" antivirus software.


"It allows us in IT to have a lot more insight on exactly what's going in the PCs, what's happening," Housand said. "It gives us a lot more freedom."

For example, Housand said, he can disable devices at any time to prevent threats from spreading throughout the network. He is still careful not to reveal sensitive information regarding the 2021 attack, as he said it was clear last January that the actors who infiltrated the county's network were listening to the information being put out by the county and the media.

"They pay attention to what we put out there, they pay attention to what we publish on our website, they pay attention to all of it," Housand said.

Still, Housand said, the county is more protected against cyberthreats than previously.

"But we still have a long way to go, a lot of things we have to do to continue to ensure the safety and security of the county network and try to maintain operations," Housand said.
