ADP Rescues Water Resources From Russian Cyber-Attack

After a recent cyber-attack on its email server, the Geauga County Water Resources Department has relinquished authority over its information technology systems to the county Automatic Data Processing board.

The ADP board approved the move during an emergency meeting on April 17.

At another emergency meeting April 13, board members argued with County Administrator Gerry Morgan and water resources personnel about the conditions leading up to the attack, which left the department unable to operate.

During the April 17 meeting, Information Security Analyst Zach McLeod reported that, according to a report from CrowdStrike, a third-party security vendor, the attack on water resources’ email server originated in a computer located in Russia.

As of the time of the meeting, the affected server was still in quarantine from the rest of the network at CrowdStrike’s suggestion, he said.

“They have completed their investigation,” McLeod said while presenting their report. “Just before the detection (of the malware), they see logs where a network request was made between the server and somewhere in Russia.”

CrowdStrike successfully identified the malware used to attack the server and did not find any further malicious activity in the department’s network after the server was put in containment, he added.

Geauga County Prosecutor Jim Flaiz asked McLeod to weigh in on a rumor he said was repeated by several county employees since the attack was exposed — that the hack was “concocted by ADP.”

“Apparently, water resources employees were told, or are under the belief, that this is all made up, this isn’t a real thing, this is something that’s been concocted by ADP and the people running ADP. I’ve heard that from a number of different people in the county,” he said. “Is that possible, or is this real ransomware?”

McLeod said CrowdStrike is a national company and that ADP was not responsible for the initial detection — that information was brought to them by a CrowdStrike alert.

“They were able to identify the exact type of malware that was used, and, you know, what it was attempting to exploit,” he said. “There’s not a way that we would have been able to duplicate that with a connection going to Russia from our end.”

Geauga County Auditor Chuck Walder — who acts as chief administrator of the county’s IT department under the umbrella of ADP services — said the move to bring water resources into compliance with the county’s IT operating standards comes after years of pushback.

In an April 18 interview, Walder said even before he took office, previous county auditors attempted to bring the department into alignment with the county’s IT security protocols and were rebuffed.

ADP Chief Deputy Administrator Frank Antenucci said county IT staff were having difficulty restoring access and function to the water resources department because of pushback from Network Administrator Michael Kurzinger. At the meeting April 17, Antenucci said while Kurzinger maintained he could not provide a list of all users who would need new email accounts because ADP had locked access to their servers and files, there should be a backup device somewhere with that information on it.

ADP Systems Administrator Corey Thompson said he believes there is a backup, but it may not have been properly configured.

“Information we received said it might have been just basically stuck in a loop and just bloating the mailbox, and it might not be usable. However, even if we had that, we could have made a better list (of email addresses) than what we have,” Thompson told the ADP board.

Walder said as county IT staff worked through the weekend to restore the department’s access, employees of his office pulled payroll records early Saturday to try to reconstruct an email user list. Antenucci said even an outdated backup list would be useful because it would include non-user accounts like alert systems that sent notifications when there was an issue at a water plant.

“So all you have are the employee names from payroll,” Flaiz said. “They didn’t even give you a list of employees that have email?”

“Well, we just assumed everybody was getting a paycheck is gonna have email,” Walder said.

“I’m not an IT guy but … let’s say I can’t connect to my network. I can still open up my computer at my desk and get in there and pull (email contacts),” Flaiz added.

An email exchange forwarded to the Geauga County Maple Leaf shows Antenucci asked Kurzinger for a list of email accounts that need to be restored. Kurzinger, from a Gmail account with a water resources username, said he could not provide the information.

“As you are aware, I/we have not had access to anything. No network, no Internet, no files, nothing. So please tell me how we are supposed to get you all the files and documents you keep insistently asking for,” Kurzinger replied. “This kinda seems like intentional harassment. If I can help productively, please let me know.”

Antenucci said after that exchange, he consulted Walder and Flaiz, who gave him permission to cease further interaction with Kurzinger.

After the meeting, Walder said while password protocols and outdated software issues have come to the foreground after last week’s attack, alarms were raised last summer when the McFarland Wastewater Treatment Plant was found to have a vulnerability in its security cameras.

According to reporting from the Chagrin Valley Times, in August 2023, security cameras installed by water resources IT staff were sending video footage from the McFarland Wastewater Treatment Plant to multiple computers in China for an unknown period of time.

In an April 18 interview, Antenucci said while alarming, public infrastructure data being scraped by Chinese computers is more common than the public realizes. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency considers the wastewater systems sector to be one of 16 critical infrastructure sectors “whose assets, systems and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”

Antenucci said China is an “expert” in scraping data from public infrastructure, mostly via technology manufactured in their country and sold to users in the U.S.

At the meeting, Walder said water resources will continue to have control over their operational technology, which will be housed at the McFarland plant — the county’s largest wastewater processing plant — located at the southern end of the county, which has its own staff to monitor its functions.

ADP employees are working to rebuild and restore email accounts and access for water resources employees, he said, adding users should regain access to previous emails within the next week or so, as files affected by the attack are cleaned up and restored.