Napanee Council openly discusses January cyberattack for first time

The Town of Greater Napanee Corporate Services building at 99 Advance Avenue. Photo by Michelle Dorey Forestell/Kingstonist.

Six months after it occurred, the Town of Napanee finally revealed some details of what it calls a “targeted cyber attack.”

At its regular meeting on Tuesday, Jun. 11, 2024, the Council of the Town of Greater Napanee held a closed session meeting to discuss “Confidential SR-520-2024—Cybersecurity Incident Review.” Council also received the Community and Corporate Services Cyber Incident Recommendations and Review Report, which revealed that Town data had been held for ransom by hackers during the incident.

As previously reported, on Thursday, Jan, 11, 2024, town systems were compromised through what the Town calls “a targeted cyber attack, taking down all internally hosted servers and associated services.”

After the conclusion of the closed session portion of the meeting on June 11, Mayor Terry Richardson reported that “at the closed session this evening, we approved the closed session minutes of the May 28 meeting and received information related to the security of municipal assets.”

After other agenda items, it came time to discuss a new report, prepared and presented by Dave Nicholson, the Town’s IT Manager with the department of Community & Corporate Services.

Cyberattack

Although it is not known what was discussed in the closed session, the report reveals some details of the cyberattack. On Wednesday, Jan. 10, 2024, a remote computer was connected to the Town’s backup server. Once the connection was established, what the report refers to as the “Threat Actor” — colloquially “hackers,” a person or group that intentionally causes harm to digital devices or systems — began extracting several files and one database.

The following day, the Threat Actor deployed tools that began encrypting both the virtual servers and the three physical host servers. (To clarify, encryption is basically converting the data those servers hold into a secret code that only the person doing the encryption can easily undo.)

On the morning of Thursday, Jan. 11, 2024, Town staff reported an inability to access systems and files and, according to the report, “recognized an external encryption of files and a posted ransom note.” In other words, the Threat Actor was demanding a ransom to give back the information they had encrypted.

“As per existing protocol,” the report states, staff immediately notified the Town’s cybersecurity insurer and the Ontario Provincial Police (OPP). The cybersecurity insurer led the response to the attack, and the Town retained the services of legal counsel with expertise in cybersecurity. At the same time, Town staff shut down all information technology (IT) operations and systems to limit any further access to digital files.

The Town’s cybersecurity insurer engaged the services of a cybersecurity response team to begin mitigation, recovery, and forensic review. Upon investigation, the team discovered that on-premises backups had been encrypted, “as is the norm with these types of attacks.” Further investigation found that backups to the cloud service had also been encrypted, the report notes. Over the following days, the cybersecurity response team swept the Town systems for threats and continually monitored activity. 

According to the report, no further actions or breaches have been discovered to date. The Town’s cybersecurity response team began the “negotiation protocols” with the Threat Actors to determine what had been compromised, potential threats, and harms done. 

The report states that investigators were able to establish the size and content of the breach in addition to the scale of the ransom demand. The stolen data was reviewed independently by the corresponding department managers and “deemed to not contain information harmful to the organization or compromise Corporate, personnel, or private information.” 

Staff then contacted the Town’s external hosting service to determine a course of action for restoring server backups and enacting its server cloud hosting service if physical servers could not be restored. The report states that the external hosting service retains Town data through scheduled backups. Although the regular backups had been compromised, the segregated secure backups were intact. Of the 23 servers previously hosted within the physical environment, 22 were successfully redeployed and re-launched on the cloud hosting platform. 

According to the report, one server backup was corrupted and could not be restored: “This server maintained an aging records management system for documenting the location of physical files.”

IT staff “flushed all passwords and forced resets to domain and Office 365 accounts as systems were brought online. Database accounts not linked to Active Directory were manually reset. Multifactor authentication was enabled across all appropriate platforms.”

“After thorough and rigorous scanning of devices by the cyber security response team,” the report notes, “staff were reissued laptops and PC’s based on priority of service required,” and other steps were taken for increased security.

The report states, “On close of the investigation, the Town’s cyber security insurers were able to determine the attack vector that allowed the ransomware to encrypt data and the extent and nature of the incident.” There has been no further correspondence with the Threat Actors, and to date, the exfiltrated data has not been released. The Town’s cybersecurity response team suggests that, “given the long duration without contact or release of the data, that release of data may not occur… No ransom has been paid and, given the nature of the data exfiltrated, it is highly unlikely Staff will recommend paying any future ransom demand for this breach.”

Recommendations

The approved budget for 2024 included $48,000 so the IT Department could obtain a contracted cybersecurity solution; the current contract is due to expire in November 2024.

In the report, Staff proposed single-sourcing the replacement of the current security system with a managed service solution provided by Solis. They also asked for approval to continue server hosting services through the current backup solution provider, Hostedbizz.

The report explained that the server hosting would cost $4,500 per month and would replace on-premises hardware that was compromised during the cyberincident. The pre-existing hardware, three “[HPE] Simplivity servers,” would require rebuilding at an estimated one-time cost of $25,000, but the report notes that these will be five years old in December 2024, and HPE will provide no further support or service after then.

The report explains that this ending of support presents further cybersecurity issues “with the inability to patch vulnerabilities beyond the current state” and that the required replacement of this hardware in 2025 is estimated at $180,000 with a recommended five-year cycle of replacement.

“Continuing to host our servers in the cloud through HostedBizz will eliminate the need for on-premise[s] servers and greatly reduce the required server room footprint in terms of size and utility requirements,” the report states. “An additional saving of $8,000 per annum would be made as VMware support would no longer be required if servers were cloud-hosted.”

The report recommended that Council approve the single source request and award the contract for cybersecurity services to Solis.

“The tools and services rapidly deployed by Solis during the cyberattack have proven invaluable in protecting our environment from further attack,” the report explains, noting that Town staff were recommending that service continue, given Solis’s “intimate understanding of our environment; their proven ability to rapidly respond; exceptional customer service; enhanced 24/7 managed detection and response; and use of industry-leading security tools.”

Discussion

Councillor Dave Pinnell asked Nicholson if he was satisfied with the report and recommendations.

“I know that it’s funny to ask that question, but I just want to make sure we make this decision,” said Pinnell.

Nicholson replied, “Absolutely, yes.”

Councillor Mike Schenk agreed with the recommendation based on his faith in Nicholson’s abilities.

“As everybody will do the math, it’s basically $100,000, but you know what? This security can save us a lot in the long run. So you’re the IT expert,” he said, indicating Nicholson. “You’ve done your homework, and I agree with the staff recommendation.”

Before calling the question, Mayor Richardson commented, “Unfortunately, this is the world we’re living in now, and it’s hard to imagine that we have to guard the information that’s maybe not even in this building, but it’s just the world we live in. I’m sure it’s going to get worse before it gets better. So thank you, Dave, for your work on this.”

Council voted unanimously (aside from the absent Councillor Angela Hicks) to “receive for information Community and Corporate Services Cyber Incident Recommendations and Review report… [and] approve the purchase and single sourcing of the required cyber security services … at the cost of $46,731.72 and service setup one-time fee of $4,293.31.”

The vote also included a stipulation that the ”budget [be] amended to support the continued hosting of Town servers at HostedBizz at an additional operating cost of $4,500 per month, to be funded from reserves at year-end if the costs cannot be accommodated through the operating or capital budget.”

Meetings of the Council of the Town of Greater Napanee can be viewed virtually (or watched afterward) on the Napanee Town Council YouTube channel or attended in person in Council Chambers at Napanee Town Hall, 124 John Street. Further information about Council meetings, including agendas and reports, is available on the Town’s CivicWeb portal.

Leave a Reply

You cannot copy content from this page, please share the link instead!