May 2 2017 11:33 AM

County wrestles with malware infection targeting ‘banking information’

TUESDAY, May 2 — Ingham County officials are working overtime to purge the county’s computer systems of a malware attack that sought to steal banking information, but systems may not be fully restored until Friday, the county controller, Tim Dolehanty, said this morning.

He said 25 percent of the systems had been restored as of 10:30 a.m.


The virus, which Dolehanty said tech staffers have not identified yet, caused the county to shut down the entire computer network Saturday. Antivirus software and the tech staff quickly identified and isolated the virus.


“It was searching for banking information and passwords,” Sarah Anthony, who chairs the Ingham County Board of Commissioners, said Monday night in a phone interview. “It did not do what it set out to do.”


She said the infections, which the county’s information technology helpdesk identified in an email Sunday night as “several malicious virus attacks,” were first noticed at about 1:30 p.m. Friday. Staff worked through the weekend identifying the virus, attempting to contain it and developing a “cleaning procedure” to rid county computers of the malicious code. The viruses affected every department, Dolehanty said.


Over 1,600 computers were impacted by the fast-spreading malware. Each requires an individual sweep with antivirus software and other procedures, Anthony confirmed. She was told each computer system would take “about 15 minutes to clear out.”


Dolehanty said staff are able to function using personal computers and smartphones, but “it’s not optimal.”

News of the contagion first broke Monday morning when Ingham County Clerk Barb Byrum announced she was shutting her offices “out of an abundance of caution.” The offices will remain closed today, as county tech officials work to clear out any of the malicious code that may remain.


The Sunday email directed staff to log off and turn off computers that contained sensitive data. It warned that continuing to use the system without clearance “may be exposing your data, including keystrokes, to individuals with malicious intent.” Capturing keystrokes is a way that viruses can identify passwords and other sensitive data to be exploited.


Tech employees took two and a half hours to cleanse the computer used by Jennifer Shuster, chief deputy county clerk. Still, as of Monday night, Byrum was unable to access websites required to process various clerk services like gun licensing.


She said the special elections scheduled in East Lansing and Haslett today would not be impacted. She said the systems for elections are “safe and secure” and “redundancy” systems were in place if there are any concerns.


Anthony said she was uncertain what the final price tag would be on the containment and cleanup from the malicious contagion.


But Thomas Holt, an assistant professor in the School of Criminal Justice at MSU and an expert in cyber crime, said the price tag could easily reach $100,000 “just to do the repair.”


The fact that county employees are moving from computer to computer to remove the malware indicates the viral infection is “much more complex,” he said, and could result in increased vulnerability if the county fails to find out how the virus made it past the firewalls.


Dolehanty said tech employees had isolated the virus for later review, but he suspects it is a new version of an older virus.


While it is unclear what viruses are involved, Holt said they likely originated from “foreign nationals.”

Just over a year ago, Vince Foess, then interim director of the county’s Innovation and Technology Department, warned county commissioners that the county’s computer systems were vulnerable to attack.

Foess told the County Services Committee in February 2016 that there were “security issues” with the web applications, adding that there had been “zero security on the back end” of past systems. Dolehanty declined to disclose the suspected vulnerabilities.


That news came only months after the county fired the former director, Michael Ashton, and Frank Chain, the department’s program manager, after City Pulse reported he had violated the county’s ethics policy by taking gifts and travel from county contractors.


Dolehanty said he was unsure if the current situation was related to those vulnerabilities.


“We have not even looked at how it got in here,” he said. “We’re just trying to contain and remove it right now.”