Many Fulton systems still down; experts suggest money motive for cyber attack

Caitlin Philpot got her notary public commission Feb. 1, 2024, on her third try. The Roswell resident had to come back to Fulton County offices due to effects of a weekend cyberattack.

Credit: Jim Gaines

Credit: Jim Gaines

Caitlin Philpot got her notary public commission Feb. 1, 2024, on her third try. The Roswell resident had to come back to Fulton County offices due to effects of a weekend cyberattack.

Continuing fallout from last weekend’s cyberattack on Fulton County government computers left Caitlin Philpot of Roswell a little nervous Thursday afternoon, but county efforts to deal with the hack let her accomplish her goal on the third try.

Philpot went to the North Fulton Service Center on Roswell Road Tuesday to get her commission as a notary public, only to find the Clerk of Superior & Magistrate Courts’ satellite office there could only accept money orders or checks, which she didn’t happen to have.

That was a result of the cyberattack that took down many county systems, which she hadn’t heard about on Tuesday.

Philpot returned early Thursday but had to fix a paperwork problem. Finally, Thursday afternoon, everything worked out: the computer situation had slowly improved.

“They actually took my card today,” Philpot said. “They said they were able to work something out.”

That was just in time, since there’s a 14-day deadline after applying for a notary’s commission to actually get it, she said.

“Today was the last day I would be able to do it, so I was a bit worried,” Philpot said.

Some offices at the county’s north service center — courts, the tax assessor and tax commissioner, and elections — are still closed or offering limited services, but business was slow Thursday as many people have gotten word of the cyberattack’s effects.

The county is slowly restoring basic functions but many public services and internal operations remain down, and details on exactly what happened are still scarce.

A computer security breach at Fulton County Schools around the same time, however, is unrelated to the county government cyberattack, according to Anne Boatwright, the school system’s media relations manager.

One or more students at FCS Innovation Academy gained “unauthorized access to certain Information Technology systems,” she said, noting that county government and the schools are separate entities. Most FCS services have been restored.

“Fulton County Schools has immediately undertaken measures to contain the incident and continues to monitor the security of Fulton County Schools’ environment,” Boatwright said.

Local governments and school systems are particularly vulnerable to cyber attacks and there have been several in Metro Atlanta alone over the past few years.

Cybersecurity experts elsewhere cast doubt on rumors that the Fulton cyberattack was politically motivated, an attempt to slow or stop District Attorney Fani Willis’ prosecution of former President Donald Trump and associates. It looked to them more like a ransomware attack, in which hackers damage or block vital computer systems and demand payment to restore them. County officials have not commented on the issue.

“The county government system across the U.S. has been increasingly targeted over the last couple of years,” said Jack Danahy, vice president of Strategy & Innovation for Vermont-based cybersecurity firm NuHarbor Security.

“It’s a very widespread style of attack if you’re trying to disrupt this specific thing,” Danahy said, referring to the Trump prosecution. There are better ways to disrupt prosecutors and courts specifically than the “great big hammer” used on Fulton’s systems, he said.

NuHarbor works with many local governments on cybersecurity, threats and best practices.

“We cover about a third of the U.S. population these days,” Danahy said.

The broad range of affected systems in Fulton also suggests a ransomware attack to Brendan Saltaformaggio, associate professor at Georgia Tech’s School of Cybersecurity & Privacy. Saltaformaggio recommends that targets never pay ransom, but that can be a hard stance for public officials trying to get vital services back online, he said.

Danahy said there was a recent attack on a company that stored data for about 70 Arkansas counties.

“Months after the incident some of the counties are still trying to get back on their feet,” he said.

Public agencies need to give employees basic cybersecurity training, such as telling them not to open email attachments and preventing them from installing outside software, said Doug Milburn, founder and president of 45Drives, a Canadian firm that sells a “behavior analysis solution” to hacking attempts.

“That needs to be done. We’re not a replacement for that,” he said.

Danahy said ransomware gangs now often buy previously stolen information on the Dark Web and use that to sneak into government systems, looking like legitimate users. It’s hard to blame government employees for responding to messages that look like they’re from colleagues, he said.

Finding out when personal information and employee credentials are for sale can really help organizations prevent problems before that data is used against them, Danahy said.

Fulton officials are probably trying to figure out “the breadth of the infection” while restoring services, Danahy said. He hopes they’re also looking at other systems that may seem untouched, but where attackers may have left a “foothold” to get back in later.

“People don’t understand how challenging it is to provide security for county governments,” Danahy said. Even a county as large as Fulton, with more than 1 million residents, probably has a cybersecurity staff and budget a tenth the size of what major corporations devote to the issue, he said.

“I feel their pain,” Milburn said. He developed his system after a previous company he owned was hit with a ransomware attack.

45Drives developed software that doesn’t look for computer viruses themselves, but looks for those consistent patterns in which the viral programs behave, Milburn said. It can identify such data-vacuuming attacks in a “fraction of a second,” and shut down access from a particular infected computer, he said.

So far it’s used by “small and medium” governments, nothing as large as Fulton County; but next week Milburn is presenting to major municipalities at a Florida conference, he said.

AJC reporter Martha Dalton contributed to this report.

What’s working, what’s not in Fulton County?

According to a county news release, as of Jan. 30:

  • Most county phone lines are down, but the county can still be reached by email
  • The court system is using “backup processes” to continue hearings, but e-filing and online record searches are unavailable. The sheriff’s office is using paper for detainee processing.
  • The downtown office of the Tax Commissioner has reopened and can process all vehicle transactions, but can’t do property taxes yet. “The Georgia Department of Revenue has approved a “holiday” for Fulton County customers who were not able to process their motor vehicle permits during this outage,” a county news release said.
  • Superior & Magistrate Court Clerk offices at the North and South Fulton Service Centers can process notary and passport applications, but appointments are recommended.
  • Probate Court can issue marriage licenses and renew firearm permits, but can’t issue new firearm permits or marriage certificates.
  • Boards of Equalization hearings scheduled through Feb. 5 have been postponed.
  • Online property records are unavailable, and the Board of Assessors can’t process any property transactions.
  • The county library’s online catalog is available but library public computers are out.
  • County water bills and payment are offline.
  • Elections offices are closed.
  • The 911 system is working, but the Fulton County Police Department can’t issue police reports.
  • County senior centers and Department of Behavioral Health & Developmental Disabilities services are all operating.