Full Report
The city government of Thomasville, North Carolina, and a court district in eastern Georgia are responding to recent intrusions into their networks.
Analysis Summary
# Incident Report: Dual Cyberattacks on North Carolina Municipality and Georgia Judicial Circuit
## Executive Summary
Two government entities in the southeastern US, the City of Thomasville, North Carolina, and the Ogeechee Judicial Circuit District Attorney's Office in Georgia, suffered disruptive cyberattacks in the same week. The Thomasville incident took municipal systems offline, although essential services remain operational; the Georgia DA's office lost phone and internet service and closed its offices in the four counties it covers. Both have notified law enforcement (state and federal authorities for Thomasville, state agencies for Ogeechee), and Thomasville has retained a cybersecurity firm for investigation and recovery.
## Incident Details
- Discovery Date: Not explicitly stated. The Ogeechee intrusion was detected as it began on Tuesday morning; the Thomasville incident was public by Thursday.
- Incident Date: The Ogeechee DA's Office attack began Tuesday morning. The Thomasville attack was reported on Thursday; its start date is not given.
- Affected Organization: City of Thomasville, North Carolina; Ogeechee Judicial Circuit District Attorney’s Office (covering four Georgia counties).
- Sector: Municipal Government / Judicial/Legal Services
- Geography: North Carolina, USA; Georgia, USA
## Timeline of Events
### Initial Access
- Date/Time: The Ogeechee attack started Tuesday morning. The Thomasville attack was reported on Thursday.
- Vector: Not specified for either incident. The outage pattern is consistent with ransomware, but the source confirms neither the malware nor the entry point.
- Details: The Ogeechee DA's office says it detected the intrusion in real time and credits its recent prioritization of cybersecurity.
### Lateral Movement
- Details: Not specified.
### Data Exfiltration/Impact
- Thomasville: Municipal systems are offline; essential services remain available. Whether sensitive information was accessed is not yet known.
- Ogeechee: Phone and internet services are down and offices are closed for five days; staff have limited ability to check email or appear in court.
### Detection & Response
- Detection: Ogeechee detected the intrusion "in real time", which its leadership attributes to recent cybersecurity prioritization. How Thomasville detected its incident is not stated.
- Response Actions:
- Thomasville: Notified state and federal authorities; working with a cybersecurity firm to assess scope and recovery time.
- Ogeechee: Notified state law enforcement agencies and closed offices for recovery. Leadership credits the recently prioritized backup implementation with aiding recovery, while noting that the backup rollout was not yet complete when the attack began.
## Attack Methodology
*Note: Specific TTPs were not disclosed. The entries below are inferences from the reported outages, not findings from either investigation.*
- Initial Access: Unknown. Phishing, exploitation of an exposed service, or compromised credentials are the usual candidates for this sector, but none is confirmed here.
- Persistence: Unknown.
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown.
- Credential Access: Unknown.
- Discovery: Unknown. Early detection at Ogeechee may have limited internal enumeration, but the source does not say so.
- Lateral Movement: Not reported. The breadth of the Thomasville outage suggests more than one system was affected, but this is inference.
- Collection: Unknown for both.
- Exfiltration: Unknown for Thomasville. Ogeechee's leadership credits early intervention with preventing "catastrophic data loss"; that statement concerns availability and does not confirm that no data was taken.
- Impact: Widespread loss of service availability (municipal systems, phones, internet). Encryption is implied by the outage pattern but not confirmed.
## Impact Assessment
- Financial: Not disclosed. North Carolina law prohibits government entities from paying ransoms, so any cost to Thomasville will be response and restoration expense rather than a ransom payment.
- Data Breach: Unclear if sensitive information was accessed in Thomasville. Ogeechee leadership credits prioritization efforts with preventing "catastrophic data loss."
- Operational: Thomasville municipal systems are offline, though essential services continue; the Ogeechee DA's offices are closed for five days, delaying prosecutorial and court functions across four counties.
- Reputational: Both incidents required public disclosure, Thomasville because municipal services were disrupted and Ogeechee because of office closures and missed court appearances.
## Indicators of Compromise
- Network indicators: None published.
- File indicators: None published.
- Behavioral indicators: Sudden, widespread loss of municipal and office systems, including phone and internet service. No technical indicators have been released for either incident.
## Response Actions
### Containment
- Thomasville: Engaged a cybersecurity firm to assess scope and recovery time; specific containment steps were not disclosed.
- Ogeechee: IT specialists detected the intrusion in real time and intervened; affected systems were taken offline or had access restricted.
### Eradication
- Underway for both. Thomasville is working with its retained cybersecurity firm; Ogeechee has not described its eradication steps beyond involving state law enforcement.
### Recovery
- Ogeechee: Offices closed for five days to facilitate recovery; staff operating with limited capabilities.
- Thomasville: Recovery timeline is being assessed.
## Lessons Learned
- **Proactive Investment Matters (Ogeechee):** Prioritizing cybersecurity and backup implementation, even when costly or delayed, limited data loss during an active intrusion. The backup rollout was not yet complete, so even a partial investment paid off.
- **Pre-existing Policy (Thomasville):** North Carolina's ban on paying ransoms removes payment as an option, so recovery must come from backups, rebuilds, and outside response support.
- **Systemic Risk:** Cyberattacks continue to severely disrupt core functions of local government and essential public services across multiple states simultaneously.
## Recommendations
- Complete and regularly test comprehensive, off-network (offline or immutable) backups of all critical data, and rehearse restores rather than assuming they work; in judicial and administrative environments a prolonged outage delays court proceedings and filings in every jurisdiction the office serves.
- Maintain continuous network monitoring and an on-call response capability so intrusions are caught as they start, as Ogeechee's IT staff did.
- Fund IT staffing and defensive controls ahead of cost-saving measures, particularly for critical public services.
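The backup recommendation above is easier to act on with a concrete restore drill. The following is an added example, not code from the article or from either affected agency: it records a manifest of file sizes and SHA-256 digests at backup time (to be stored with the off-network copy) and later checks a restored tree against it, reporting files that were modified, removed, or renamed, which is what a ransomware encryption pass looks like on disk. The case-file layout, file names, and the simulated tampering in `run_drill()` are constructed for the example.

```python
"""Backup manifest and restore-verification drill.

Added example; not from the article or from either affected agency. The
directory layout and the simulated tampering in run_drill() are constructed
for illustration only.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large records need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its size and digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = {"size": path.stat().st_size, "sha256": sha256_file(path)}
    return manifest


def save_manifest(manifest: dict, dest: Path) -> None:
    """Write the manifest as JSON; keep this file with the off-network backup copy."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def verify_restore(expected: dict, restored_root: Path) -> dict:
    """Diff a restored tree against the manifest taken at backup time.

    A file whose size or digest changed, a file that vanished, and a new file
    with an unfamiliar name are the three signatures an encryption pass leaves
    behind, so all three lists are returned rather than a bare pass/fail flag.
    """
    actual = build_manifest(restored_root)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    modified = sorted(name for name in expected.keys() & actual.keys()
                      if expected[name] != actual[name])
    return {"ok": not (missing or extra or modified),
            "missing": missing, "extra": extra, "modified": modified}


def run_drill() -> dict:
    """Constructed scenario: back up a small case-file tree, verify a clean
    restore, then simulate an encryption pass (one file overwritten with random
    bytes, one renamed with a ransom-style extension) and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "case_files"
        (source / "2024").mkdir(parents=True)
        (source / "2024" / "docket.csv").write_text("case,defendant\n1,Doe\n")
        (source / "2024" / "notes.txt").write_text("hearing moved to Tuesday\n")
        (source / "readme.txt").write_text("constructed sample data\n")

        manifest_path = tmp / "manifest.json"   # in practice, stored with the offline copy
        save_manifest(build_manifest(source), manifest_path)

        restored = tmp / "restored"
        shutil.copytree(source, restored)
        clean = verify_restore(load_manifest(manifest_path), restored)

        # Simulated ransomware effects on the restored copy.
        (restored / "2024" / "docket.csv").write_bytes(os.urandom(64))
        (restored / "readme.txt").rename(restored / "readme.txt.locked")
        tampered = verify_restore(load_manifest(manifest_path), restored)
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    result = run_drill()
    print("clean restore ok:", result["clean"]["ok"])
    print("tampered restore:", json.dumps(result["tampered"], indent=2))
```

Keep the manifest with the offline copy rather than on the server it describes; otherwise the same intrusion that encrypts the data can alter or delete the manifest. When the restore drill runs on a schedule, empty `missing` and `modified` lists are the evidence that the backup is actually usable, which is the assurance Ogeechee's incomplete rollout could not yet provide.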