Full Report
Government services offered by one of the largest counties in Maryland are still being limited more than a week after it was targeted by a cyberattack.
Analysis Summary
# Incident Report: Anne Arundel County Cyberattack
## Executive Summary
Anne Arundel County, Maryland, suffered a significant cyberattack that disrupted local government services. The county first announced the incident on February 23 and described it as a multi-day event that began before that date. As a precaution the county shut off internet access for government systems, halting online bill payments and permit processing, while core emergency services (911/311) stayed operational. Cybersecurity specialists are working with the county's Office of Information Technology (OIT) to secure and restore systems in priority order; more than a week later, services remain limited, and the nature and full scope of the incident are still under investigation.
## Incident Details
- Public Announcement: February 23 (the date the county actually detected the intrusion has not been disclosed)
- Incident Date: Described by county officials as a "multi-day event" spanning the days leading up to February 23
- Affected Organization: Anne Arundel County, Maryland
- Sector: Local Government
- Geography: Maryland, USA
## Timeline of Events
### Initial Access
- Date/Time: Undisclosed (began before February 23)
- Vector: External origin (Specific vector not disclosed)
- Details: The incident was described as a "multi-day event" by county officials.
### Lateral Movement
- Details: Specific details regarding internal movement were not disclosed as of the reporting date, pending full investigation.
### Data Exfiltration/Impact
- Details: No data theft has been confirmed; whether any data was accessed or exfiltrated remains under investigation. Operational impact included general government operations, tax processing (manual or alternative payment methods required), Department of Aging and Disabilities centers, and closure of recycling centers and the landfill. 911 and 311 centers remained operational.
### Detection & Response
- Date/Time: Detection date not disclosed; the county publicly announced the incident on February 23.
- Response actions taken: County buildings were closed the following Monday (February 24) and employees were directed to work remotely; internet access for government systems was shut off as a containment measure; in-person payments were limited to cash or check; external cybersecurity specialists were engaged.
## Attack Methodology
- Initial Access: Unknown (External origin)
- Persistence: Undisclosed
- Privilege Escalation: Undisclosed
- Defense Evasion: Undisclosed
- Credential Access: Undisclosed
- Discovery: Undisclosed
- Lateral Movement: Undisclosed
- Collection: Undisclosed
- Exfiltration: Undisclosed (attacker motivation and whether any data was taken are unknown)
- Impact: Operational disruption across non-emergency government services.
## Impact Assessment
- Financial: Unknown (late payments were allowed, and manual processing added overhead)
- Data Breach: Unknown (Scope and type of potentially compromised data remain under investigation)
- Operational: Significant disruption to typical county operations (e.g., tax payments, permits, closures of service centers).
- Reputational: Visible public-service disruption, with county operations still limited more than a week after the announcement.
## Indicators of Compromise
- No indicators of compromise have been publicly released; none are reported here.
## Response Actions
- Containment measures: Internet access for government systems was shut off as a precautionary measure; County buildings were temporarily closed.
- Eradication steps: Ongoing work with OIT and cybersecurity specialists to secure and restore systems.
- Recovery actions: Systems are being restored in a "priority order" to bring services back online; manual/alternative payment methods were implemented temporarily.
## Lessons Learned
- Key takeaways: Emergency and essential services (911/311) were kept running through a major outage; such services must be designed to keep operating even when the rest of the network, including internet access, is taken offline for containment.
- Open questions: The nature of the attack (e.g., whether ransomware was involved) and its full scope have not been disclosed, pending the investigation and to avoid revealing information to the threat actor.
## Recommendations
- Enhance network segmentation so that a compromise in one part of the environment can be contained without cutting internet access for every county service, limiting the blast radius of future incidents.
- Review and test Business Continuity/Disaster Recovery (BCDR) plans focusing on operations that must remain offline or manual during a network shutdown.
- Prepare comprehensive, timely public communication strategies that balance the need for transparency with the security imperative of not revealing information to threat actors.