Hackers claiming responsibility for breaching Fulton County’s computer systems have set a deadline of 12:47 a.m. Friday for releasing the stolen data.
The hackers posted to the darknet more than two dozen screenshots of what appears to be legitimate county documents. Many of them seem to be items, such as police reports, that would be available to the public via the Georgia Open Records law. But there are also documents that would not be considered public and some of the screenshots may indicate that the hackers gained access to sensitive internal county computer networks.
No demand for payment is attached to any of the screen shots, but a countdown clock to the data’s release suggests a ransom demand. Multiple cyber security experts have told The Atlanta Journal-Constitution that the hack has all the markings of a ransomware attack.
County commissioners met in emergency session midday Thursday to discuss the cyberattack, but after 90 minutes in closed session they adjourned without taking public action and left without making any comment or taking questions.
Notorious hacking group LockBit claimed responsibility for the attack, which took took down many county systems the weekend of Jan. 27.
Credit: LockBIt website
Credit: LockBIt website
LockBit’s ransomware tools emerged in Russian-language hacking forums in January 2020, according to the U.S Cybersecurity & Infrastructure Security Agency. Since then, affiliates have used those tools to attack infrastructure worldwide.
“LockBit ransomware operation functions as a Ransomware-as-a-Service model where affiliates are recruited to conduct ransomware attacks using LockBit ransomware tools and infrastructure,” the agency said in June. “Due to the large number of unconnected affiliates in the operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures.”
Between January 2020 and June 2023, LockBit software was used in about 1,700 U.S. ransomware attacks, with victims paying a combined $91 million, according to CISA. In 2022, LockBit made up 16% of ransomware attacks in this country.
Commission Chair Robb Pitts confirmed Wednesday that the hack was a ransomware attack and that some personal information may have been leaked. Until that afternoon’s brief news conference, he had maintained there was no evidence of a personal data breach.
If personal information is exposed, the county will notify anyone affected and offer services to help protect them, Pitts said.
State and federal law enforcement agencies are involved in the investigation, and county officials have cited that process in limiting details released about the cyberattack.
All county offices have reopened but many continue to use work-arounds to compensate for computer systems that are still down. The attack took down the county’s phone system, which runs over the internet; the internal financial system; online court and law enforcement systems; tax offices; and public-use computers at libraries, among other things.
About one-third of county phone lines are working again, and most services are available — though often only in person, since many online functions remain down.
County officials have dismissed rumors that the attack was political in nature. Elections Division Director Nadine Williams has said there is no evidence elections were a specific target, but as a precaution the connection between state and county election systems was severed.
That connection has been restored, and Pitts said the county is ready to start early voting Monday at 36 locations for the March 12 presidential primary.
Atlanta Journal-Constitution reporters Rahul Deshpande and Jennifer Peebles contributed to this report.