Henry County’s Enhanced 911 system was the victim of a computer virus attack last summer that temporarily deprived dispatchers of information about callers’ locations, but did not affect the ability to make or receive 911 calls.
Mark Archer, Enhanced 911 director, confirmed the attack this morning, after a Department of Homeland Security official in Nashville named the county’s emergency number system as one of the agencies statewide that have been hacked.
The 911 system fell victim to a ransomware attack, a type of malicious software that encrypts the data on a computer and locks its owner out until a ransom is paid for the decryption key.
“There’s been multiple 911 agencies hit, but just a few in Tennessee,” Archer said in an interview Wednesday morning in his office. “Hospitals and government agencies have been hit nationwide.”
In Henry County’s case, the culprit, called the .LOL! virus, was discovered by a 911 dispatcher on the morning of June 8, 2016.
“We got a call from dispatch that the CAD (Computer Aided Dispatch system) was not working right,” Archer said. “It was populating fields in areas that it wasn’t supposed to. It just started acting crazy.”
The virus infected the system’s CAD server, which stores information about a specific house or location; and its mobile server, which allows ambulances, firefighters and police officers access to the 911 mapping system through laptops.
“CAD has 911 calls from years and years of data that is there for the dispatchers to look up,” he said. “For example, if there were domestics there on multiple times, were there guns involved — all of those things would have been lost. It would have been wiped clean.”
A message displayed on the screen from the makers of the virus demanded a payment of $1,000 in order to free access to the important data.
“We contacted our CAD vendor, and they said it was ransomware,” Archer said. “I was taken aback and didn’t believe them. In my twenty-two years, we’ve never had anything like this happen.”
Investigators later discovered the system had been accessed through an old user name and password left behind by a technician who had been working on the system.
The password was apparently discovered by a brute-force attack: a computer program that runs through thousands of combinations until it arrives at the right one.
The password also wasn’t strong enough, which has since been corrected, Archer said.
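Guessing a password thousands of times in a row leaves a distinctive trail in authentication logs, and a stale technician account being hammered from one address is easy to spot if anyone is looking. The following Python script is an added illustration, not code from the original report or from any Henry County or vendor system. It scans a handful of constructed logon records (the line format, the account names, the addresses and the threshold are all assumptions) and flags any source that fails against a single account more than a set number of times inside a short window, plus the tell-tale successful logon that follows such a burst.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, not real log data from Henry County or any
# vendor. The format is an assumption for this example:
#   "<ISO timestamp> <RESULT> user=<account> src=<address>"
SAMPLE_LOG = """\
2016-06-08T02:10:00 FAIL user=dispatch1 src=10.0.5.21
2016-06-08T02:15:00 OK user=dispatch1 src=10.0.5.21
2016-06-08T02:40:00 FAIL user=techsvc src=198.51.100.9
2016-06-08T02:40:01 FAIL user=techsvc src=198.51.100.9
2016-06-08T02:40:02 FAIL user=techsvc src=198.51.100.9
2016-06-08T02:40:03 FAIL user=techsvc src=198.51.100.9
2016-06-08T02:40:04 FAIL user=techsvc src=198.51.100.9
2016-06-08T02:40:05 FAIL user=techsvc src=198.51.100.9
2016-06-08T02:40:07 OK user=techsvc src=198.51.100.9
2016-06-08T03:05:00 OK user=dispatch2 src=10.0.5.22
"""

THRESHOLD = 5                    # failures from one source against one account
WINDOW = timedelta(minutes=10)   # counted inside this sliding window (assumed values)


def parse_line(line):
    """Split one record into (timestamp, result, user, src)."""
    ts, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def find_brute_force(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return alerts found in the log text, in the order they occur.

    Each alert is a dict with the source address, the target account, the
    kind of event ("burst" when failures cross the threshold inside the
    window, "success_after_burst" when a successful logon follows that
    burst) and the timestamp of the triggering record.
    """
    recent = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    bursting = set()              # keys currently at or above the threshold
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = parse_line(line)
        key = (src, user)
        fails = recent[key]
        # Forget failures that have fallen out of the window; a burst that
        # has gone quiet long enough is no longer "active".
        while fails and ts - fails[0] > window:
            fails.popleft()
        if key in bursting and len(fails) < threshold:
            bursting.discard(key)
        if result == "FAIL":
            fails.append(ts)
            if len(fails) >= threshold and key not in bursting:
                bursting.add(key)
                alerts.append({"src": src, "user": user, "kind": "burst",
                               "failures": len(fails), "at": ts})
        elif result == "OK":
            # A success right after a guessing burst is the strongest sign
            # that the guess landed and the account is now in use.
            if key in bursting:
                alerts.append({"src": src, "user": user,
                               "kind": "success_after_burst", "at": ts})
            fails.clear()
            bursting.discard(key)
    return alerts


if __name__ == "__main__":
    for alert in find_brute_force(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the script reports one burst against the `techsvc` account and then the successful logon from the same address two seconds later; the single failure by `dispatch1` followed by a normal logon produces nothing. In a real deployment the same logic would run over Windows Security event 4625/4624 records or the CAD vendor's own logon log, and the alert would also be the cue to check whether the targeted account should still exist at all.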
“This program is spread almost one-hundred percent through .exe files — executable files, which means Microsoft products,” Archer said.
The virus often spreads bundled with, or disguised as, Adobe and Java software update packages.
“If you open it up, it’s over,” Archer said. “There’s nothing you can do to decrypt it other than pay these people money to send a decryption file. It’s either that, or you shut it down and wipe it clean. And that’s what we did.”
Chad Howard, the system’s IT manager, happened to be attending a conference in San Diego at the time, along with Homeland Security officials.
He was able to confer with them on the steps that needed to be taken to eliminate the virus.
“They were very instrumental in helping us to handle the situation correctly,” Archer said. “We also wanted to give them the files on how it came through, that hopefully they would track down the people who were responsible. We’ve never heard any word on whether they’ve made any progress with that.”
Rather than pay the ransom, the 911 staff spent about 30 hours shutting down the infected computers and restoring all of the software and data from backups.
“We had to rush in and start shutting down programs once we got the diagnosis,” Archer said. “We shut down all of our mobile terminals that were in the ambulances and the fire trucks and the police cars.”
The mobile server and CAD server were also shut down, which stopped the virus from spreading any further. The 911 call-handling system itself was never infected, the center’s firewall kept the virus from reaching any other computers, and no 911 calls were lost as a result of the attack.
“It made it hard because, in the field, the mobile terminals were something new, and they were still in a learning mode on how to use them,” Archer said. “The CAD system, on the other hand, is what records everything. It documents everything. So for two days, they had to go to pen and paper until the server was reinstalled with the appropriate CAD software.”
A stranger passing through Henry County who called 911 might have had difficulty, because they might not have been able to tell dispatchers where they were. In the event, every caller was able to supply their own location until the CAD system was restored.
Archer said he didn’t go public with the information at the time because he didn’t want citizens to worry that the 911 center was down — which it never, in fact, was.
“The things that were happening were software programs that are tied to it, but were not the critical point,” he said. “The critical point is that 911 call and talking to that dispatcher and saying I need help. I just didn’t want the citizens to worry. It was handled, and 911 never did go down, so everything was good.”
There’s been no information discovered about who committed the attack. FBI agents who retrieved a copy of the infected hard drive for their investigation believe the hack may have originated in Russia, but no one is certain.
And while no damage was done by the attack, Archer and Howard are trying to tighten their security even more to make sure nothing like it happens again.
“This is becoming an epidemic worldwide,” Archer said. “If I can give any after-the-fact advice, make sure you use strong passwords, you have firewalls, and you have anti-virus and you keep your anti-virus up to date. And keep a backup. The backup is what saved us, or we would have lost tons of information.”