PALMER — The computer malware that penetrated the safeguards of one of Alaska's largest municipalities last week may have lurked in the Matanuska-Susitna Borough's computer network for more than two months.
The borough is still recovering from the "insidious" attack that clobbered phones, email and online systems and decommissioned some 650 desktop and server computers, officials there said Monday. Many of the disabled computers and multiple outlying offices remained offline.
The same virus hit Valdez, where it shut down all city computers and servers Friday.
Both governments say they didn't store personal credit card information on any of the computers or servers damaged in the cyber attack.
The attack appears to have been "lying dormant and/or undiscovered" within the Mat-Su network since as early as May 3, according to a memo distributed to employees Monday morning.
Some Mat-Su borough phones and email were restored by Monday after staff worked long nights through the weekend to restore systems, IT director Eric Wyatt said. The borough shut down systems last week to limit potential damage, though its website remained operational.
Employees dragged out typewriters. Departments working without computers shifted to pen and paper.
Fire stations and any buildings outside the main borough headquarters in Palmer didn't have phone service Monday, according to public works director Terry Dolan. That was a deterioration since Friday.
The borough sent six-person teams to work on phones at two main fire stations, animal control and capital projects departments as of Monday afternoon, according to public information officer Patty Sullivan. Public works was expected to get a team Tuesday.
Phones went down because the system was rebuilt Sunday night, Sullivan said.
About 100 desktop computers hit by the virus got cleaned up and were expected back on desks by the end of the day, Wyatt said Monday. By the end of the week, another 200 computers for critical systems in finance, tax, and property departments were expected to be restored.
Still, it will probably be three weeks before normal operations are restored, he said.
Mat-Su rebuilt its domain Sunday and redesigned and augmented parts of the network to deal with "this new and emerging threat," according to the memo.
At the borough's landfill near Palmer, computers and phones were still down Monday afternoon. Users got hand-written receipts from staffers doing math without the aid of computers, working with information that would have to be entered into the system later.
Officials urged the public to avoid the landfill if possible.
"We have a manual system in place. We're handwriting tickets," Dolan said. "It's going about as well as can be expected."
Borough officials said they initially feared the loss of a trove of historical information, such as financial documents and property information, because some backup systems were also damaged. But one layer held encrypted data that allowed at least some of the information to be recovered.
An investigation continues into the path the attack took.
At this point, Wyatt said, it appears an employee opened an attachment or clinked on a link that held the malware.
"Even if we find the person initially that was fooled by this phishing attack, this is not finger-pointing whatsoever," he said. "The only people to blame for this is the people that wrote this virus."
Both Mat-Su and Valdez are working with the Federal Bureau of Investigation. An FBI cyber expert in Anchorage wasn't available for comment Monday.
Wyatt said he met early with the Mat-Su school district to warn them and credited the public and roughly 20 entities as the borough worked through the damage done.
The borough IT memo Monday morning described a "multi-pronged, multi-vectored attack" that came not from a single virus but from malware with aspects including a Trojan horse — harmful software that appears legitimate — and at least one external hacker who logged into the borough's network.
The memo, from the borough's IT department, described the malware as an advanced persistent threat and a "Zero-day" attack so new anti-virus software isn't prepared for it.
The malware lays dormant for four to six weeks, and then a "Crypto Locker" component is launched, according to the Mat-Su memo. That's what happened in Valdez too.
The Alaska Municipal League hadn't heard from any other government members with problems. There were no reports of malware problems at University of Alaska, officials there said Monday.
There are no indications the malware infected any state assets, said Shannon Lawson, the state's chief information security officer.
Some organizations are targeted by malware like this, others are just unfortunate, Lawson said.
"These things don't take a lot to be very deadly in terms of damaging and just shutting things down," he said.