Spokane Tribe of Indians

Incident Command Center

STOI Email Server Attacked by Virus

Updated: Mar 22, 2021

Some of you may have noticed the Spokane Tribal Email Server is down.

After some investigation, we have found that the Spokane Tribe email server was attacked by a zero-day virus created by the group Hafnium. A zero-day virus is an infection so new that there is no protection available. Zero-day viruses do happen often and we have been unaffected in the past; however, this particular attack appears to be highly deliberate, and Microsoft is accusing China of launching the cyber attack. Microsoft based its conclusion on "observed victimology, tactics and procedures". The STOI I.T. Department blocks all internet traffic from certain countries with a known history of cyber attacks, and that list includes China. Although Hafnium is based in China, it conducts its operations primarily from leased virtual private servers in the US, Microsoft said.

Microsoft has been working to push out patches to fix the flaws the virus exploits. The I.T. Department has been implementing these patches as they come out. However, this virus also had a timed deployment associated with it, and it appears the virus was already on the server before the patches were applied. This means the fixes did nothing for us. The time for deployment was set to Friday, March 19, 2021, which is when our server went offline. We have found we are far from being the only company to be knocked offline.

The I.T. Department is currently working to restore the Email Exchange server from the latest backup. This process will take several hours as the amount of data is enormous, at 3TB. We also have MS Exchange Engineers on standby. Some email addresses will need to be rebuilt. The I.T. Department will be reaching out to directors to ascertain which newer addresses will need to be rebuilt.

Update Sunday 3/21/2021 - The latest usable email backup was restored overnight; however, the server itself was compromised. This morning a new server was built. The rest of the day is being spent applying all fixes and patches to bring this new server to a more secure level before it is internet facing. We are hoping to have email accessibility restored either tonight or tomorrow.

Update Monday 03/22/2021 - The movement of data is slow going. We are working to have a temporary fix in place this morning, while the Exchange is restored. We are currently having issues connecting our server to the domain. When the temporary fix is in place, employees will have email access; however, the service may be erratic and slow.

Monday 1:10 p.m. - Trying to get the temporary email running while restoring the email data proved to be too much for the hardware. We will continue the restore of the server without the temporary email service.

The last usable backup we have is February 24, 2021. Here are steps to take to back up your Outlook email data:

  1. Open Exchange Email application (Outlook).

  2. Click on File menu > Open & Export > Import/Export.

  3. The Import & Export wizard will appear; click on Export to a file > Outlook data file (.pst).

  4. Choose the OST folders which contain the required Exchange information and click the Next button.

  5. Browse to the location where you want to save the recovered data, and then click the Finish button.

The messages are exported to the newly created PST. After this, you can copy and import the messages from the PST back to the server-based mailbox.

If you have any questions contact the I.T. Department at 509-458-6567 or 509-458-6557.

