Full Report
The Chelan County Clerk's Office put out an update Tuesday on progress made to recover after the county computer systems suffered a malware attack that caused a systemwide disruption for many services. Computer systems were recently restored after the three-week shutdown that also impacted telephones, employees' computers, email, and servers starting May 24th. The interruption created a backlog of document processing, and County Clerk Marty Young says the staff is busy catching up on the processing of about 6,000 documents.

Sources:
https://www.co.chelan.wa.us/news/article/department-office-updates-on-system-wide-failure
https://www.co.chelan.wa.us/news/article/county-continues-to-make-progress-in-restoring-systems
Analysis Summary
# Incident Report: Chelan County Malware Attack
## Executive Summary
Chelan County, Washington, suffered a systemwide malware attack beginning in late May that disrupted critical government services for approximately three weeks. The incident forced a total shutdown of servers, email, telephones, and employee workstations across multiple departments, including the Clerk's Office. While systems were largely restored by late June, the county continues to manage a significant administrative backlog and restricted service availability.
## Incident Details
- **Discovery Date:** May 24, 2026 (approximate based on shutdown start)
- **Incident Date:** May 24, 2026 – June 22, 2026
- **Affected Organization:** Chelan County Government (specifically the County Clerk's Office)
- **Sector:** Government / Public Sector
- **Geography:** Wenatchee, Washington, USA
## Timeline of Events
### Initial Access
- **Date/Time:** May 24, 2026
- **Vector:** Not publicly disclosed (Article notes "malware attack")
- **Details:** The attack led to an immediate disruption of systemwide services.
### Lateral Movement
- **Details:** Information not disclosed; however, the impact reached across several infrastructure layers including servers, telephones, and individual workstations, indicating a broad spread across the county network.
### Data Exfiltration/Impact
- **Details:** No specific data exfiltration was confirmed in the report. The primary impact was **unavailability**. A backlog of approximately 6,000 legal/administrative documents was created during the outage.
### Detection & Response
- **May 24:** Systems taken offline following the discovery of malware.
- **Early to Mid-June:** Systems remained offline while recovery efforts proceeded.
- **June 22:** Access to state-level document management systems was restored.
- **June 23:** Public announcement of system restoration and ongoing backlog processing.
- **July 1 (Projected):** Resumption of electronic document filings.
## Attack Methodology
*Note: Specific technical details regarding the MITRE ATT&CK chain were not disclosed by county officials.*
- **Initial Access:** Malware (Exact variant unknown).
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Not disclosed.
- **Discovery:** Not disclosed.
- **Lateral Movement:** Not disclosed.
- **Collection:** Not disclosed.
- **Exfiltration:** Not disclosed.
- **Impact:** System Shutdown / Resource Hijacking causing a three-week service outage.
## Impact Assessment
- **Financial:** Not disclosed, but likely significant due to forensic costs, overtime for staff catching up on 6,000 documents, and lost productivity.
- **Data Breach:** None confirmed; primary impact was the loss of integrity/availability of document processing.
- **Operational:** Systemwide disruption including VoIP phones, email, server access, and workstation usability. Passport applications and electronic filings were suspended.
- **Reputational:** Public delay in legal services and administrative functions for nearly a month.
## Indicators of Compromise
- **Network indicators:** Not disclosed. (The county's official site, hxxps[://]www[.]co[.]chelan[.]wa[.]us/, is listed only because it was used to publish recovery updates; it is a legitimate resource, not an attacker indicator.)
- **File indicators:** Not disclosed.
- **Behavioral indicators:** Massive system failure, inability to access document management systems, and loss of telecommunication services.
## Response Actions
- **Containment measures:** Isolation and shutdown of all county computer systems and servers.
- **Eradication steps:** Rebuilding/cleaning servers and workstations over a three-week period.
- **Recovery actions:** Coordination with Washington State to restore access to document management systems; prioritized processing of the 6,000-document backlog; phased reopening of public services (e.g., passports).
## Lessons Learned
- **Dependency Awareness:** The county's heavy reliance on interconnected state document systems meant that even after local restoration, they remained at a standstill until external access was re-granted on June 22nd.
- **Continuity Planning:** A three-week shutdown indicates a need for more robust offline business continuity plans to prevent massive document backlogs.
- **Communication:** Regular updates via the county website were necessary to manage public expectations during the three-week "dark" period.
## Recommendations
- **Implement Multi-Factor Authentication (MFA):** To prevent unauthorized access via compromised credentials.
- **Endpoint Detection and Response (EDR):** Deploying advanced monitoring to catch malware before it can facilitate a systemwide shutdown.
- **Offline Backups:** Ensure data backups are immutable and stored off-network to expedite recovery without paying a ransom (if applicable).
- **Phishing Training:** Conduct regular security awareness training for county employees to mitigate the common entry point for malware.