Full Report
The St. George Fire Protection District is suing a Baton Rouge cybersecurity firm after hackers were found to have gained access to the fire district’s network, and were lying in wait for a future attack. In a suit filed on May 23, the fire district is seeking damages for a December 2023 security breach that its contracted cybersecurity firm, General Informatics, allegedly failed to prevent. Hackers in that attack were found to have been “living off the land” inside St. George Fire Protection District’s computer network, meaning they were using legitimate and trusted software tools already built into the network to evade detection and gain access to other trusted networks. According to the lawsuit, the investigating agency found multiple other vulnerabilities within the fire district’s network, including a “note written in plain text which contained the fire district’s administrative credentials for its various accounts and software applications.” Other reported vulnerabilities included the fact that the network’s firewall was not recording logging activity and that the network was not “segmented” to prevent the spread of malware.
Analysis Summary
# Incident Report: St. George Fire Protection District Network Breach
## Executive Summary
The St. George Fire Protection District suffered a major network compromise in December 2023, where hackers utilized "Living off the Land" (LotL) techniques to maintain persistence and prepare for a future ransomware attack. The breach was attributed to compromised credentials from the district’s third-party managed service provider (MSP), General Informatics. The incident resulted in a total network rebuild after investigations revealed critical security failures, including plain-text credential storage and a lack of network segmentation.
## Incident Details
- **Discovery Date:** December 23, 2023 (via Law Enforcement notification)
- **Incident Date:** December 2023 (Active discovery; initial access likely earlier)
- **Affected Organization:** St. George Fire Protection District
- **Sector:** Public Safety / Emergency Services
- **Geography:** St. George, Louisiana, USA
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-December 2023
- **Vector:** Compromised Third-Party Remote Access Credentials
- **Details:** Attackers gained access using compromised credentials for a remote access tool used by the district’s IT contractor, General Informatics.
### Lateral Movement
- Attackers compromised the **Domain Controllers**, allowing them to impersonate any user and gain "gatekeeper" access to the entire network.
### Data Exfiltration/Impact
- **Preparation for Ransomware:** Attackers were "lying in wait," likely preparing to deploy ransomware to lock dispatch and emergency response systems.
- **Supply Chain Risk:** The breach was used as a potential jumping-off point to access other municipal networks (e.g., Computer-Aided Dispatch).
### Detection & Response
- **Discovery:** Law enforcement (ESF-17) notified the district on Dec 23, 2023, after identifying the breach during a separate investigation into a neighboring municipal agency.
- **Response:** Louisiana Emergency Support Function 17 (ESF-17) spent five months auditing the network, leading to a complete hardware and software overhaul.
## Attack Methodology
- **Initial Access:** Valid accounts (Compromised MSP remote access tool).
- **Persistence:** Hijacking legitimate system tools and maintaining access via compromised Domain Controllers.
- **Privilege Escalation:** Domain Controller compromise.
- **Defense Evasion:** "Living off the Land" (LotL) using built-in, trusted Windows software; disabled or non-existent firewall logging.
- **Credential Access:** Plain-text administrative passwords stored in a text file on the network.
- **Discovery:** Identifying trusted connections to other municipal and state agencies.
- **Lateral Movement:** Using administrative credentials and Domain Controller access.
- **Impact:** System rebuild required; imminent threat of ransomware/operational shutdown.
## Impact Assessment
- **Financial:** High; costs associated with rebuilding the entire network and ongoing litigation.
- **Data Breach:** Administrative credentials compromised; potential exposure of municipal data.
- **Operational:** Threat to emergency response and Computer-Aided Dispatch (CAD) systems.
- **Reputational:** Loss of trust in the contracted cybersecurity provider; public disclosure of severe security lapses.
## Indicators of Compromise
- **Network indicators:** Traffic from the compromised remote access tool originating from attacker-controlled addresses (no specific IPs are given in the source).
- **Behavioral indicators:** "Living off the land" behavior (unusual use of legitimate admin tools like PowerShell or WMI); lack of firewall log generation.
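The two behavioral indicators above (abuse of trusted admin tools such as PowerShell or WMI, and a firewall that has gone silent) can both be turned into simple detections. The following is an added example, not code from the report or from any party to the incident; the sample events, hosts and the watch-lists of binaries and command-line flags are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed watch-lists: trusted Windows binaries often abused in LotL activity, and the
# WMI provider host that should rarely be the parent of an interactive admin tool.
LOTL_CHILDREN = {"powershell.exe", "wmic.exe", "cmd.exe", "cscript.exe"}
WMI_PARENTS = {"wmiprvse.exe"}
# Command-line fragments worth a second look: encoded/hidden PowerShell, WMI remote process creation.
SUSPICIOUS_ARGS = re.compile(r"(-enc\w*|-w\s+hidden|/node:)", re.IGNORECASE)

def flag_lotl_events(events):
    """Return (timestamp, host, reason) for process-creation events that look like LotL abuse."""
    hits = []
    for ev in events:
        reasons = []
        if ev["parent"].lower() in WMI_PARENTS and ev["image"].lower() in LOTL_CHILDREN:
            reasons.append("admin tool spawned by WMI provider host")
        if SUSPICIOUS_ARGS.search(ev["cmdline"]):
            reasons.append("suspicious command-line flags")
        if reasons:
            hits.append((ev["ts"], ev["host"], "; ".join(reasons)))
    return hits

def firewall_log_gaps(timestamps, max_gap=timedelta(minutes=30)):
    """Return (last_seen, next_seen) pairs where the firewall produced no log entry for longer
    than max_gap. A firewall that is not logging at all shows up as one open-ended gap."""
    times = sorted(datetime.fromisoformat(t) for t in timestamps)
    return [(a.isoformat(), b.isoformat()) for a, b in zip(times, times[1:]) if b - a > max_gap]

# Constructed sample process-creation events (Sysmon-style fields); not data from the incident.
SAMPLE_EVENTS = [
    {"ts": "2023-12-20T02:14:05", "host": "DC01", "parent": "wmiprvse.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc AAAA"},
    {"ts": "2023-12-20T09:00:12", "host": "WS-07", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"ts": "2023-12-20T02:15:40", "host": "DC01", "parent": "services.exe", "image": "wmic.exe",
     "cmdline": "wmic /node:FS01 process call create cmd.exe"},
]
# Constructed firewall log timestamps with a silent window between 01:20 and 04:05.
SAMPLE_FW_TIMES = ["2023-12-20T01:00:00", "2023-12-20T01:10:00", "2023-12-20T01:20:00",
                   "2023-12-20T04:05:00", "2023-12-20T04:15:00"]

if __name__ == "__main__":
    for ts, host, why in flag_lotl_events(SAMPLE_EVENTS):
        print(f"LOTL  {ts} {host}: {why}")
    for start, end in firewall_log_gaps(SAMPLE_FW_TIMES):
        print(f"FWGAP no firewall logs between {start} and {end}")
```

The benign scheduled inventory script on WS-07 is not flagged, which is the point of keying on parent process and flags rather than on the binary name alone.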
## Response Actions
- **Containment:** System isolation following law enforcement notification.
- **Eradication:** Decommissioning of all compromised servers, switches, and domain controllers.
- **Recovery:** Rebuilding the entire network infrastructure, implementing new firewalls, and establishing a legitimate backup routine.
## Lessons Learned
- **Credential Hygiene:** Storing passwords in plain-text files is a critical failure that can turn a single foothold into immediate, total network compromise.
- **MSP Risk:** An MSP reusing the same credentials across multiple clients creates a "single point of failure" for an entire region.
- **Logging Matters:** A firewall that does not record logs prevents timely detection and forensic analysis.
## Recommendations
- **Implement MFA:** Multi-factor authentication should be mandatory for all remote access tools.
- **Network Segmentation:** Divide the network into zones to prevent "east-west" movement of attackers.
- **Regular Audits:** Conduct independent third-party security audits rather than relying solely on the MSP's assurances.
- **Encrypted Vaults:** Use a managed password vault instead of local text files for administrative credentials.