Russell Township police email cut off for weeks after suspected intrusion flagged in Ohio county network

Russell Township Police Department headquarters in Russell Township, Ohio. (Russell Township Police Department via Facebook)

A suspected cyber incident tied to suspicious network traffic led Geauga County officials to cut off Russell Township Police Department email in September, forcing the agency into manual workarounds for justice-system communications until email service was restored in early November through a new government domain. The department’s IT contractor disputes that the activity showed a compromise. Township, county and ADP officials did not respond to requests for comment.

Russell Township, in Geauga County roughly 20 miles east of Cleveland, had 5,404 residents in the 2020 census.

Geauga County’s Automatic Data Processing (ADP) board, which oversees county IT and cybersecurity, blocked the department’s russellpolice.com domain on Sept. 8 after security tools flagged unusual activity tied to two police-connected endpoints: a mobile data terminal (MDT), the in-car computer used for tasks like running license plates and warrant checks, and a school resource officer laptop, according to ADP board minutes and reporting by the Geauga County Maple Leaf.

County leaders later emphasized in ADP board minutes that the mobile data terminals are effectively operational technology deployed and maintained through the Geauga County Sheriff’s Office, but still connect into county systems through VPN connections and high-privilege credentials, raising concerns about the risk of a compromise spreading beyond the township.

At an Oct. 9 ADP special meeting, officials described an evolving technical picture. ADP minutes say the county was initially told the activity stemmed from an MFA deployment, but later reported DNS lookups associated with Russia and Spain and said the pattern pointed to a potential Microsoft 365 “Direct Send” issue.

ADP leaders said in the Oct. 9 minutes that they moved quickly after a CrowdStrike Falcon alert and captured the activity in the county’s protective tooling. They also said the DNS requests traversed paths connected to Spillman, the law-enforcement records-management system used for reports, records and casework across many agencies, and warned a malicious foothold could have put broader county-connected systems at risk.

Simvay Systems, the police department’s IT contractor, rejected the intrusion characterization. In the Oct. 9 ADP meeting, company representatives said the indicators pointed to a configuration or setup problem rather than a compromise and argued that DNS requests alone do not justify shutting down an entire email domain. They also said they saw no evidence that police email accounts were compromised.

The disruption quickly became operational. Police Chief Tom Swaidner told the ADP board the shutdown hindered routine communications with the sheriff’s office, prosecutor and courts, and said the department did not have full Spillman access from workstations, relying instead on MDT access in the field. He said the loss of email slowed time-sensitive exchanges and forced inconvenient alternatives, including physically delivering information to county partners.

ADP officials said in meeting minutes the block was a standard containment step in a “zero-trust” posture when endpoint telemetry suggests possible compromise on machines associated with a domain. They pressed Russell police and Simvay for a tighter incident-response package: logs pinpointing where the DNS activity originated, evidence the environment was clean, and proof mitigations were completed beyond toggling Direct Send off.

In the Oct. 9 meeting, ADP officials said Direct Send had been disabled two days after the Sept. 8 incident, but said additional mitigation steps were recommended and documentation was incomplete. The board voted to keep the domain block in place until ADP staff were satisfied the risk was mitigated, and cited an “election lockdown” as a reason to avoid lifting controls during the fall election period.

Russell Township records show the department continued working to satisfy ADP’s unblock requirements. At an Oct. 2 trustees meeting, Trustee Chris Hare said the chief would submit an unblock form after clarification, and Swaidner said ADP had already received a Simvay “rundown report” describing what happened and was waiting on the form to be completed properly.

The drawn-out disruption unfolded as Ohio’s mandatory cyber-incident reporting requirements were about to take effect. At a Sept. 4 trustees meeting, township officials discussed who would be responsible for notifying Homeland Security and the state auditor for departments not under ADP’s umbrella, including police and fire. At a Sept. 30 special meeting, trustees adopted cybersecurity policies and designated the board chair as the township’s incident-response lead and reporting designee.

By early November, Russell police reported they had restored operational email communications via a government domain. In the township’s Nov. 6 minutes, Swaidner told trustees the police department’s “.gov domain is operational,” marking the practical recovery point for day-to-day email needs after roughly two months of disruption.

The incident later produced a financial aftershock, with ADP seeking reimbursement from the township for response and investigation costs, reported locally as $5,700, but the core impact for public safety operations was the prolonged loss of trusted email communications into the county’s justice system.

Russell’s experience came during a busy year for Ohio local governments dealing with cyber incidents, with email and court-related systems frequently affected. In May, Liberty Township officials said a ransomware attack disrupted township email and briefly affected phone service. Lorain County officials also curtailed some court operations after what they described as a network security incident knocked systems offline.

By late summer, disruptions spread into broader municipal functions. Middletown halted in-person services after a cybersecurity incident, and West Chester Township officials reported a second cyberattack in two weeks that they said targeted the township’s central email server.

In early fall, Piqua officials said they stopped an attempted attack after a single employee email account was compromised and used to send impersonation messages. Mentor officials said they took hosted servers offline after a cyberattack as they worked to restore integrated systems. That pattern overlapped with Russell Township’s disruption.

More severe incidents followed later in the year. Trumbull County’s recorder’s office suspended e-filings and online searches amid what officials described as a third-party “internet-type breach.” Urbana reported a cyberattack that disrupted city systems while essential services stayed online. Golf Manor reported a ransomware attack that encrypted its network and backups.

County officials described the Sept. 8 Russell episode as a potential breach with indicators linked to Russia and later referenced Russia-and-Spain DNS activity, but no threat actor has been publicly named and the records reviewed do not confirm data theft or ransomware. ADP officials said DNS requests, not data, left the police network during the event.

Joseph Topping

A writer, intelligence analyst, and technology enthusiast passionate about the connection between the digital and physical worlds. His views expressed here do not necessarily reflect those of his employer, and he writes here as an individual.
