When multiple computer servers crashed nearly simultaneously on Nov. 2 at Edulog, the Missoula firm says it sought help from a former information technology administrator who had been laid off about a week earlier.
Now, Missoula County authorities allege it was that man, Vladimir Ivanovich Shved, who hacked into the computers in the first place, took the servers down and erased backup servers.
The crash also affected Edulog's sister company, Logisys, which provides software for law enforcement, fire and emergency management services, including the Missoula County Sheriff's Office and the Missoula Police Department.
Shved appeared in District Court on Friday, charged with two counts of unlawful use of a computer. Both are felonies because the value of the property involved exceeded $1,500.
Shved's bail was set at $5,000.
Edulog, which provides software for school bus routing and scheduling, GPS school bus tracking and systems that affect payroll for school districts, says it offered Shved an hourly wage if he would return temporarily to assist in restoring network function.
Shved was one of six employees who had been laid off by Edulog on Oct. 25.
An affidavit filed by Missoula County deputy prosecutor Jason Marks Friday says Shved "made a counter offer and demanded a three- to five-year consulting contract at $100 to $150 per hour in exchange for the work."
Instead, Edulog hired Blackfoot Telecommunications Group. The affidavit says Edulog has paid more than $6,000 to Blackfoot Telecommunications so far to deal with the computer problems created by the alleged hacking.
The Edulog servers crashed at about 9 a.m. on Nov. 2, taking down Internet, email and other essential systems, plus client sites and information access for approximately 200 clients.
"When employees attempted to restore systems from backups," Marks wrote in the charging documents, "they found the backup servers had been erased."
At the time, it was not immediately apparent that the systems had been hacked. Edulog employee Jason Barker was the first to make a connection between Shved at the crashed servers, according to the affidavit.
When Barker checked Schved's former work computer, the documents say, he found log files showing a past history of Secure Shell connections directly to that machine from an Internet Protocol address that occurred both before, and after, Shved had been laid off.
He also found log files showing connections from the IP address to Edulog servers which in turn used a VPN, or virtual private network, to connect with other servers on the company's internal network.
The County Attorney's Office alleges that Shved sent a text message to a former Edulog colleague, Matthew Horvath, the day the servers crashed saying, "Do you know what is going on over there? I have been called 100 times today."
When Horvath told him what was happening, the documents say Shved advised Horvath to do a "normal restart" of a server.
"Had Horvath followed through on that advice, another server would have been erased," Marks wrote.
Edulog systems installation and help desk manager Ryan Reed and his team told authorities most of the damage was done to configuration files, deleting them, altering them or overwriting them in a way that would allow a person who had backup files to easily repair the problem.
"However," the court documents say, "the on-site backups had all been erased."
As employees attempted to make repairs on the morning of Nov. 2, they go on, "it was discovered several of the servers had been erased of data and were running based only on what was in current memory, which would be permanently erased as soon as a server was rebooted, disabling that server even further."
Reed told authorities his team found many other company computers with "malicious" changes - configuration files that were changed or deleted, firewall scripts that were deleted, IP tables that were changed and user tables that were deleted.
The affidavit says the changes were made both on the day Shved was laid off and the morning the servers crashed.
"These changes substantially disabled the ability of Logisys/Edulog to have their computer systems in working order, and also took down many of their clients for approximately five days," the documents state.
They also say Reed knew the changes were malicious because the changes were not consistent with mistakes or normal hardware issues, and they were all made within the same general time frame.
"Some files had their names changed by one character; some had one line of code removed; and some had been overwritten with garbage files filled with binary code," the affidavit said.
It also claims that Shved refused to divulge all of his passwords for the Edulog servers when he was notified he was being laid off, and was subsequently escorted from the building and not allowed to return to his desk or work computer.
Authorities traced the IP address discovered by Barker through an Internet service provider to 2320 Woodcock Drive, which is listed as Shved's home address on both his Montana driver's license and registration papers for his 2006 Acura sedan and 1999 Nissan Pathfinder.
Reporter Vince Devlin can be reached at 1-800-366-7186 or at firstname.lastname@example.org.