Full Report
On October 15, 2025, Jewett-Cameron Trading Co. Ltd. (the "Company") learned that a threat actor had gained unauthorized access to portions of the Company's information technology ("IT") environment and claimed to have unlawfully accessed certain Company information and data. The Company immediately activated its cyber incident response process to contain the intrusion, assess and investigate the incident and implement remedial measures. The Company also immediately notified law enforcement and retained external cybersecurity experts to assist. Based on its investigation to date, the Company believes that the cybersecurity incident consisted of unauthorized access and deployment of encryption and monitoring software by a third party to a portion of the Company's internal corporate IT systems. The incident caused disruptions and limitation of access to portions of the Company's business applications supporting aspects of the Company's operations and corporate functions, which the Company voluntarily took offline as a precautionary measure. Based on the information reviewed to date, the Company believes the unauthorized activity has been contained and is working diligently to bring the impacted portions of its IT systems and individual computer devices back online.
Analysis Summary
# Incident Report: Jewett-Cameron Trading Co. Unauthorized Access and Encryption Incident
## Executive Summary
On October 15, 2025, Jewett-Cameron Trading Co. Ltd. discovered unauthorized access to its IT environment, where a threat actor deployed encryption and monitoring software. This incident caused operational disruptions as the company proactively took systems offline. The unauthorized activity has reportedly been contained, and the company is working to restore systems while working with law enforcement and external experts to investigate the full scope of data exfiltration, which included meeting images and financial preparation data.
## Incident Details
- Discovery Date: October 15, 2025
- Incident Date: Unknown (Prior to October 15, 2025)
- Affected Organization: Jewett-Cameron Trading Co. Ltd.
- Sector: Manufacturing and Distribution (Pet, Fencing, and Industrial Wood Products)
- Geography: Headquarters in North Plains, Oregon (Operations across North America and globally)
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown, prior to discovery on October 15, 2025.
- **Vector:** Unauthorized access to IT environment.
- **Details:** The threat actor gained unauthorized access leading to the deployment of encryption and monitoring software.
### Lateral Movement
- **Details:** The exact lateral movement is not detailed, but the activity impacted a "portion of the Company's internal corporate IT systems."
### Data Exfiltration/Impact
- **Date/Time:** Post-access, prior to or during containment.
- **Details:** The threat actor claimed to have unlawfully accessed and exfiltrated certain Company information, specifically identifying **images of video meetings and computer screens** that may contain sensitive Company information. Financial information being prepared for the upcoming 10-K filing was also exfiltrated. Threat actors demanded a monetary payment.
### Detection & Response
- **Date/Time (Detection):** October 15, 2025.
- **Date/Time (Disclosure):** October 21, 2025 (via 8-K filing).
- **Response actions taken:**
- Activated cyber incident response process.
- Notified law enforcement.
- Retained external cybersecurity experts.
- Voluntarily took impacted business applications offline as a precautionary measure.
- Closed off the point of unlawful access.
- Bolstered cyber defensive capabilities.
## Attack Methodology
- **Initial Access:** Unauthorized access (Specific method unknown).
- **Persistence:** Deployment of monitoring software (Implies an effort to maintain presence).
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified, but successful in deploying software.
- **Credential Access:** Not specified.
- **Discovery:** Implied through monitoring software and subsequent collection.
- **Lateral Movement:** Impacted "a portion of the Company's internal corporate IT systems."
- **Collection:** Exfiltration of video meeting images, computer screen images, and financial data related to 10-K preparation.
- **Exfiltration:** Data was unlawfully exfiltrated.
- **Impact:**
- **Encryption:** Deployment of encryption software.
- **Disruption:** Caused disruptions and limitations to business applications, forcing precautionary shutdowns.
- **Extortion:** Threat actors demanded a monetary payment.
## Impact Assessment
- **Financial:** Potential material impact on Q1 fiscal 2026 financial results due to operational downtime. Costs associated with response activities are expected to be largely covered by cyber insurance.
- **Data Breach:** **Confirmed exfiltration** of video meeting images, screen images, and internal financial analysis data for the 10-K filing. **No current evidence** suggests compromise of PII (employees, customers, suppliers). Full extent remains under investigation.
- **Operational:** Caused disruptions and limitations of access to business applications supporting operations and corporate functions, leading to voluntary system shutdowns. The company is working to restore full operational capability shortly.
- **Reputational:** Public disclosure via an SEC 8-K filing.
## Indicators of Compromise
*(The provided text does not contain explicit, defanged IOCs like file hashes or specific IP addresses. The following are behavioral indicators derived from the report):*
- **Behavioral indicators:**
- Unauthorized deployment of encryption software on internal corporate IT systems.
- Deployment of monitoring software on internal corporate IT systems.
- Threat actor extortion attempt following data exfiltration.
## Response Actions
- **Containment measures:** Closing off the point of unlawful access. The company believes unauthorized activity has been contained.
- **Eradication steps:** Not explicitly detailed, but implied through system offline procedures and technical remediation.
- **Recovery actions:** Working diligently to bring impacted systems and individual computer devices back online in a "thoughtful and methodical manner."
## Lessons Learned
- The deployment of encryption and monitoring software suggests a sophisticated attack that impacted core systems controlling both operations and sensitive, non-public preparatory data (SEC filings).
- The company's immediate activation of its response plan allowed for swift engagement with law enforcement and experts.
- Critical preparatory data (10-K data) may be vulnerable to theft and associated with high-stakes extortion attempts.
## Recommendations
- Prioritize hardening of systems being used for sensitive compliance reporting (e.g., 10-K preparation) against unauthorized access and monitoring deployment.
- Review and test incident response playbooks, specifically procedures for managing system downtime and media/screen capture monitoring.
- Conduct a thorough forensic analysis to definitively determine the initial access vector and specific lateral movement techniques used by the threat actor.