Full Report
WINONA COUNTY, Minn. (WKBT) -- Governor Tim Walz issued an executive order on Tuesday providing emergency assistance to Winona County following a cyberattack that began on Monday, according to a release.

Walz’s office said the attack has continued into Tuesday, disrupting critical systems and digital services, thus impairing the county’s ability to deliver vital emergency and municipal services.

“Cyberattacks are an evolving threat that can strike anywhere, at any time,” stated Walz. “Swift coordination between state and local experts matters in these moments. That's why I am authorizing the National Guard to support Winona County as they work to protect critical systems and maintain essential services.”

County officials are working in coordination with Minnesota Information Technology Services, the Minnesota Bureau of Criminal Apprehension, the League of Minnesota Cities, the Federal Bureau of Investigation, and external cybersecurity experts.
Analysis Summary
# Incident Report: Winona County Critical Systems Disruption
## Executive Summary
Multiple cyberattacks targeted Winona County, Minnesota, starting on Monday, August 11, 2025, and continuing through Tuesday. The incident disrupted critical municipal systems and digital services, leading Governor Tim Walz to issue an executive order for emergency state assistance. The response involved a multi-agency effort, including the deployment of the Minnesota National Guard to maintain essential services and protect infrastructure.
## Incident Details
- **Discovery Date:** Monday, August 11, 2025
- **Incident Date:** Ongoing (Discovered Monday, August 11; Executive Order issued August 12)
- **Affected Organization:** Winona County
- **Sector:** Government / Municipal Services
- **Geography:** Winona County, Minnesota, USA
## Timeline of Events
### Initial Access
- **Date/Time:** Monday, August 11, 2025
- **Vector:** Undisclosed (Details not specified in the public release)
- **Details:** The attack was identified following the disruption of internal digital services.
### Lateral Movement
- **Details:** Not specifically disclosed; however, the attack successfully progressed from initial entry points to impact "critical systems" and "digital services" county-wide.
### Data Exfiltration/Impact
- **Impact:** Significant disruption to the county's ability to deliver vital emergency and municipal services. No specific data exfiltration was confirmed in the initial report, though "critical systems" were compromised.
### Detection & Response
- **How it was discovered:** County officials identified disruptions to digital services on Monday.
- **Response actions taken:**
  - Governor Tim Walz authorized an executive order for emergency assistance.
  - Minnesota National Guard was activated to provide technical support.
  - Coordination established with state and federal agencies (MNIT, BCA, FBI).
## Attack Methodology
- **Initial Access:** Undisclosed
- **Persistence:** Ongoing through Tuesday despite initial mitigation efforts.
- **Privilege Escalation:** Unknown
- **Defense Evasion:** Not disclosed
- **Credential Access:** Unknown
- **Discovery:** Unknown
- **Lateral Movement:** Impacted multiple critical municipal systems.
- **Collection:** Unknown
- **Exfiltration:** Not confirmed.
- **Impact:** Deployment of disruptive measures/malware that impaired municipal and emergency service delivery.
## Impact Assessment
- **Financial:** Unknown; state emergency funds and National Guard resources have been allocated.
- **Data Breach:** Under investigation; volume and type of data compromised are not currently disclosed.
- **Operational:** Critical. Disruption of emergency and municipal services required state intervention.
- **Reputational:** Moderate; public awareness of the vulnerability of county infrastructure.
## Indicators of Compromise
- **Network indicators:** None disclosed in the initial public report.
- **File indicators:** None disclosed.
- **Behavioral indicators:** Sudden loss of access to municipal service dashboards; disruption of digital service availability.
## Response Actions
- **Containment measures:** Isolation of critical systems and engagement with external cybersecurity experts.
- **Eradication steps:** Coordination with Minnesota Information Technology Services (MNIT) and the Bureau of Criminal Apprehension (BCA).
- **Recovery actions:** Activation of the National Guard to support service maintenance and system protection; collaboration with the League of Minnesota Cities.
## Lessons Learned
- **Scalability of Threat:** Local government entities remain high-value targets for attackers looking to disrupt societal infrastructure.
- **Value of Response Frameworks:** Existing state-level coordination protocols allowed for the "swift coordination" and rapid deployment of the National Guard once the scale of the incident was realized.
## Recommendations
- **State-Level Preparedness:** Counties should maintain pre-established communication channels with MNIT and the National Guard Cyber Wing for rapid escalation.
- **Redundancy:** Ensure offline backups and manual workarounds for "vital emergency services" are tested regularly.
- **Segmentation:** Implement strict network segmentation between general municipal digital services and critical emergency infrastructure to prevent lateral movement.