Full Report
Vehicle inspections and other services have been disrupted in Oregon after a cyberattack on the state Department of Environmental Quality (DEQ).
Analysis Summary
# Incident Report: Oregon DEQ Network Shutdown Following Cyberattack
## Executive Summary
The Oregon Department of Environmental Quality (DEQ) was forced to shut down its entire network on Wednesday after suffering a cyberattack. This incident led to the suspension of services, specifically closing vehicle inspection stations through Friday, as the agency worked to contain and eradicate the threat. While the specific nature of the attack (e.g., ransomware) was not confirmed by the DEQ, the response involved isolating servers and engaging internal cybersecurity, IT, and Microsoft teams.
## Incident Details
- Discovery Date: Wednesday (Implied, as systems were shut down that day)
- Incident Date: Wednesday, April 9th or 10th, 2025
- Affected Organization: Oregon Department of Environmental Quality (DEQ)
- Sector: Government / Environmental Regulation
- Geography: Oregon, USA
## Timeline of Events
### Initial Access
- Date/Time: Unknown (Attack occurred prior to Wednesday shutdown)
- Vector: Not disclosed; the report describes no explicit initial-access vector.
- Details: The attack necessitated a full network shutdown on Wednesday.
### Lateral Movement
- Details: Details on lateral movement were not disclosed in the report.
### Data Exfiltration/Impact
- Details: The impact involved the complete shutdown of the DEQ network systems and computers, forcing the closure of vehicle inspection stations through Friday. DEQ Online, the environmental data management system, was reportedly on a separate server and remained available. The possibility of data exfiltration or ransomware was not confirmed.
### Detection & Response
- Date/Time: Wednesday evening (when the agency issued its update).
- Details: The agency shut down servers and the network to isolate the environment. Oregon DEQ's IT, Enterprise Information Systems, and Microsoft Cybersecurity teams were engaged in containment and eradication efforts.
## Attack Methodology
*Note: Specific TTPs were not provided in the source material, hence the remaining fields are marked as **Not Disclosed** based on available information.*
- Initial Access: Not Disclosed
- Persistence: Not Disclosed
- Privilege Escalation: Not Disclosed
- Defense Evasion: Not Disclosed
- Credential Access: Not Disclosed
- Discovery: Not Disclosed
- Lateral Movement: Not Disclosed
- Collection: Not Disclosed
- Exfiltration: Not Disclosed (Investigation pending confirmation)
- Impact: Network outage, disruption of vehicle inspection services.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Unconfirmed, but the agency is working toward containment/eradication, suggesting potential access to sensitive data.
- Operational: Vehicle inspection stations were closed through Friday; core network systems and computers were non-operational; environmental data management system (DEQ Online) remained operational on a separate server.
- Reputational: Public reliance on state environmental and vehicle services was disrupted, requiring public updates via website and social media.
## Indicators of Compromise
- Network indicators: Not Disclosed.
- File indicators: Not Disclosed.
- Behavioral indicators: None attributed to the attacker were disclosed; the only observable behaviors reported were the agency's own network isolation and system shutdown following the compromise.
## Response Actions
- Containment measures: Immediate isolation of servers and the entire network environment.
- Eradication steps: Ongoing efforts by internal IT, Enterprise Information Systems, and Microsoft Cybersecurity teams.
- Recovery actions: Systems will remain offline until the attack is "totally contained and potentially eradicated." Updates promised for vehicle inspection station status on Saturday.
## Lessons Learned
- Critical services (like vehicle inspection stations) can be severely hampered by comprehensive network compromise, necessitating immediate service suspension.
- The organization relies on external partners (Microsoft Cybersecurity teams) for incident resolution against significant threats.
- Segmenting critical services (like DEQ Online) onto separate servers can improve resilience for specific functions during a wider network compromise.
## Recommendations
- Review and enhance network segmentation, particularly isolating services critical to public operations from the primary administrative/IT network.
- Conduct a forensic investigation to definitively confirm the initial access vector and determine if data exfiltration occurred.
- Ensure all critical response teams, including third-party contractors, have clearly defined runbooks for network downtime scenarios.