Full Report
A Romanian national was sentenced this week to 56 months in federal prison for breaking into an Oregon state government computer network and for cyberattacks targeting dozens of other U.S. victims. [...]
Analysis Summary
# Incident Report: Compromise of Oregon State Government Network by Initial Access Broker
## Executive Summary
Romanian national Catalin Dragomir ("inthematrixl") compromised the Oregon Department of Emergency Management (OEM) and dozens of other U.S. entities between 2020 and 2021. Acting as an initial access broker, Dragomir exfiltrated personally identifiable information (PII) and sold network access to third parties. The investigation culminated in his extradition and a 56-month federal prison sentence in May 2026.
## Incident Details
- **Discovery Date:** Approximately June 2021 (active investigation period)
- **Incident Date:** June 2021 (Oregon specific), 2020–2024 (Global activity)
- **Affected Organization:** Oregon Department of Emergency Management (formerly Office of Emergency Management)
- **Sector:** Government / Public Sector
- **Geography:** Oregon, USA; Constanta, Romania (Attacker Origin)
## Timeline of Events
### Initial Access
- **Date/Time:** June 2021
- **Vector:** Unauthorized access to a "protected computer" (the statutory term used in the charges; the specific technical vulnerability or entry method was not disclosed in court documents).
- **Details:** Dragomir gained unauthorized access to a single device within the Oregon OEM network.
### Lateral Movement
- **Details:** The extent of lateral movement within the Oregon network was not fully detailed, but the attacker reached sensitive databases containing federal identity documentation (passport data, etc.).
### Data Exfiltration/Impact
- **Details:** Stole samples of PII to prove network access to potential buyers. Sold unauthorized access credentials for Oregon OEM and approximately a dozen other U.S. victims.
### Detection & Response
- **Detection:** Investigated by the FBI Portland Field Office.
- **Response Actions:**
  - International law enforcement coordination for arrest in November 2024.
  - Extradition to the U.S. in January 2025.
  - Seizure and forfeiture of 23 Monero (XMR).
## Attack Methodology
- **Initial Access:** Targeted compromise of network-connected devices.
- **Persistence:** Not specified, though access was maintained long enough to facilitate a sale.
- **Privilege Escalation:** Accessed files containing highly sensitive PII (passports); the escalation path from the initially compromised device is not described in the public record.
- **Defense Evasion:** Used cryptocurrency (Monero) for payment to obscure the money trail (financial rather than technical evasion; no host- or network-level evasion techniques are documented).
- **Credential Access:** Stole PII including names and passport numbers.
- **Collection:** Scraped databases for "proof of access" samples.
- **Exfiltration:** Transferred PII samples to prospective buyers while operating under the online handle "inthematrixl."
- **Impact:** Financial loss of at least $250,000 across multiple victims; unauthorized sale of government access.
## Impact Assessment
- **Financial:** Total losses estimated at $250,000; forfeiture of ~$8,500 in Monero.
- **Data Breach:** Names, email addresses, dates of birth, and passport numbers.
- **Operational:** Compromise of the integrity of the Department of Emergency Management's systems and the resident data they hold.
- **Reputational:** High-profile compromise of a state agency responsible for emergency coordination.
## Indicators of Compromise
- **Network indicators:** Activity associated with the online handle "inthematrixl."
- **File indicators:** Not disclosed in public sentencing documents.
- **Behavioral indicators:** Unauthorized access to PII databases; outbound traffic to known initial access broker forums/marketplaces.
## Response Actions
- **Containment:** Removal of the unauthorized access point and remediation of the OEM network.
- **Eradication:** Law enforcement neutralized the threat actor through international extradition.
- **Recovery:** Court-ordered forfeiture of assets to the U.S. government.
## Lessons Learned
- **The Rise of Access Brokers:** Individual actors often do not perform the final attack (e.g., ransomware) but provide the "keys" to those who do, making early detection of initial intrusion critical.
- **PII as Marketing:** Attackers use sensitive data samples (like passports) as "proof of work" to attract buyers on the dark web.
- **International Vulnerability:** State-level government networks remain high-value targets for foreign actors due to the sensitivity of stored resident data.
## Recommendations
- **Zero Trust Architecture:** Implement strict access controls to ensure that a compromise of one device does not grant access to sensitive PII/Passport databases.
- **Multi-Factor Authentication (MFA):** Ensure all remote access points to government networks require robust MFA to thwart stolen credential usage.
- **Dark Web Monitoring:** Organizations should monitor for their domains or IP ranges being advertised on initial access broker forums and marketplaces.
- **Vulnerability Management:** Prioritize patching of public-facing government assets to prevent initial entry by opportunistic hackers.