Oregon Department of Environmental Quality shuts down system after cyberattack
Learn More
Oregon's Department of Environmental Quality (DEQ) has been forced to shut down its network systems after experiencing a cyberattack on Wednesday 9th of April 2025.
The Oregon DEQ, which is responsible for regulating the state's air, land, and water quality, initiated emergency protocols following the attack. The incident has disrupted services, including:
- Vehicle inspection stations closed through Friday with uncertainty about Saturday operations
- Complete network shutdown while the agency works to isolate servers
The Oregon DEQ's IT team is collaborating with Enterprise Information Systems, and Microsoft Cybersecurity teams to address the situation.
The agency noted that its environmental data management system, "Your DEQ Online," operates on a separate server and remains available. Officials have not confirmed whether the incident involves ransomware, despite requests for clarification.
The nature of the attack, number of affected individuals, or any exposed data is not disclosed. Oregon DEQ has advised the public to monitor its website and social media pages for updates regarding service restoration.
Update - as of 18th of April 2025, the attack is attributed to the Rhysida ransomware operation. The attackers claim to have compromised more than 2.5 TB of data, contradicting the agency's initial statement that none of its data had been impacted by the incident. The hackers claim the stolen data includes:
- Employee details
- SQL databases
The attackers are demanding a ransom payment of $2.5 million in Bitcoin, threatening to put the stolen data up for sale to a single buyer if the agency fails to pay within one week. The number of affected individuals is still not disclosed.
As of 25th of April 2025, the Rhysida ransomware gang has released over 1.3 million files (approximately 2.4 terabytes of data) it claims to have stolen from the Oregon Department of Environmental Quality (DEQ).
As of 29th of April 2025, evidence suggests the attack may have originated from a compromised link in an official email the agency sent to members of the public, media organizations, and other state agencies. According to internal communications obtained by Oregon Public Broadcasting (OPB), DEQ's IT department warned employees on April 8 that a link in a press release about Food Waste Prevention Week had been hijacked.
The compromised link redirected to a malicious site that prompted visitors to verify they were human, then instructed them to run a command that would download malware to their computer, potentially providing unauthorized access to DEQ networks.
Despite warning its staff internally about the compromised link, DEQ has not issued alerts to external recipients of the email, potentially leaving others vulnerable to the same attack vector. It's not clear whether other state agencies that received the original press release have become vulnerable to the attack.
