Oregon’s Department of Environmental Quality recently survived a massive cyber attack. The agency was targeted by hackers who said they stole more than a million files — and who tried to charge DEQ about $2.5 million worth of Bitcoin to get that data back.
OPB environment reporter April Ehrlich has been looking into how state environmental programs – and DEQ workers – have been affected. She joined OPB “All Things Considered” host Crystal Ligori to share what she’s learned.

Crystal Ligori: You reported the hacking group Rhysida has claimed responsibility for this attack. Did they get what they wanted out of it?
April Ehrlich: I don’t think so. DEQ says it did not pay any ransom — something that cyber experts I’ve spoken to say is a good move. Paying a ransom doesn’t mean you’ll actually save your data from being leaked, and it might just end up helping the ransomware group pay for more tools and steal more data from you or others.
So the website for this ransomware group, Rhysida, indicates it sold some of the files in an auction, then made the rest available to download.
Of course, we don’t actually know if Rhysida sold some of the data, or if the files directly came from DEQ’s internal servers. And DEQ won’t confirm whether any data was stolen — not until the state’s administration department finishes its investigation.
Ligori: So what has DEQ told us?
Ehrlich: DEQ says it had to shut down most of its services for multiple days starting on April 8. That was to limit the spread of malware into systems that regulate pollution, waste and water across Oregon. Even now, some of its systems are not entirely back up and running.
Ligori: So does this mean that a ransomware group might potentially have some of my sensitive data from getting my car smog-checked at DEQ?
Ehrlich: I asked that question of DEQ and their spokesperson couldn’t give me a definitive answer.
To explain for anyone outside Portland and Medford: Oregon state law requires drivers in those metro areas to have their cars smog-tested before getting their drivers registration. It’s not clear if that information was stored in DEQ’s servers or with another agency.
Remember that DEQ had to shut down its entire IT system to prevent malware from spreading. That meant people couldn’t get their vehicles smog tested for a few days.
Ligori: Were other services also impacted?
Ehrlich: The attack mostly interrupted DEQ’s regulatory services — like issuing air quality permits or reporting greenhouse gas emissions.
It also interrupted the Clean Fuels Program at a time when businesses were finalizing reports on carbon emissions. This is Oregon’s carbon market where fuel producers can buy and exchange credits. DEQ lost a bunch of data during this time, so it had to ask its regulatory commission on Friday for a one-month extension to meet its quarterly deadline.
Ligori: April, do we know how this ransomware group actually got into DEQ’s IT system?
Ehrlich: We don’t know exactly what happened because, again, state officials are still investigating it.
But we do know that the cyberattack was announced shortly after DEQ warned its staff members not to click a “dangerous link” in a statewide email it sent a week earlier.
That link was supposed to take people to a site where they could register for events about food waste prevention week. But the website, belonging to a small nonprofit, was hijacked. So anyone who clicked that link became vulnerable to a cyberattack. The website is no longer hijacked.
Ligori: Did the compromised website actually impact anyone else?
Ehrlich: The bad link in the press release was shared widely to anyone who gets DEQ’s news alerts — so news organizations, other state departments, the general public. Still, the agency only warned its own staff internally about the infected link.
I’ve asked the governor’s office and DEQ if other state departments are potentially impacted by this — or if they even warned other departments about this. And I haven’t gotten an answer on that.
But a few DEQ employees have reached out to me. They’re upset, to say the least. They told me they recognized some sensitive information among the leaked files — and they say that DEQ did not warn them that their personal information was at risk.
Ligori: April, are there any lessons in what happened with DEQ for the rest of us?
Ehrlich: I think it’s important to know that DEQ isn’t alone in its risk of cyberattacks. We all are.
Cyber experts told me there just isn’t enough attention — or money — being dedicated to shielding critical agencies and resources from increasingly sophisticated attacks. And that just puts all of our information at risk.
This is all happening as the Trump administration is cutting funding that would go toward more cyber tools and training at state and local agencies. So we might actually see more attacks like this across the country in the near future.