
DEQ’s statewide email included ‘dangerous link’ — but it didn’t warn the public

Oregon's Department of Environmental Quality website on April 25, 2025. (April Ehrlich / OPB)

Earlier this month, the Oregon Department of Environmental Quality sent an email to members of the public, media organizations and other state agencies.

A week later, DEQ shut down its networks as it faced a massive cyberattack — and it internally warned staff that a website linked in that statewide email was hacked.

The agency still won’t confirm the cause of the cyberattack that forced it to temporarily shutter many of its regulatory services. But workers who had to work from their phones for about two weeks say they are frustrated by their employer’s response.

OPB spoke with three DEQ employees who asked not to be named to protect their jobs. They said they found personal information about their coworkers available for anyone to download from the dark web. It was contained within files that a ransomware group claimed it stole from the department.

It’s not clear if other state agencies that received DEQ’s press release have become vulnerable to the attack. Gov. Tina Kotek’s office didn’t provide a statement by press time.

On Monday, DEQ spokesperson Lauren Wirtis wouldn’t confirm if any of the agency’s data had been stolen, only that an investigation by Enterprise Information Services — a state agency under the Department of Administrative Services — is ongoing.

Last week, OPB reported that a well-known hacking group called Rhysida had released over a million files the group claimed it had taken from the department. Rhysida’s website indicated it sold a portion of the files, and posted the rest for anyone to download.

The group made those files available on the dark web, a portion of the internet that’s hidden from most major search engines. They appeared to include sensitive information about DEQ employees.

“The state does not support taking claims made off the dark web or unverified sources as fact,” a spokesperson for Oregon’s Enterprise Information Services team said in an email. “The state will share additional information as we have it validated.”

'We've been blindsided by the news'

On April 8, DEQ warned its staff not to click a link in a press release it had sent a week earlier, according to an email obtained by OPB. But DEQ didn’t share the same warning with media organizations, nonprofits or other people who were signed up to receive its news alerts.

In the agency’s warning to staff, DEQ’s information technology department told employees that a link in its press release about Food Waste Prevention Week had been compromised.

“If the link is clicked, it takes you to a hijacked website and asks you to verify that you are human,” the message from DEQ’s IT officer reads. “During this process, it asks you to run a command on your system that downloads malicious content to your computer and could provide outside entities access to DEQ networks.”

The link was intended to take people to a website where they could register for a community event about how to prevent food waste. But that site had been hijacked. The website doesn’t appear to be compromised anymore.

Hijacking websites is a common method used by ransomware groups to spread their malicious software, or malware, and steal data they can later put up for ransom. These groups often infiltrate a small business or community organization to transmit their malware to larger agencies with bigger pocketbooks.

During interviews and email exchanges with OPB, DEQ declined to specify if the hijacked website is what led to the cyberattack that DEQ publicly announced on April 9. “The cyberattack is still under investigation and the cause is not yet confirmed,” spokesperson Wirtis said in an email.

The cyberattack forced the agency to temporarily shutter many of its regulatory services, and employees had to work from their phones until their computers were repaired.

DEQ didn’t tell staff that their personal information was potentially vulnerable in this attack, according to the three DEQ employees who spoke to OPB.

“They lied to us,” one employee said. “They said no information was compromised. We’ve been blindsided by the news.”

Wirtis told OPB that the agency warned its employees that someone claimed to have access to DEQ’s internal data on April 12. That email from DEQ, obtained by OPB, told staff about “someone saying they had access to some account information.”

“Scams are normal in cyberattack incidents, this is not a credible threat,” it reads, adding “DEQ employee data is safe.”

After OPB reported on Rhysida’s data leak claims on Friday, the three DEQ employees looked up files that the hacking group released. They said they recognized some of the folders, as well as their coworkers’ names and information.

Had the agency been more clear, the DEQ employees said, they could have taken earlier measures to protect their personal information, like freezing their credit accounts or signing up for credit protection services.

“We could have protected ourselves,” one employee said. “There’s been no opportunity for that.”

This story comes to you from the Northwest News Network, a collaboration between public media organizations in Oregon and Washington.

April Ehrlich began freelancing for Jefferson Public Radio in the fall of 2016, and then officially joined the team as its Morning Edition Host and a Jefferson Exchange producer in August 2017.