Full Report
Jonathan Greig reports: A 45-year-old Romanian national pleaded guilty this week to hacking into computers at Oregon’s Department of Emergency Management in June 2021 and selling the access he obtained for $3,000 worth of Bitcoin. Catalin Dragomir also hacked into 10 other U.S. companies, causing financial losses of at least $250,000. He was arrested in... Source
Analysis Summary
# Incident Report: Breach and Sale of Access to Oregon Department of Emergency Management
## Executive Summary
Catalin Dragomir, a Romanian national, compromised the Oregon Department of Emergency Management (OEM) and at least 10 other U.S. companies between 2021 and 2024. Dragomir monetized the breaches by selling unauthorized access on the dark web and engaging in identity theft, resulting in over $250,000 in financial losses. Following an international investigation, the subject was extradited to the U.S. and pleaded guilty to federal charges in February 2026.
## Incident Details
- **Discovery Date:** Approximately November 2024 (Law enforcement intervention)
- **Incident Date:** June 2021 (Initial OEM breach) through late 2024
- **Affected Organization:** Oregon Department of Emergency Management (OEM) and 10 undisclosed U.S. companies
- **Sector:** Government / Public Safety / Private Sector
- **Geography:** Oregon, USA (Target); Romania (Attacker Origin)
## Timeline of Events
### Initial Access
- **Date/Time:** June 2021
- **Vector:** Unauthorized hacking into protected computers.
- **Details:** Dragomir successfully bypassed security measures to gain entry into the Oregon OEM computer network.
### Lateral Movement
- **Details:** Specific lateral movement techniques were not detailed in the report; the attacker secured a foothold sufficient to maintain access for resale and used stolen information to target additional U.S. entities.
### Data Exfiltration/Impact
- **Details:** Access to the OEM network was sold for approximately $3,000 in Bitcoin. Additionally, the attacker committed aggravated identity theft using stolen personal information.
### Detection & Response
- **Discovery:** Law enforcement investigation and international cooperation.
- **Response Actions:** In November 2024, the suspect was arrested in Romania; he was subsequently extradited to the U.S. to face prosecution in 2025.
## Attack Methodology
- **Initial Access:** Exploitation of protected computer systems (specific vulnerability not disclosed).
- **Persistence:** Maintained access for the purpose of brokering "Access-as-a-Service."
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Use of cryptocurrency (Bitcoin) for financial transactions to obscure the money trail.
- **Credential Access:** Stole personally identifiable information (PII) to facilitate identity theft.
- **Discovery:** Internal network reconnaissance of the OEM and 10 corporate targets.
- **Lateral Movement:** Not disclosed.
- **Collection:** Gathering of sensitive credentials and system access points.
- **Exfiltration:** Transfer of stolen access credentials to dark web forums.
- **Impact:** Financial loss and compromise of government infrastructure; use of stolen identities.
## Impact Assessment
- **Financial:** At least $250,000 in total losses across all victims; $3,000 in direct illicit profit from the Oregon OEM sale.
- **Data Breach:** Compromise of protected government systems and individual identities.
- **Operational:** Potential disruption to emergency management infrastructure.
- **Reputational:** Public concern regarding the security of critical state-level emergency response systems.
## Indicators of Compromise
- **Network indicators:** Connections to known dark web marketplaces or Initial Access Broker (IAB) forums.
- **File indicators:** Not disclosed.
- **Behavioral indicators:** Creation of unauthorized accounts; unusual Bitcoin transactions linked to identity theft activities.
## Response Actions
- **Containment measures:** Law enforcement seizure of digital assets and accounts.
- **Eradication steps:** System remediation at the Oregon OEM (post-incident).
- **Recovery actions:** Extradition and legal prosecution of the perpetrator.
## Lessons Learned
- **The IAB Threat:** Initial Access Brokers (IABs) remain a significant threat to government sectors, as they provide affordable entry points for more destructive actors (e.g., ransomware groups).
- **Identity Theft Linkage:** System breaches often lead directly to aggravated identity theft, expanding the damage beyond the primary organization to its employees or constituents.
- **Global Reach:** Threats to local U.S. state agencies often originate from international jurisdictions, requiring robust federal and international law enforcement cooperation.
## Recommendations
- **Implement Multi-Factor Authentication (MFA):** Ensure all remote access points to government networks require hardware-based or push-notification MFA to prevent the sale of simple credential-based access.
- **Monitor for Stolen Credentials:** Utilize dark web monitoring services to identify if organizational credentials or system access are being advertised on underground forums.
- **Principle of Least Privilege:** Limit the impact of a breach by ensuring that even if one segment of the network is compromised, the attacker cannot pivot to sensitive identity data.
- **Incident Response Training:** Regularly update IR plans to include procedures for dealing with "sold access" where the attacker may no longer be present, but a buyer is.