Executive Summary
In June 2021, Catalin Dragomir, a Romanian national operating under the alias "inthematrixl," unlawfully accessed the Oregon Department of Emergency Management's network. He extracted personally identifiable information, including names, email addresses, dates of birth, and passport numbers, and sold this data alongside unauthorized network access to potential buyers. Dragomir extended his cybercriminal activities by compromising nearly a dozen other U.S. networks, resulting in cumulative losses exceeding $250,000. Following his arrest in Romania in November 2024 and subsequent extradition to the United States in January 2025, Dragomir pleaded guilty to charges of aggravated identity theft and obtaining information from a protected computer. In May 2026, he was sentenced to 56 months in federal prison and ordered to forfeit approximately 23 Monero (XMR) cryptocurrency, valued at roughly $8,500. This case underscores the persistent threat posed by cybercriminals targeting government infrastructures and the critical need for robust cybersecurity measures to protect sensitive data. The incident also highlights the importance of international cooperation in apprehending and prosecuting cyber offenders.
Why This Matters Now
This incident highlights the ongoing threat of cybercriminals targeting government infrastructures, emphasizing the need for robust cybersecurity measures and international cooperation to protect sensitive data and prosecute offenders.
Attack Path Analysis
In June 2021, Catalin Dragomir gained unauthorized access to a computer within the Oregon Department of Emergency Management's network. He escalated his privileges to obtain administrative access, which allowed him to exfiltrate sensitive personal identifying information. Dragomir then established command and control by maintaining access to the compromised system, which enabled him to sell that access on the dark web, and he provided samples of the stolen information to prospective buyers. The impact of his actions included financial losses of at least $250,000 and the compromise of sensitive government data.
Kill Chain Progression
Initial Compromise
Description
Dragomir gained unauthorized access to a computer within the Oregon Department of Emergency Management's network.
MITRE ATT&CK® Techniques
Valid Accounts
Application Layer Protocol
File and Directory Discovery
Data from Local System
Exfiltration Over Web Service
Acquire Infrastructure
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Change Control Processes
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Direct target of network intrusion with PII theft. Critical infrastructure vulnerability requires enhanced east-west traffic security and zero trust segmentation implementation.
Information Technology/IT
Primary attack vector enabling lateral movement across networks. Must implement multicloud visibility, egress security policies, and threat detection capabilities against intrusions.
Financial Services
High-value PII targets face similar network intrusion risks. Critical need for encrypted traffic protection and compliance with regulatory frameworks identified.
Health Care / Life Sciences
Sensitive patient data exposure mirrors Oregon incident. HIPAA compliance requirements demand encrypted traffic, access controls, and anomaly detection systems implementation.
Sources
- Romanian gets 5 years in prison for hacking Oregon govt network: https://www.bleepingcomputer.com/news/security/romanian-gets-5-years-in-prison-for-hacking-oregon-govt-network/
- Romanian National Sentenced for Selling Access to Networks of Oregon State Government Office and Other U.S. Victims: https://www.justice.gov/usao-or/pr/romanian-national-sentenced-selling-access-networks-oregon-state-government-office-and
- Hacker Who Sold Access to Oregon Emergency Network Gets Prison: https://www.govtech.com/security/hacker-who-sold-access-to-oregon-emergency-network-gets-prison
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Implementing Aviatrix Zero Trust CNSF would likely have constrained the attacker's ability to escalate privileges and exfiltrate sensitive data by enforcing strict segmentation and controlled access within the cloud environment.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access would likely have been limited to a segmented portion of the network, reducing the potential for widespread compromise.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges would likely have been constrained, reducing the risk of obtaining administrative access.
Control: East-West Traffic Security
Mitigation: Potential lateral movement would likely have been restricted, reducing the risk of the attacker accessing additional systems.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to maintain and monetize access would likely have been detected and disrupted, reducing the risk of prolonged unauthorized presence.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts would likely have been identified and blocked, reducing the risk of sensitive information being leaked.
The financial and data loss impact would likely have been mitigated, reducing the overall damage to the organization.
Impact at a Glance
Affected Business Functions
- Emergency Response Coordination
- Disaster Recovery Planning
- Public Safety Communications
Estimated downtime: N/A
Estimated loss: N/A
Personal identifying information of an employee, including name, date of birth, Social Security number, and email address.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict access and limit lateral movement within the network.
- Enhance East-West Traffic Security to monitor and control internal communications, preventing unauthorized data exfiltration.
- Deploy Egress Security & Policy Enforcement to filter outbound traffic and block unauthorized data transfers.
- Utilize Multicloud Visibility & Control to gain comprehensive insights into network activities and detect anomalies.
- Establish Threat Detection & Anomaly Response mechanisms to identify and respond to suspicious behaviors promptly.