Romanian Hacker Sentenced to 5 Years for Breaching Oregon Emergency Management Network and Selling Access to U.S. Victims
What Happened — Catalin Dragomir, a 46‑year‑old Romanian, pleaded guilty to aggravated identity theft and unauthorized access after infiltrating the Oregon Department of Emergency Management’s network in June 2021. He sold the compromised foothold and harvested personally identifiable information (names, email addresses, dates of birth, passport numbers) to at least a dozen U.S. buyers, causing losses of > $250 k.
Why It Matters for TPRM —
- Attackers can monetize a single breach by reselling network access, expanding the impact far beyond the original victim.
- State‑level systems often integrate third‑party services; a compromise can cascade to those suppliers.
- Persistent credential abuse underscores the need for continuous privileged‑access monitoring and rapid revocation.
Who Is Affected — State and local government agencies, any third‑party vendors or SaaS providers that connect to the Oregon Emergency Management network, and the downstream organizations that purchased the stolen access.
Recommended Actions — Review contracts and security controls with the Oregon Department of Emergency Management and any linked vendors; enforce MFA and least‑privilege for privileged accounts; implement continuous monitoring and threat‑intel feeds for known actor “inthematrixl”; conduct forensic scans on shared infrastructure to confirm no lingering backdoors.
Technical Notes — The exact intrusion method was not disclosed, but the pattern suggests credential theft or exploitation of unpatched services. No specific CVE was cited. Exfiltrated data included PII such as names, emails, DOBs, and passport numbers. Source: BleepingComputer