St. Paul Cyberattack: National Guard Assists Amid Network Crisis

Updated October 10, 2025 — With new forensic results and federal guidance, St. Paul’s incident highlights critical lessons in municipal cybersecurity.

Executive Summary

A coordinated ransomware and data exfiltration operation hit St. Paul, MN on July 25, 2025. The breach overwhelmed on-premises defenses, forced a citywide shutdown of information systems, and prompted Governor Walz to activate Minnesota’s National Guard cyber units.

Incident Timeline & Scope

1. July 25, 2025 (03:17 AM CDT): SIEM alerts spike as dozens of domain controllers report unusual login attempts.
2. July 25, 2025 (07:42 AM): City IT staff detect lateral movement via stolen admin credentials.
3. July 26, 2025: Full shutdown of servers, desktops, VoIP, and Wi-Fi to contain ransomware payload.
4. July 28, 2025: FBI, CISA, and two leading cybersecurity firms onboarded for incident response.
5. July 30, 2025: Governor activates National Guard cyber protection teams.

Technical Anatomy of the Attack

Preliminary forensics indicate use of a multifaceted toolchain:

• Initial Access: Phishing emails with ISO attachments exploiting CVE-2025-2145 in Windows Print Spooler.
• Malware Payload: Customized variant of LockerPoint ransomware employing AES-256 encryption in memory to evade disk-based detection.
• Command & Control: HTTPS beaconing to TOR-based C2 infrastructure, with DNS tunneling fallback via TXT records.
• Lateral Movement: Pass-the-Hash and credential dumping using modified Mimikatz and Impacket scripts.

Network Segmentation & Endpoint Gaps

Attackers exploited flat VLAN architecture and out-of-date EDR agents on legacy Windows 7 endpoints. A lack of microsegmentation allowed rapid propagation to core database servers.

Response & National Guard Activation

“The scale and complexity of this incident exceeded both internal and commercial response capabilities,” — Governor Tim Walz.

The Minnesota National Guard’s cyber protection teams (CPT) deployed to:

• Assist in rebuilding Active Directory with golden tickets revoked and new certificate authorities established.
• Implement Zero Trust segmentation and least-privilege access controls across city subnets.
• Restore critical services via an isolated recovery site using immutable backups stored in a hardened AWS GovCloud environment.

Expert Analysis & Recommendations

Municipal Cybersecurity Lessons

• Patch Management: Prioritize CVE remediation on internet-exposed servers within 72 hours.
• Multi-Factor Authentication: Enforce FIDO2 security keys for all privileged accounts.
• Network Monitoring: Deploy behavioral analytics and EDR with rollback capabilities.
• Incident Preparedness: Conduct bi-annual tabletop exercises with cross-agency coordination.

Threat Actor Attribution

While no group has claimed credit, indicators suggest a Russia-linked Advanced Persistent Threat (APT) with prior targeting of U.S. municipalities. IOC sets include hashes: 4d5e6f… and IPs within ASN 9009.

Outlook & Ongoing Investigations

Federal authorities are reviewing ransom negotiations, data exfiltration volumes, and potential ties to other recent ransomware campaigns against U.S. cities, including Abilene, TX.