Cyber Incident Victim: Dakota Carrier Network
Date:
Apr 2020
Location:
United States of America
Summary
Dakota Carrier Network, a consortium operating a fiber optic network supporting North Dakota's government and public-sector entities, experienced a ransomware attack compromising its internal systems. The Maze ransomware operators published some of the consortium's files on a shaming website to coerce payment, impacting services for state and local governments, educational institutions, libraries, and other critical infrastructure customers relying on its statewide connectivity infrastructure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around April 26, 2020, Dakota Carrier Network (DCN), a consortium of 14 independent broadband providers operating over 40,000 miles of fiber optic infrastructure across North Dakota, suffered a ransomware attack affecting its internal systems. The intrusion was detected early on Sunday morning, though the exact initial attack vector and duration of unauthorized access prior to detection were not disclosed in available reports. DCN’s infrastructure supported STAGEnet, a critical network shared by North Dakota’s state government and approximately 400 public-sector entities, including local governments, K-12 schools, libraries, and the state university system. The attackers deployed Maze ransomware, a variant known for its "double-extortion" tactic involving data theft alongside system encryption. Following the encryption of DCN’s systems, the Maze operators published a portion of the victim’s files on a dedicated leak site, a common strategy to pressure organizations into paying ransoms by threatening further data exposure.
The publication of stolen data confirmed that sensitive information was exfiltrated during the attack, though the specific contents or scope of the compromised data were not detailed in public disclosures. DCN’s status as a backbone provider for STAGEnet raised concerns about potential cascading impacts on government operations, educational services, and public library systems reliant on its network, though no direct disruptions to these external services were explicitly reported. The incident highlighted the operational risks to regional telecommunications providers serving critical public infrastructure, particularly in rural states where such networks consolidate essential services. No information was released regarding ransom demands, payment status, or DCN’s specific technical remediation steps beyond the initial detection. The attackers’ use of a shaming website underscored the evolving tactics of ransomware groups to maximize psychological and reputational leverage against victims beyond technical system compromises.