Date: Feb 2025

Location: United States of America

Summary

A cyberattack targeting the Sault Ste. Marie Tribe of Chippewa Indians disrupted tribal computer and phone systems, forcing the temporary closure of five casinos and impacting healthcare services, government operations, and convenience stores. The tribe restored systems without paying a ransom, recovering data with law enforcement guidance, though stolen information is under review for potential identity theft risks. While most operations resumed, some tribal organizations continue recovery efforts. The incident caused significant revenue loss, and the tribe plans to notify affected individuals for credit monitoring. An FBI investigation into the ransomware attack remains active.

Description

On February 9, 2025, a cyberattack targeted the Sault Ste. Marie Tribe of Chippewa Indians’ phone and computer systems, disrupting operations across tribal entities. The incident forced the immediate closure of all five Kewadin Casinos owned and operated by the tribe in Michigan’s Upper Peninsula, located in Sault Ste. Marie, St. Ignace, Manistique, Christmas, and Hessel. Tribal healthcare services, government functions, and businesses were also impaired by the system outages. Four tribal convenience stores co-located with the casinos experienced operational disruptions. The casinos remained shuttered for over two weeks, with Sault Ste. Marie and St. Ignace locations reopening first, followed by the remaining three casinos scheduled to resume operations on March 3, 2025, at noon. Tribal Chairman Austin Lowes confirmed the attack involved ransomware actors attempting to extort payment in exchange for stolen data, though the specific ransom amount was undisclosed.

The tribe restored systems and recovered data without paying the ransom, announcing this decision on February 28, 2025, following consultations with law enforcement and cybersecurity experts. Lowes cited concerns that paying would not guarantee data recovery or prevent its dissemination on dark web platforms. Forensic review revealed hundreds of thousands of compromised documents, prompting the tribe to plan notifications to affected individuals and offers of free credit monitoring services. The attack’s financial impact included direct revenue loss from prolonged casino closures, though broader economic effects on local businesses remained unquantified as of late February. An ongoing FBI investigation into the ransomware incident continued, while the tribe canceled its May 4 Board of Directors meeting due to unresolved recovery efforts. Most tribal operations had resumed near-full functionality by February 28, though some organizations required extended restoration timelines.
