
St. Paul Cyberattack 2025: Why the National Guard Was Deployed and How to Protect Your City
When a City Falls Offline: Inside the St. Paul Cyberattack That Triggered a National Guard Response
A City Under Siege
In late July 2025, the city of St. Paul, Minnesota—home to over 300,000 residents—was hit by a deliberate, coordinated cyberattack that overwhelmed its cybersecurity defenses. Within days:
Internal IT systems were taken offline to contain the breach.
Public Wi-Fi, library systems, and online municipal services—including payment portals—went dark.
Crucially, emergency operations like 911 remained functional.
Governor Walz deployed the National Guard’s cyber protection unit—marking Minnesota’s first public deployment of this kind.
What Went Wrong—and Who’s Responsible
A. The Scope and Impact
The attack, identified around July 25, incapacitated city systems by July 27. Mayor Carter officially declared a state of emergency, initiating a full shutdown to protect city infrastructure.
Over the following days, the National Guard’s cyber protection unit and elite cybersecurity firms joined the response—working alongside the FBI.
B. A Ransomware Group Claims Credit
A ransomware gang known as Interlock was later confirmed as responsible for the attack and claimed the theft of 43 GB of city data. The city refused to pay the ransom and launched Operation Secure St. Paul: a full rebuild involving mass password resets for 3,500+ city employees.
Why Your City or Organization Isn't Immune
Municipal systems are high-impact targets: they affect everyday lives, which makes them high-leverage for attackers.
Standard response tools often fall short — St. Paul’s deployment of the National Guard highlights how quickly local capabilities can be overwhelmed.
Response speed matters — St. Paul detected anomalies around July 25 and began system shutdowns almost immediately. That early containment likely prevented broader cascading damage.
Lessons from the Frontlines: What You Need to Know
Here’s how Mike Wright recommends cities and organizations level up their cybersecurity posture to withstand such attacks:
1. Prepare in Advance:
Build and rehearse a digital incident response plan involving local, state, or national cyber resources.
Keep off-site backups that are isolated and regularly tested.
2. Monitor for Anomalies in Real Time:
Deploy network-based “tripwire” systems that trigger automated isolation or alerts.
3. Implement Defense-in-Depth:
Use Zero Trust wherever possible—segment networks, enforce strict access controls.
4. Pre-Position External Support:
Have contracts in place with cybersecurity firms and protocols to request assistance (e.g., from National Guard cyber units) on very short notice.
5. Communicate Proactively:
Inform civilians about service outages in real time.
Maintain transparency—even if services are offline—to protect resident trust.
6. After-Action & Hardening:
Reset credentials.
Recover systems.
Conduct a formal root-cause analysis, then implement the security fixes your systems lack.
Final Takeaway from Mike
When a city like St. Paul falls victim to a cyberattack, it's not about IT budgets—it’s about preparedness. If your town or organization hasn’t tested its cyber playbook with outside partners, it’s already playing catch-up.
Want Help Building Your Cyber Crisis Playbook?
Mike offers strategic advisory services for:
Incident response planning
Simulated cyber drills for municipal teams
Backup and disaster recovery design