Idaho Official Government Website

State of Idaho Cyber Defense Foils Holiday Attack


December 24, 2025 

While most Idahoans were preparing for Christmas celebrations, ITS was hard at work defending against a sophisticated cyberattack. Dubbed Operation Grinch, the attack targeted the state’s Microsoft Office 365 environment in the late hours of Christmas Eve. 

At approximately 11:25 PM MST, ITS detected a password spray attack aimed at 1,751 ICS accounts. The attackers used a botnet of over 1,000 compromised systems and made 3,512 login attempts with common passwords before being stopped. Despite successfully guessing nine passwords, the attackers were unable to gain access thanks to Idaho’s layered security defenses, including multifactor authentication (MFA), advanced firewall capability, and rapid intervention by our team.

Swift action prevented escalation 

ITS immediately locked the affected accounts, blocked all login attempts using identified indicators of compromise, and initiated password resets. This decisive response ensured that no accounts were compromised beyond password guessing.  

Persistent threats, even on holidays 

Operation Grinch serves as a stark reminder: cyber threats do not take holidays. The attack originated from 53 countries, with the highest activity from Italy, the United States, and France. It exploited legacy accounts and demonstrated how attackers leverage global botnets and timing to evade detection. ITS emphasizes that the state remains under persistent attack 24/7, requiring constant vigilance and proactive measures.

Looking ahead 

To strengthen defenses, ITS will continue to enforce password hygiene, eliminate outdated exemptions, and expand MFA and firewall coverage for all accounts and systems. These steps help ensure that Idaho remains resilient against evolving threats. 
