Virginia's Legislative Branch Hit With Ransomware AttackGov. Ralph Northam Directs Executive Agency to Support Recovery
The IT unit charged with overseeing the Virginia General Assembly has been hit with a ransomware attack, according to state officials. The incident, first detected late on Sunday, has prevented state lawmakers from accessing a portal for their legislative proposals. The attack reportedly has not affected the commonwealth's executive branch.
Alena Yarmosky, press secretary for Virginia Gov. Ralph Northam, a Democrat, told The Washington Post that the cyberattack has knocked the Division of Legislative Automated Systems, or DLAS, offline; the IT unit handles both technology and legislative information/publication. The governor, Yarmosky said, has been briefed on the incident and has directed executive branch agencies to offer assistance in response.
Following detection, the General Assembly's IT agency reportedly powered off its servers to prevent further spread, the governor's representative told the Post.
Legislators have since been "cut off" from "most of their critical systems," the press secretary said. An unnamed staffer also told the Post that the situation - including assessing the level of compromise - will likely "not be a quick fix."
"Currently the bad guys have most of our critical systems locked up except for LIS [the Legislative Information System on the General Assembly site]," Dave Burhop, director of the legislative IT agency, reportedly told Senate and House delegates on Monday, according to the Richmond Times-Dispatch.
According to the same report, Burhop told House and Senate clerks that "the bad guys have left us a ransom note but details are scant and no amount of ransom has been specified yet." He also reportedly indicated that the agency's backup system "may have been compromised."
Other entities also reportedly affected include the Joint Legislative Audit and Review Commission, a watchdog agency for the Assembly, according to the Richmond, Virginia-based paper.
The Virginia Information Technologies Agency, or VITA, which services the state's executive branch, is reportedly working with DLAS to address the incident, although the IT systems differ across the government branches.
Yarmosky, the governor's spokesperson, did not immediately respond to Information Security Media Group's request for comment.
Other Entities Hit
Officials say the attack also affected the Virginia Law Portal, which provides access to state laws and the state constitution. The website for the Virginia Capitol Police, which resides under the legislative branch, is also down.
Virginia Capitol Police Public Information Officer Joe Macenka tells ISMG that the police force's critical communications systems have not been affected to any extent, allowing it to continue providing essential services.
Administrative staff, Macenka says, do not have access to the voicemail system, which is controlled by DLAS, but he says there is a suitable workaround using cellphones. "Is it an inconvenience? Sure. But we're able to provide law enforcement services," he says.
Virginia has partnered with the cybersecurity firm Mandiant for incident response.
Some 74 state or local governments have been hit by ransomware so far in 2021, Brett Callow, a threat analyst at the firm Emsisoft, told The Associated Press on Tuesday.
Speaking separately with ISMG, Callow says, "Ransomware attacks have impacted almost every level of government, so it's somewhat surprising that it's taken until now for a state legislature to be hit."
The Virginia attack comes just weeks before the General Assembly begins its next session, and the state will inaugurate a new governor, Republican Glenn Youngkin, on Jan. 15, 2022.
Emsisoft's Callow says: "The timing of the attack - right before the start of a new legislative session - is probably random, but there's a chance the actors decided to strike when they believe the legislature would be under pressure to resolve the issue quickly."
Attack Frequency Will Rise
Cybersecurity experts tell ISMG that the latest incident could have long-lasting effects.
"In a year that's been characterized by high-profile ransomware attack[s] … this attack on the [legislative arm] of the Commonwealth of Virginia … is one of the most pivotal," says Neil Jones, a cybersecurity evangelist for the firm Egnyte. "It blocks legislators from drafting and modifying proposed bills during the busiest time of year."
Jones says: "We can also anticipate that cyberattacks will spike between now and the New Year, as attackers realize that IT teams are already stretched thin and will be taking time away from their jobs during the holidays."
Other experts say the timing of the incident - amid mitigation of the Apache Log4j remote code execution vulnerability - will prove particularly taxing.
"Many legislators have deadlines for filing bills and legislative actions, and by attacking the systems being used to generate and file these actions, they could be delayed significantly," says Erich Kron, a former security manager for the U.S. Army’s 2nd Regional Cyber Center.
Kron, currently a security awareness advocate for the firm KnowBe4, says, "Unfortunately, security practitioners are a limited resource, and one that is currently being taxed by the Log4j vulnerability during an already stressful time of year. … We can expect a constant onslaught of attacks to be occurring throughout the holiday season as ransomware gangs and bad actors take advantage of the emotional and physical fatigue caused by the Log4j issue and the season."
Throughout 2021 there has been a meteoric surge in ransomware. In May, an attack on Colonial Pipeline Co. temporarily cut off the fuel supply for much of the East Coast - spurring panic buying among consumers. Other targets have included the world's leading meat supplier, JBS, and remote IT management software vendor Kaseya, in an incident that affected 1,500 downstream organizations.
Just this week, Ultimate Kronos Group, or UKG, a U.S.-based multinational firm that provides workforce management and human resource services, said that its private cloud service fell victim to a ransomware attack. An executive with the company says service restoration could take "several weeks" (see: HR Platform UKG Says Cloud Solutions Hit With Ransomware).