Virginia legislature hit by ransomware attack



Governor Ralph Northam instructs executive agency to support recovery

Dan Gunderman (dangun127) • December 14, 2021

Virginia Governor Ralph Northam, who has been briefed on a ransomware attack affecting the Commonwealth Assembly (Photo: Virginia DOT via Flickr)

The IT unit overseeing the Virginia General Assembly has been the victim of a ransomware attack, state officials say. The incident, first detected on Sunday evening, prevented state lawmakers from accessing a portal for their legislative proposals. The attack reportedly did not affect the executive branch of the Commonwealth.


Alena Yarmosky, press secretary to Virginia Governor Ralph Northam, a Democrat, told the Washington Post that the cyberattack took the Division of Legislative Automated Systems, or DLAS, offline; the IT unit handles both technology and legislative information and publication. The governor, Yarmosky said, has been made aware of the incident and has asked executive agencies to offer assistance in response.

After the detection, the General Assembly’s IT agency reportedly shut down its servers to prevent further spread, the governor’s representative told the Post.

Lawmakers have since been “cut off” from “most of their critical systems,” the press secretary said. An anonymous staff member also told the Post that the situation – including the assessment of the level of compromise – would likely “not be a quick fix.”

“Right now the bad guys have most of our critical systems locked down, with the exception of LIS [the Legislative Information System on the General Assembly site],” Dave Burhop, director of the legislative computer agency, reportedly told Senate and House delegates on Monday, according to the Richmond Times-Dispatch.

According to the same report, Burhop told House and Senate clerks that “the bad guys have left us with a ransom note, but details are scarce and no ransom amount has yet been specified.” He also reportedly indicated that the agency’s backup system “may have been compromised”.

Other entities were also reportedly affected, including the Joint Legislative Audit and Review Commission, an assembly oversight agency, according to the Richmond, Virginia-based newspaper.

The Virginia Information Technology Agency, or VITA, which serves the executive branch of the state, is said to be working with DLAS to resolve the incident, although computer systems differ from one branch of government to another.

Yarmosky, the governor’s spokesperson, did not immediately respond to Information Security Media Group’s request for comment.

Other affected entities

Officials say the attack also affected the Virginia Law Portal, which provides access to state laws and the state constitution. The Virginia Capitol Police website, which reports to the legislature, is also down.

Virginia Capitol Police Public Information Officer Joe Macenka told ISMG that the police’s critical communications systems were not affected in any way, allowing them to continue to provide essential services.

Administrative staff, Macenka says, do not have access to the voicemail system, which is controlled by DLAS, but there is a suitable workaround using cell phones. “Is this a disadvantage? Sure. But we are able to provide law enforcement services,” he said.

Virginia has partnered with cybersecurity firm Mandiant for incident response.

So far, 74 state or local governments have been affected by ransomware in 2021, Emsisoft threat analyst Brett Callow told The Associated Press on Tuesday.

Speaking separately with ISMG, Callow said: “Ransomware attacks have impacted almost every level of government, so it’s somewhat surprising that it has taken this long for a state legislature to be affected.”

The attack on Virginia comes just weeks before the start of the next session of the General Assembly, and the state will inaugurate a new governor, Republican Glenn Youngkin, on January 15, 2022.

Emsisoft’s Callow said: “The timing of the attack – just before the start of a new legislative session – is probably hit or miss, but there’s a chance the actors decided to strike when they think the legislature would be under pressure to resolve the issue quickly.”


The attack frequency will increase

Cybersecurity experts told ISMG that the latest incident could have lasting effects.

“In a year characterized by high-profile ransomware attack[s] … this attack on the [legislative arm] of the Commonwealth of Virginia … is one of the most crucial,” says Neil Jones, a cybersecurity evangelist for the Egnyte Corporation. “This prevents lawmakers from drafting and amending bills during the busiest time of the year.”

Jones says, “We can also anticipate that cyber attacks will increase in the new year, as attackers realize that IT teams are already overworked and will take time off work during the holidays.”

Other experts say the timing of the incident – amid the mitigation of the Apache Log4j remote code execution vulnerability – will prove particularly trying.

“Many lawmakers have deadlines for tabling bills and legislative actions, and by attacking the systems used to generate and file these actions, they could be significantly delayed,” said Erich Kron, former security officer of the US Army 2nd Regional Cyber Security Center.

Kron, currently a security awareness advocate for KnowBe4, says, “Unfortunately, security practitioners are a finite resource, and a resource currently taxed by the Log4j vulnerability during an already stressful time of year. … We can expect a constant attack. Attacks occur throughout the holiday season as ransomware gangs and bad actors take advantage of the emotional and physical fatigue caused by the Log4j issue and the season.”

Ransomware activity

Throughout 2021, there has been a meteoric rise in ransomware. In May, an attack on Colonial Pipeline Co. temporarily cut off fuel supplies to much of the East Coast, causing consumer panic. Other targets include the world’s leading meat supplier, JBS, and remote IT management software provider Kaseya, in an incident that affected 1,500 downstream organizations.

Just this week, Ultimate Kronos Group, or UKG, a US-based multinational company that provides workforce and human resource management services, said its private cloud service was the victim of a ransomware attack. A company executive said it could take “several weeks” to restore service (see: HR UKG Platform Says Cloud Solutions Hit With Ransomware).

