Cyber Incident Victim: Virginia State Corporation Commission
Date: Dec 2020
Location: United States of America
Summary
The Virginia State Corporation Commission was compromised through a version of the SolarWinds Orion platform that contained malicious code; the Commission had used Orion for IT infrastructure monitoring before discontinuing the affected version. While the regulatory body confirmed the breach, the specific impact on its systems and data remained under assessment with state and federal authorities. The incident formed part of a broader espionage campaign targeting numerous government and private entities, including the cybersecurity firms Qualys and Fidelis, where the attackers attempted, but often failed, to exfiltrate data because of segregated test environments or detection measures.
Description
The Virginia State Corporation Commission (SCC), a regulatory body overseeing businesses in Virginia, was confirmed in January 2021 as a target of the SolarWinds cyber espionage campaign. The SCC had used SolarWinds’ Orion IT management platform, which was compromised by malicious code inserted by the attackers in 2020. A spokesperson acknowledged that the SCC had installed the compromised Orion version to monitor its IT infrastructure, but stated it was no longer in use by the time of disclosure. The SCC collaborated with state and federal officials to investigate potential impacts on its systems and data, though no specific details regarding data exfiltration or operational disruption were provided. The incident occurred within the broader context of the SolarWinds attacks, which affected thousands of organizations globally after the threat actors tampered with Orion software updates to distribute the Sunburst malware.

Other confirmed targets included the cybersecurity firms Qualys and Fidelis, both of which reported limited exposure because they had isolated the compromised Orion software in test environments. Qualys stated that its lab environment prevented data exfiltration, while Fidelis noted that infrequent use of the affected machine hindered the attackers’ progression. The attacks, first disclosed in December 2020, involved a multi-stage process in which the Sunburst malware established initial access before a secondary backdoor was deployed for selective data theft. Researcher Erik Hjelmvik identified 23 additional targets by analyzing encoded domain lists from the attackers’ infrastructure, though his findings did not confirm successful breaches. U.S. officials attributed the campaign to Russian actors, an allegation the Kremlin denied. While the SCC’s investigation remained ongoing, no conclusive evidence of data compromise had been publicly released, mirroring the uncertainty surrounding many victims whose Orion installations did not lead to confirmed data loss.
