Date: Dec 2021

Location: United States of America

Summary

A ransomware attack significantly disrupted operations at Virginia's legislative IT agency, impacting critical systems including bill drafting, budget management, and voicemail services while also taking down the Capitol Police website. The attackers employed sophisticated malware, accessed systems over a weekend, and left a nonspecific ransom demand. The agency collaborated with the FBI, cybersecurity firm Mandiant—previously engaged after a prior credential breach—and state executive branch IT teams for remediation. Legislative preparations for an imminent session were severely affected, marking the first known ransomware incident targeting a U.S. state legislature. Despite the disruption, essential police communications remained operational, and no executive branch systems were compromised during the ongoing response.

Description

A ransomware attack significantly disrupted operations at Virginia’s Division of Legislative Automated Systems (DLAS) in December 2021, impacting critical legislative functions ahead of the January legislative session. The attack began late on December 10, when hackers deployed "extremely sophisticated malware" to infiltrate DLAS systems, as confirmed by an email from agency official Dave Burhop to legislative leaders. By December 13, a ransom note—lacking specific demands or deadlines—had been delivered. The attack compromised all internal DLAS servers, including those supporting bill drafting, budget development, and the General Assembly’s voicemail system. Senate Clerk Susan Clarke Schaar emphasized the broad operational disruption, stating all bill-related workflows were impaired during peak preparation time. The Division of Capitol Police’s public website also went offline, though its critical communications remained functional. Cybersecurity experts noted this marked the first known ransomware attack against a U.S. state legislature, with Virginia becoming the 74th state or local government targeted in 2021. Analysts observed attackers often time incidents to maximize pressure, suggesting the pre-session timing was deliberate.

In response, Governor Ralph Northam directed executive branch agencies to assist DLAS, though no executive systems were compromised. DLAS collaborated with the FBI, cybersecurity firm Mandiant—retained since a prior summer 2021 credential-based breach—and the Virginia Information Technologies Agency (VITA), despite DLAS operating outside VITA’s jurisdiction. Burhop’s email indicated remediation would be protracted, with no immediate resolution expected. Law enforcement and third-party investigators worked to assess the intrusion’s scope and plan recovery. The agency withheld public details pending further internal discussions, reflecting the sensitivity of ongoing forensic work. Legislative operations faced extended uncertainty, with staff unable to access core systems weeks before the session’s start. Recorded Future analyst Allan Liska and Emsisoft’s Brett Callow underscored the attack’s novelty, highlighting ransomware groups’ expanding focus beyond traditional targets like schools or infrastructure. No ransomware group claimed public responsibility during the initial disclosure period.
