Sen. Mark Warner, D-Va., said Friday that the criminals behind a ransomware attack on Virginia’s legislative agencies had penetrated state computer systems last spring — almost nine months before they prepared to shut down networks critical to the General Assembly session that began last week.
Warner, speaking after a private briefing by the director of the assembly’s automated services division, said the attack was stymied by a state employee who came to work on a Sunday afternoon last month and discovered that “some of the defenses in the system had started to be taken down.”
The Division of Legislative Automated Systems immediately shut down the IT networks for assembly agencies, including the division that drafts bills and resolutions for the legislative session and the Capitol Police.
The agencies were able to resume their work on a backup IT system reserved in the case of an emergency to maintain “continuity of government.”
“It could have been a much nastier circumstance,” said Warner, speaking at the assembly’s temporary home at the Pocahontas Building in Richmond after a briefing by Dave Burhop, the director of the legislature’s IT agency.
The senator, chairman of the Senate Intelligence Committee, pitched the close call as reason to step up investment in cybersecurity and pass federal legislation to ensure that the government knows about ransomware attacks that often are resolved privately by paying criminals what they demand.
“This demonstrates something that is not a Richmond problem — it is a national issue,” he said.
A criminal investigation is underway, led by the Virginia State Police with help from the FBI, to determine who was behind the attack.
Warner, who was in Richmond to attend the inauguration of Glenn Youngkin as governor on Saturday, said “no definitive amount” of ransom was demanded by the attackers and the state declined to follow them “into the Dark Web” of the internet to find out.
He said he has no evidence that any countries such as Russia or China were involved in the Virginia attack, but noted that foreign adversaries like to disrupt government operations in the U.S., including those at the state level.
“These are the kinds of things our adversaries like to mess with,” he said.
Warner said the state discovered at the end of last March that someone had penetrated the system. IT experts thought they had rid the system of malware implanted by the attackers, but they saw evidence this fall that they were wrong.
“They thought they had cleared out the bad guys,” he said, but “the bad guys were still in the system.”
Warner said the legislature’s IT agency is “well, well down the path” of disinfecting the compromised computer systems.
He declined to estimate the cost to the state, but said government would be wise to invest more money up-front to prevent cyberattacks instead of paying for repairs later.
“We’re going to have to up our game,” Warner said.