When the Pennsylvania Office of Attorney General (OAG) went offline this August, it wasn’t just a technical disruption, it was an operational paralysis. For days, attorneys couldn’t reach witnesses, courts issued stay orders, and critical cases stalled. The office responsible for defending the Commonwealth found itself defending its own networks instead.
The OAG confirmed that a malicious actor infiltrated its systems, encrypting files and attempting extortion. The agency reports that no ransom was paid, but the recovery is ongoing. Email, phone systems, and public websites were impacted. A limited number of individuals were notified of possible data exposure, and the investigation remains active. In short: Pennsylvania’s legal nerve center faced the same playbook we’ve seen deployed against cities, hospitals, and school districts...but with far higher stakes.
What Happened
On August 11, state officials detected unauthorized activity inside the Attorney General’s network. Systems were taken offline immediately to contain the spread. The incident halted nearly all digital operations. Prosecutors lost access to evidence databases, litigation files, and internal communications. The fallout extended beyond the agency: the U.S. District Court for the Middle District of Pennsylvania issued standing orders delaying civil cases because OAG attorneys couldn’t access case materials.
The attack fits the pattern of a ransomware incident, reportedly claimed by the “INC Ransom” group. While their data-theft claims remain unverified, the tactics are familiar — compromise, encrypt, exfiltrate, then pressure with public leaks.
The Attorney General’s Office, to its credit, refused to pay ransom. It’s rebuilding from clean backups, re-establishing services in phases, and coordinating with law enforcement and the Commonwealth’s cybersecurity teams. This response, while disruptive, sends the right signal: public institutions should never negotiate with criminals.
Why This Should Concern Every State and Local Leader
This breach isn’t Pennsylvania’s problem alone; it’s a blueprint for what can happen anywhere that government, law, and data intersect.
The Attorney General’s office sits at the crossroads of public trust. It holds sensitive evidence, consumer data, and active investigations. It connects to courts, law enforcement, and dozens of agencies. When it goes down, the entire ecosystem feels it.
If this can happen to one of the most security-mature offices in the country, it can happen to any of us. Here’s why it matters:
- Justice cannot go offline. Court orders, prosecutions, and statutory deadlines don’t pause because a file server is encrypted. The cost of downtime isn’t measured in dollars; it’s measured in delayed justice.
- The ripple is statewide. Every AG office, district attorney, and court shares dependencies. An outage in one agency can freeze the others.
- Adversaries know your pain points. Attackers target where time pressure is greatest — election offices before voting day, hospitals during crises, AGs mid-case. They rely on urgency to drive ransom payments.
- Public perception matters. Citizens expect the government to be stable. When the justice system goes dark, trust erodes, and confidence in public institutions weakens.
The lesson here isn’t just “improve security.” It’s that resilience is the new measure of readiness. Every CIO, CISO, and state leader should ask: If we went dark tomorrow, how long before we’re back up? And who would we call first?
How Did the Attack Happen?
The Attorney General’s Office has not released technical details, which is standard practice during an active investigation. Based on patterns from similar incidents, we can infer several likely possibilities:
- Credential compromise or phishing. Email remains the easiest and most common entry point. Once one set of credentials is stolen, attackers move laterally across systems.
- Exposed remote access services. RDP, VPN, and contractor portals are often left with weak passwords or misconfigured access controls.
- Third-party or shared system compromise. Justice environments often share systems with partner agencies or vendors — expanding the attack surface beyond their direct control.
- Unpatched systems. Delays in patching legacy case management systems and document servers create open doors for exploitation.
Until forensics are complete, we won’t know the precise chain of compromise. But we know this much: the playbook isn’t new. The tactics are simple, the consequences severe, and the pattern entirely predictable.
What to Look Out for and What to Implement Now
Most agencies already have the right policies on paper. The gap is execution. This is what should be in place today to keep your organization from reliving Pennsylvania’s headlines.
Early warning signs:
- Sudden spikes in privileged account logins
- File servers showing rapid encryption or rename activity
- Endpoint agents disabled or failing to check in
- Large outbound data transfers to unrecognized IP addresses
- Administrative accounts created outside change-control windows
- Suspicious VPN logins outside normal hours or geographies
If your SOC isn’t monitoring for these signals, your agency is blind to its most common early indicators of compromise.
Core Cybersecurity Protections Every Justice or State Agency Must Implement
1. Identity First Security
- Enforce phishing-resistant multi-factor authentication (FIDO2, smartcards, or passkeys).
- Remove standing admin privileges and use just-in-time elevation.
- Monitor for impossible-travel logins and password reuse.
2. Vendor and Third-Party Access Control
- Require brokered access through jump hosts or secure remote gateways.
- Log and record every vendor session.
- Disable vendor accounts when inactive — “temporary” often becomes “permanent.”
3. Backup and Recovery Discipline
- Keep immutable, offline backups — not connected to the network.
- Test restore times quarterly. If you’ve never practiced a live restore, you don’t have a backup; you have a hope.
- Document recovery priorities for mission-critical systems.
4. Endpoint and Email Defense
- Deploy EDR and email security across all users, servers, and endpoints.
- Block executable attachments and enforce content disarm and reconstruction for incoming files.
- Route every alert to a 24×7 monitoring team; ransomware doesn’t wait for business hours.
5. Network Segmentation
- Isolate case management, HR, and legal repositories from user networks.
- Use micro-segmentation where possible to prevent lateral movement.
- Disable or restrict remote protocols (RDP, SMB, WMI) by default.
6. Visibility and Telemetry
- Aggregate all logs — identity, email, network, and endpoint — into a centralized SIEM.
- Retain at least a year of data for investigation and compliance. Compliance such as CJIS may require retention of 7 years.
- Build detection rules for ransomware precursor behaviors, not just the ransom note.
7. Crisis Preparedness
- Conduct ransomware tabletop exercises annually with leadership, communications, and legal teams.
- Draft public statements in advance. Waiting for “perfect information” wastes critical hours.
- Establish your chain of custody for evidence and public records before the crisis hits.
Resilience Is Leadership
The Pennsylvania incident proves that even highly capable agencies can be disrupted. But resilience is built before the breach, not during it.
Public sector leaders have to think differently now: security isn’t an IT problem, it’s an operational continuity problem. The difference between a setback and a shutdown is preparation.
As one state CISO told me recently, “We’re not defending computers; we’re defending courtrooms, classrooms, and communities.” That’s exactly right. The mission is bigger than malware removal. It’s maintaining public trust when adversaries try to erode it.
If you need help defending your ecosystem, reach out to the NuHarbor team.
Don't miss another article. Subscribe to our blog now.
Included Topics
