Pennsylvania AG Office Ransomware Attack Causes Two-Week Service Outage
Summary
The Pennsylvania Attorney General's Office experienced a ransomware attack that led to a three-week service outage. The attack encrypted files to extort payment, but the office refused to pay. The outage affected public services, including the website, email, and phone lines. The investigation is ongoing, and no ransomware group has claimed responsibility. The attack began on August 11, 2025, and the office has been working to restore services. The impact on criminal prosecutions, investigations, and civil proceedings is expected to be minimal. The possibility of data exfiltration is under investigation, and affected individuals will be notified if data was stolen.
Timeline
- 03.09.2025 14:29 | 1 article
  Pennsylvania AG Office confirms three-week outage and service restoration progress
  The Pennsylvania Attorney General's Office confirmed that the ransomware attack caused a three-week outage, longer than initially reported. The office detailed the gradual restoration of services, including partial website access by August 14 and email access by August 18. Phone lines were restored after a week. The office's divisions operated using alternate channels during the outage. The outage has prompted modifications to the office's routines, but the impact on legal proceedings is expected to be minimal. The investigation into the attack and the possibility of data exfiltration continues.
  Sources:
  - Pennsylvania Attorney General Confirms Ransomware Behind Weeks-Long Outage | www.securityweek.com | 03.09.2025 14:29
- 02.09.2025 16:20 | 1 article
  Pennsylvania AG Office confirms ransomware attack behind two-week service outage
  The Pennsylvania Attorney General's Office announced that a ransomware attack caused a two-week service outage. The attack encrypted files to extort payment, but the office refused to pay. The outage affected public services, including the website, email, and phone lines. The investigation is ongoing, and no ransomware group has claimed responsibility. The impact on criminal prosecutions, investigations, and civil proceedings is expected to be minimal. The possibility of data exfiltration is under investigation, and affected individuals will be notified if data was stolen.
  Sources:
  - Pennsylvania AG Office says ransomware attack behind recent outage | www.bleepingcomputer.com | 02.09.2025 16:20
Information Snippets
- The Pennsylvania Attorney General's Office was hit by a ransomware attack on August 11, 2025.
  First reported: 02.09.2025 16:20 | 2 sources, 2 articles
  Sources:
  - Pennsylvania AG Office says ransomware attack behind recent outage | www.bleepingcomputer.com | 02.09.2025 16:20
  - Pennsylvania Attorney General Confirms Ransomware Behind Weeks-Long Outage | www.securityweek.com | 03.09.2025 14:29
- The attack encrypted files, causing a two-week service outage.
  First reported: 02.09.2025 16:20 | 2 sources, 2 articles
  Sources:
  - Pennsylvania AG Office says ransomware attack behind recent outage | www.bleepingcomputer.com | 02.09.2025 16:20
  - Pennsylvania Attorney General Confirms Ransomware Behind Weeks-Long Outage | www.securityweek.com | 03.09.2025 14:29
- The office refused to pay the ransom demanded by the attackers.
  First reported: 02.09.2025 16:20 | 2 sources, 2 articles
  Sources:
  - Pennsylvania AG Office says ransomware attack behind recent outage | www.bleepingcomputer.com | 02.09.2025 16:20
  - Pennsylvania Attorney General Confirms Ransomware Behind Weeks-Long Outage | www.securityweek.com | 03.09.2025 14:29
- The outage affected the public website, email accounts, and landline phones.
  First reported: 02.09.2025 16:20 | 2 sources, 2 articles
  Sources:
  - Pennsylvania AG Office says ransomware attack behind recent outage | www.bleepingcomputer.com | 02.09.2025 16:20
  - Pennsylvania Attorney General Confirms Ransomware Behind Weeks-Long Outage | www.securityweek.com | 03.09.2025 14:29
- The investigation is ongoing, involving multiple agencies.
  First reported: 02.09.2025 16:20 | 2 sources, 2 articles
  Sources:
  - Pennsylvania AG Office says ransomware attack behind recent outage | www.bleepingcomputer.com | 02.09.2025 16:20
  - Pennsylvania Attorney General Confirms Ransomware Behind Weeks-Long Outage | www.securityweek.com | 03.09.2025 14:29
- The office is working to restore services through alternate channels.
  First reported: 02.09.2025 16:20 | 2 sources, 2 articles
  Sources:
  - Pennsylvania AG Office says ransomware attack behind recent outage | www.bleepingcomputer.com | 02.09.2025 16:20
  - Pennsylvania Attorney General Confirms Ransomware Behind Weeks-Long Outage | www.securityweek.com | 03.09.2025 14:29
- Courts have issued time extensions for criminal and civil cases due to the outage.
  First reported: 02.09.2025 16:20 | 1 source, 1 article
  Sources:
  - Pennsylvania AG Office says ransomware attack behind recent outage | www.bleepingcomputer.com | 02.09.2025 16:20
- The impact on criminal prosecutions, investigations, and civil proceedings is expected to be minimal.
  First reported: 02.09.2025 16:20 | 2 sources, 2 articles
  Sources:
  - Pennsylvania AG Office says ransomware attack behind recent outage | www.bleepingcomputer.com | 02.09.2025 16:20
  - Pennsylvania Attorney General Confirms Ransomware Behind Weeks-Long Outage | www.securityweek.com | 03.09.2025 14:29
- The possibility of data exfiltration is under investigation.
  First reported: 02.09.2025 16:20 | 1 source, 1 article
  Sources:
  - Pennsylvania AG Office says ransomware attack behind recent outage | www.bleepingcomputer.com | 02.09.2025 16:20
- No ransomware group has publicly claimed responsibility for the attack.
  First reported: 02.09.2025 16:20 | 2 sources, 2 articles
  Sources:
  - Pennsylvania AG Office says ransomware attack behind recent outage | www.bleepingcomputer.com | 02.09.2025 16:20
  - Pennsylvania Attorney General Confirms Ransomware Behind Weeks-Long Outage | www.securityweek.com | 03.09.2025 14:29
Similar Happenings
Bridgestone Americas manufacturing facilities impacted by cyberattack
Bridgestone Americas, the North American arm of Bridgestone, is investigating a cyberattack affecting multiple manufacturing facilities in North America. The incident impacted operations in Aiken County, South Carolina, and Joliette, Quebec, leading to the suspension of operations at the latter. Bridgestone's rapid response reportedly contained the attack early, preventing customer data theft or deep network infiltration. The attack began on September 2, 2025. Bridgestone operates 50 production facilities and employs 55,000 people in North America, representing roughly 43% of Bridgestone Corporation's total size. The company is working to mitigate the impact and maintain business continuity. No threat actor or group has claimed responsibility for the attack.
Salesloft OAuth breach exposes Salesforce customer data via Drift AI chat agent
A threat actor, UNC6395, exploited OAuth tokens associated with the Drift AI chat agent to breach Salesloft and access customer data across multiple integrations, including Salesforce, Google Workspace, and others. The breach occurred between August 8 and 18, 2025, affecting over 700 organizations, including Zscaler, Palo Alto Networks, Cloudflare, Google Workspace, PagerDuty, Proofpoint, SpyCloud, and Tanium. The attackers targeted Salesforce instances and accessed email from a small number of Google Workspace accounts, exporting large volumes of data, including credentials and access tokens. Salesloft and Salesforce have taken steps to mitigate the breach and are advising affected customers to revoke API keys and rotate credentials. Salesloft will temporarily take Drift offline to enhance security. UNC6395 demonstrated operational security awareness by deleting query jobs, indicating a sophisticated approach. The breach highlights the risks of third-party integrations and the potential for supply chain attacks. The breach is unrelated to previous vishing attacks attributed to ShinyHunters. UNC6395 systematically exported large volumes of data from numerous corporate Salesforce instances, searching for secrets that could be used to compromise victim environments. The campaign is not limited to Salesforce customers who integrate their own solutions with the Salesforce service; it impacts all integrations using Salesloft Drift. There is no evidence that the breaches directly impacted Google Cloud customers. Organizations are urged to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access. The blast radius of the Salesloft Drift attacks remains uncertain, with the ultimate scope and severity still unclear. 
Numerous companies have disclosed downstream breaches resulting from this campaign, including Zscaler, Palo Alto Networks, Proofpoint, Cloudflare, and Tenable. Zscaler and Palo Alto Networks warned of potential social engineering attacks resulting from the campaign. Cloudflare confirmed that some customer support interactions may reveal information about a customer's configuration and could contain sensitive information like access tokens. Okta successfully prevented a breach of its Salesforce instance by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric unified across applications. Palo Alto Networks' Unit 42 recommends conducting an immediate log review for signs of compromise and rotating exposed credentials. The breach started with the compromise of Salesloft's GitHub account between March and June 2025. UNC6395 accessed the Salesloft GitHub account and downloaded content from multiple repositories, added a guest user, and established workflows. Reconnaissance activities occurred between March 2025 and June 2025 in the Salesloft and Drift application environments. Salesloft isolated the Drift infrastructure, application, and code, and took the application offline on September 5, 2025. Salesloft rotated credentials in the Salesloft environment and hardened the environment with improved segmentation controls between Salesloft and Drift applications. Salesforce restored the integration with the Salesloft platform on September 7, 2025, but Drift remains disabled. 22 companies have confirmed they were impacted by the supply chain breach. ShinyHunters and Scattered Spider were also involved in the Salesloft Drift attacks.
Allianz Life data breach affects 1.1 million customers via Salesforce compromise
Allianz Life, a U.S. insurance subsidiary of Allianz SE, experienced a data breach in July 2025. Hackers accessed a third-party cloud CRM system, stealing personal information of 1.1 million customers. The breach involved a malicious OAuth app linked to Salesforce instances, leading to the exfiltration of sensitive data. The extortion group ShinyHunters, tracked as UNC6040, claimed responsibility and leaked the stolen data. The breach is part of a broader campaign targeting multiple high-profile companies, including Google, Adidas, Workday, Qantas, Pandora, and Workiva. Allianz Life confirmed the breach but declined to provide additional details due to an ongoing investigation. Qantas Group executives reduced their short-term compensation by 15% due to the impact of the cyberattack on customers, which affected approximately 5.7 million passengers.