Pennsylvania AG’s Website, Email Taken Down in Security Incident
Phone, email, and website went dark as investigators probe links to widely exploited Citrix NetScaler flaws.
The Pennsylvania Attorney General’s Office says a cyberattack disabled its phone lines, email, and public website, disrupting services while prosecutors continue casework using backups and manual processes. Investigators are probing whether recent, widely exploited Citrix NetScaler vulnerabilities factored into the outage, which persisted into midweek as restoration and forensics proceed.
A cyberattack has knocked out the Pennsylvania Attorney General’s Office communications—phones, email, and website—forcing emergency workarounds for public services and legal operations while state and federal partners investigate and rebuild impacted systems.
The AG’s office disclosed Monday that a “cyber incident” took down the network hosting its systems, taking the website, landlines, and office email offline. As of Wednesday morning, the site remained unavailable while teams worked “around the clock” to restore services and determine the cause.
Attorney General Dave Sunday posted that staff are collaborating with law enforcement and IT to recover systems, and operations critical to public protection continue despite outages. Media inquiries have been rerouted to alternate email addresses during the disruption.
In July and early August, security researcher Kevin Beaumont flagged two internet-exposed Citrix NetScaler appliances tied to the AG’s office as vulnerable to CVE-2025-5777 (“CitrixBleed 2”)—a bug actively targeted worldwide. Those devices were later removed from the internet (July 29 and August 7), though officials have not confirmed any link to the current attack.
“This is a frustrating situation, and everyone is doing their very best. I am grateful for the dedication and professionalism of our Information Technology staff who are working around the clock to resolve the matter.” — Pennsylvania Attorney General Dave Sunday, in a public statement.
“In collaboration with our law enforcement partners, we will work diligently to restore systems. We will continue to do the work of protecting Pennsylvanians no matter the obstacle.” — Dave Sunday, Attorney General of Pennsylvania.
“The NetScaler boxes appear to be offline now, and they were getting owned back then. Although, it could just be another incident if there’s overall poor security hygiene.” — Kevin Beaumont, security researcher, discussing the previously exposed devices.
Technical Analysis
From an attacker’s playbook, state AG offices present rich targets: centralized identity, case data, and email routing. The most plausible initial access here is an edge-device exploit followed by credential theft and lateral movement.
- Likely initial vector: exploitation of Citrix NetScaler (ADC/Gateway) via CVE-2025-5777 (“CitrixBleed 2”), which—similar to 2023’s CitrixBleed—can expose session material and enable impersonation, sometimes bypassing MFA. Remote code execution or session hijack on the gateway can yield a beachhead with enterprise SSO adjacency.
- What the outage implies: Phones, email, and website going down together suggests containment playbooks kicked in: isolating core directory services, mail transport (on-prem or hybrid), VoIP call managers, and the public web tier to stop spread and preserve evidence. That aligns with a defensive network isolation move rather than pure DDoS. (Officials have not attributed the attack.)
- Tradecraft likely used: token theft from memory, replay against internal apps, and lateral movement to messaging and web front-ends. If ransomware operators were involved (unconfirmed), they often hit comms first to blind responders. BleepingComputer notes the impact “bears all the signs of a ransomware attack,” though no group has claimed it.
- Wider scanning: As of this week, thousands of NetScalers remain vulnerable on the internet, increasing opportunistic compromise odds for public agencies.
Defensive mitigations:
- Pull gateways behind a maintenance ACL; patch and rebuild NetScaler images; rotate all associated secrets/tokens.
- Purge and reissue SSO/MFA sessions (invalidate id tokens, refresh tokens, Kerberos TGTs).
- Segment VoIP, mail, and IdP; restrict management planes via jump-hosts and per-admin hardware keys.
- Turn up logging beyond defaults; NetScaler’s native logs can miss exploitation traces. Enable full HTTP/S, auth event, and memory sensor telemetry.
- Hunt for persistence: GPO/script changes, new service principals, OAuth consents, and any “shadow IT” mail connectors.
- Tabletop restore of mail, DNS, and web tiers; pre-stage clean infra before reconnecting to production AD.
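A hunt that supports the session-purge and logging points above, as an added example that is not from the article or from Citrix: it flags any gateway session token seen from more than one client address within a short window, the pattern a defender would expect if session material leaked by a gateway bug were replayed. The log layout and sample lines are constructed for illustration and do not reproduce NetScaler's own syslog format.

```python
# Added example (not from the article or from Citrix): flag a gateway session
# token used from more than one client address in a short window, the pattern
# expected if leaked session material is replayed. Log layout is constructed.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: timestamp, event, user, session id, client IP.
# The fourth line is deliberately malformed to show that it is skipped.
SAMPLE_LOG = """\
2025-08-09T02:14:07Z SSLVPN LOGIN user=jdoe sessionid=3f9a1c77 client=203.0.113.10
2025-08-09T02:15:30Z SSLVPN REQUEST user=jdoe sessionid=3f9a1c77 client=203.0.113.10
2025-08-09T02:21:02Z SSLVPN REQUEST user=jdoe sessionid=3f9a1c77 client=198.51.100.77
this line is not a session record
2025-08-09T02:22:45Z SSLVPN LOGIN user=asmith sessionid=b81e22d0 client=192.0.2.25
2025-08-09T02:23:10Z SSLVPN REQUEST user=asmith sessionid=b81e22d0 client=192.0.2.25
2025-08-09T02:40:00Z SSLVPN REQUEST user=jdoe sessionid=3f9a1c77 client=198.51.100.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SSLVPN (?P<event>\w+) user=(?P<user>\S+) "
    r"sessionid=(?P<sid>\S+) client=(?P<ip>\S+)$"
)

def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            records.append(rec)
    return records

def find_shared_sessions(records, window_minutes=30):
    """Map session id -> sorted client IPs for every token that moved to a
    different address within window_minutes of its previous use. The window
    keeps a legitimate reconnect from another network hours later from firing."""
    last_seen = {}                 # sid -> (timestamp, ip) of the previous use
    flagged = defaultdict(set)
    for rec in sorted(records, key=lambda r: r["ts"]):
        sid, ip, ts = rec["sid"], rec["ip"], rec["ts"]
        if sid in last_seen:
            prev_ts, prev_ip = last_seen[sid]
            if prev_ip != ip and (ts - prev_ts).total_seconds() <= window_minutes * 60:
                flagged[sid].update({prev_ip, ip})
        last_seen[sid] = (ts, ip)
    return {sid: sorted(ips) for sid, ips in flagged.items()}
```

Any session the function returns is a candidate for immediate invalidation and follow-up on what the second address touched; run it over the gateway's authentication and request logs for the whole exposure window, not just the day of the outage.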
Impact & Response
Who is affected: Residents and partners relying on the AG’s website, phones, and email for consumer complaints, victim services, and legal coordination. Prosecutorial work continues under manual contingencies.
Actions taken: Network isolation, law-enforcement coordination, and use of alternate communication channels while the root cause is investigated and services are rebuilt.
Potential long-term implications: If edge-device exploitation is confirmed, agencies may need accelerated funding for secure access modernization, mandatory patch SLAs for internet-facing gear, and continuous external attack surface monitoring.
Background
Courts and justice-sector networks have been repeatedly targeted in recent years, and Citrix gateway flaws have figured in multiple high-profile incidents and threat advisories globally. Shadowserver reported ongoing mass exposure of vulnerable NetScalers while researchers observed widespread scanning and exploitation attempts.
Conclusion
Whether opportunistic edge exploitation or a targeted intrusion, the Pennsylvania AG outage underscores a persistent truth: when your identity and access edge is brittle, the blast radius includes communications lifelines. The fix is not just patching—it’s architectural: minimize public attack surface, assume token theft, and practice fast isolation and clean rebuilds.
Sources:
- The Record by Recorded Future – “Pennsylvania attorney general says cyberattack knocked phone, email systems offline” (Aug. 14, 2025)
- BleepingComputer – “Pennsylvania Attorney General’s email, site down after cyberattack” (Aug. 13, 2025)
- The Register – “Major outage at Pennsylvania Attorney General’s office after cyberattack” (Aug. 12, 2025)
- StateScoop – “Cyber incident disrupts Pennsylvania AG’s office services” (Aug. 11, 2025)
- Public statements from Pennsylvania Attorney General Dave Sunday, August 2025
- Commentary and technical analysis from cybersecurity researcher Kevin Beaumont, August 2025