The Office of the Pennsylvania Attorney General has announced that a recent cyberattack has taken down its systems, including landline phone lines and email accounts.
As Attorney General Dave Sunday revealed on social media on Monday, the office staff is currently working to restore affected services and investigate the incident with the help of law enforcement authorities.
“The network that hosts the Office of Attorney General’s systems is currently down, meaning the office’s website is offline, as are office email accounts and land phone lines,” Sunday said.
“We are taking steps to determine the cause of the cyber incident, and working to restore services on all avenues. Office of Attorney General staff are continuing to advocate on behalf of the Commonwealth and are working with supervisors to minimize any interruptions.”
Pennsylvania’s attorney general has yet to officially attribute the attack to a specific group. However, the incident’s widespread and crippling impact bears all the signs of a ransomware attack, even though no ransomware operation has claimed responsibility to date.
While incident responders continue to work on restoring impacted systems, the website of Pennsylvania’s Attorney General was still offline at the time this article was published.

Although the attack vector is still unknown, cybersecurity expert Kevin Beaumont had found, one month prior, that several public-facing Citrix NetScaler appliances on the Pennsylvania AG’s network were vulnerable to ongoing attacks exploiting a critical vulnerability tracked as CVE-2025-5777 (also known as Citrix Bleed 2).
According to Shodan scans shared by Beaumont, one of the two devices has been offline since July 29th, while the other was taken down on August 7th.
On Monday, the internet security nonprofit Shadowserver Foundation reported that over 3,300 Citrix NetScaler appliances were still vulnerable to CVE-2025-5777 attacks.
The same day, the Netherlands’ National Cyber Security Centre (NCSC) warned that attackers have exploited the flaw as a zero-day since at least early May to breach multiple critical organizations in the country.
The Openbaar Ministerie (the Netherlands’ Public Prosecution Service), which only recently restored its email servers, also disclosed a breach on July 18th that led to significant operational disruptions.
CISA has added the CVE-2025-5777 Citrix vulnerability to its Known Exploited Vulnerabilities catalog, ordering federal agencies to patch their systems against active exploitation within a day.