A growing number of cyberattacks have targeted governments and international agencies this year. Ransomware operators continued to target governments in 2022 even though, of all sectors, governments are the least likely to pay a ransom.
It is generally assumed that threat actors are motivated by financial gain. However, with many states considering no-ransom bills and the FBI advising governments not to pay ransom demands, what is behind the rise in attacks on the public sector?
This blog post discusses why more cyberattacks target the public sector and what defences government agencies can implement to protect themselves.
Government agencies manage a large amount of sensitive data, from personal information about citizens to classified information related to national security. In a data-driven world, information is a hot commodity on underground markets, which makes its custodians targets.
Government agencies are now among the most targeted sectors, alongside businesses, healthcare providers, educational institutions, and financial institutions. According to research covering Q3 2022, government was the second most attacked industry, averaging 1,564 attacks per week, a 20% increase over the same period in 2021.
2022 saw some of the most significant cyberattacks on governments. A month-by-month summary follows.
January – Cyberattacks on the Ukrainian government damaged dozens of computers in government-run agencies. The Informatics Directorate of the Greek Parliament identified an attempt to compromise 60 parliamentary email accounts. Threat actors targeting the Canadian Foreign Ministry disrupted some of its internet-connected services.
February – A cybercrime group breached the U.K.’s Foreign Office, and an espionage campaign was attributed to a group linked to the Iranian government. Pakistani-linked groups used remote access trojans (RATs) to spy on Indian military officials and diplomats. The Ukrainian Defense Ministry was hit by DDoS attacks in the run-up to the Russian invasion, and the websites of the Ministries of Foreign Affairs, Infrastructure, and Education were severely disrupted.
March – A China-backed group hacked the governments of at least six U.S. states. One of Canada’s most prominent state-funded research agencies reported a data breach. According to Greenland’s parliamentary authority, an apparent espionage operation slowed social benefit payments. Actors connected to the Pakistani government delivered malware to Indian government employees.
April – Phishing attacks targeted the Telegram accounts of Ukrainian government officials. A DDoS attack hit the websites of the Finnish Ministries of Defense and Foreign Affairs, and the U.S. Treasury Department’s Office of Foreign Assets Control announced sanctions against a DPRK-based hacking group. Researchers uncovered a Russian-linked campaign that used phishing emails to deliver malware to diplomats from Portugal, Poland, France, and other countries.
May – An Iranian cyberespionage group was suspected of running a phishing campaign against the Jordanian Ministry of Foreign Affairs. Russian-linked threat actors launched DDoS attacks on Italian websites, including those of the Senate, the Ministry of Defense, and the National Health Institute.
June – DDoS attacks on Norwegian public institutions were aimed specifically at disrupting government websites. Several actors hacked into Chinese government networks to uncover and leak evidence of human rights abuses against the Uyghur population. Phishing emails targeted several Israeli officials and military personnel as well as a former U.S. ambassador to Israel. A Russian-based group claimed responsibility for attacks on Lithuanian government ministries and state-owned airports, railways, and media outlets.
July – Threat actors hampered Albanians’ use of public services and brought down the websites of the parliament and the office of the prime minister. In Lithuania, a state-owned energy company was the target of a deliberate DDoS attack.
August – The official websites of both public and commercial organisations in Estonia were subjected to a DDoS attack. Montenegrin officials attributed a breach of government institutions to Russian-affiliated entities. DDoS attacks aimed to take down the main portal of the Taiwanese Foreign Ministry and temporarily took the Taiwanese presidential website offline. Threat actors attacked the Ukrainian state energy company responsible for the nation’s nuclear power reactors.
September – A number of cyberattacks on the Iranian government were attributed to the group Anonymous. The Mexican Defense Ministry reported that a hack gave attackers access to six terabytes of internal communications, criminal data, and people’s private health information. The state-level parliamentary website of Bosnia and Herzegovina and important state websites and government information platforms in Montenegro were attacked.
October – Pro-Russian hackers forced government websites in Colorado, Kentucky, and Mississippi offline. A different hacking gang with ties to Russia targeted the websites of Bulgaria’s presidential office, defence, interior, and justice ministries, and constitutional court.
Data Is the Prize | Why Governments Are In the Crosshairs
This year, only 32% of state and local governments paid cybercriminals to restore encrypted data, a significant decrease from 42% in 2020. This was the lowest reported rate of any sector; across all other sectors the average was 46% in 2022. Although fewer government entities are paying ransoms, the number of threat campaigns continues to rise, which indicates that the attackers have goals beyond monetary gain.
Because governments offer so many services to residents and businesses, government agencies sit on a wealth of data. State-level intelligence, classified assets, and personally identifiable information (PII) can all be exposed to cybercriminals by a single successful breach. The stolen information is frequently bought and sold on underground markets to fabricate documents, steal identities, gain initial access to businesses, or take over highly privileged accounts.
The Threat of Hacktivism & Cyber Terrorism
State-sponsored threat actors are driven by interests other than profit. Beyond selling stolen data, their objectives can include disrupting vital services, destroying national assets, provoking unrest, exposing political malfeasance, or undermining trust and causing embarrassment.
State and local governments frequently operate on small, publicly funded budgets that leave little room for robust cybersecurity strategies, which is why threat actors view them as “soft targets”. Government organisations may have only general-service IT staff or a small SOC team as their primary security resource, and the legacy technology in use at this level of government is often not capable of withstanding the serious ransomware attacks it now faces.
Once compromised, a government organisation can serve as a point of entry for threat actors into thousands of other businesses, outside providers, and sizable portions of the general population. Effective strikes at the government level can have far-reaching consequences and destabilise the populations those governments serve.
In political cyberwarfare, hostile state-sponsored threat actors may find it advantageous to attack governmental institutions. By combining harmful cyber tactics with an “influence operation”, actors can spread false information and amplify a narrative to advance their objectives.
Governmental Infrastructure Digital Security Warning Signs
When it comes to digital security red flags, many government IT systems are three for three:
They have a large audience and are widely trusted by users. Researchers discovered this year that attackers were using legitimate government domains to distribute malware to large numbers of people at once, because site visitors implicitly trusted those domains.
Their systems are complex, store a lot of sensitive data, and communicate with numerous contractors and outside parties. This complexity and the number of external connections increase the agency’s exposure to third-party risk.
Governments at the state and local levels receive less funding than the federal government. As a result, they frequently have to make do with antiquated software that cannot defend against contemporary, sophisticated cyber threats.
These warning signs usually stem from a weak IT and cybersecurity setup, a prevalent issue in underfunded government organisations. Opportunistic attacks frequently target the public sector, but governments are also a target of skilled attackers who take advantage of porous defences to deploy malware, lateral movement tools, ransomware, and phishing.
The Critical Need for Cybersecurity Professionals
Weak government IT systems are already a problem, and the global shortage of cybersecurity specialists is making it worse. According to a recent report from (ISC)², there are currently 3.4 million unfilled cybersecurity positions worldwide. The same survey notes that this year’s geopolitical and socioeconomic turmoil has had a direct impact on the threat landscape we face today.
Because state and municipal governments operate within constrained budgets, there are typically few (if any) cybersecurity resources allocated to supporting agencies, and this lack of security expertise ultimately leaves the agencies vulnerable. Without integrating cybersecurity skills into leadership and working closely with technology teams, underfunded governments run the risk of:
Having trouble implementing new technologies,
Failing to keep up with updated regulatory standards or to track important trends in attacker tactics, techniques, and procedures (TTPs),
Handling security incidents and post-incident procedures incorrectly.
What’s next for Government Security Strategies?
Governments provide a wide range of services to the public, all of which add to the complexity and extent of their attack surface. If they are to continue offering those services securely, CISOs should consider a straightforward, end-to-end security strategy that addresses all of the inherent risks governing bodies face in the current environment.
When the conflict between Russia and Ukraine erupted, CISA issued its Shields Up advisory, urging organisations “inside and outside the region” to prepare for and respond to disruptive cyber activity. According to the advisory, the Russian government may consider expanding its operations to countries outside Ukraine in response to the economic costs imposed on Russia by the U.S. and its allies and partners. Shields Up recommends the following steps:
Improving rapid detection by enabling logging, deploying anti-malware software, and, where working with outside vendors, monitoring and isolating their traffic.
Preparing for incident response in advance by establishing a crisis-response team, ensuring the availability of key personnel, and regularly conducting tabletop exercises to rehearse roles and responsibilities.
Strengthening cyber resilience by testing manual controls, isolating backups from network connections, and testing backup operations in the event of a network failure.
Developing cyber resilience: Identity Security as the New Perimeter
President Biden’s national security memorandum from last summer emphasised the importance of developing cyber-resilient infrastructure and systems. To help critical infrastructure sectors launch their security initiatives in response to that memorandum, CISA and NIST jointly released new Cybersecurity Performance Goals (CPGs). The CPGs offer actionable goals for account, device, and data security; CISA describes them as a minimum set of best practices.
Identity is the starting point for account, device, and data security. This attack surface widens as more organisations shift to remote workforces and create digital identities to share information and collaborate, which leaves high-value sectors more exposed to identity-based attacks. Treating identity as the new network perimeter lets organisations detect threats at their earliest stages and shrink their attack surface.
Organisations that can identify over-privileged users, exposed credentials, and other identity hygiene issues can stop an intrusion before it reaches the data-loss stage. As threat actors rely on vulnerable endpoints and social engineering to gain access to networks, identity threat detection and response will only grow in importance.
Governments managing large databases in particular need to lower the chance of a breach by implementing identity authentication controls such as multi-factor authentication (MFA), endpoint detection and response (EDR), remote access validation, privileged account audits, and strict password policies.
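The privileged account audit described above is the kind of check that can be scripted against a directory or IdP export. The following is an added example, not code from eScan or from CISA’s guidance: it runs four identity hygiene checks (entitlements beyond the role’s least-privilege baseline, privileged accounts without MFA, service accounts that allow interactive logon, and stale accounts) over a constructed account inventory. The inventory, the role-to-entitlement baseline, the 90-day staleness threshold and the field names are assumptions chosen for illustration.

```python
"""
Identity hygiene audit over a constructed account inventory.

Added example (not eScan's or CISA's code). The accounts, role baseline
and thresholds below are assumptions made up for illustration; a real
run would load these from a directory or IdP export.
"""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible.
NOW = datetime(2022, 11, 1, tzinfo=timezone.utc)
STALE_DAYS = 90  # assumed policy: flag accounts with no logon in 90 days

# Constructed inventory, shaped like a typical directory export.
ACCOUNTS = [
    {"user": "jdoe", "role": "clerk", "privileges": {"read_records"},
     "mfa": True, "interactive": True, "last_login": NOW - timedelta(days=3)},
    # Clerk who has accumulated domain admin rights over time.
    {"user": "asmith", "role": "clerk", "privileges": {"read_records", "domain_admin"},
     "mfa": True, "interactive": True, "last_login": NOW - timedelta(days=1)},
    # Sysadmin whose privileges match the role but who has no MFA.
    {"user": "mlee", "role": "sysadmin", "privileges": {"domain_admin", "backup_operator"},
     "mfa": False, "interactive": True, "last_login": NOW - timedelta(days=2)},
    # Vendor account nobody has used for months.
    {"user": "contractor7", "role": "vendor", "privileges": {"remote_access"},
     "mfa": True, "interactive": True, "last_login": NOW - timedelta(days=200)},
    # Service account that is still allowed to log on interactively.
    {"user": "svc_backup", "role": "service", "privileges": {"backup_operator"},
     "mfa": False, "interactive": True, "last_login": NOW - timedelta(days=1)},
]

# Assumed least-privilege baseline: entitlements each role may legitimately hold.
ROLE_BASELINE = {
    "clerk": {"read_records"},
    "sysadmin": {"domain_admin", "backup_operator"},
    "vendor": {"remote_access"},
    "service": {"backup_operator"},
}

# Entitlements treated as privileged for the MFA check.
PRIVILEGED = {"domain_admin", "backup_operator", "remote_access"}


def audit(accounts, baseline, now=NOW, stale_days=STALE_DAYS):
    """Return a list of (user, finding) tuples; an empty list means clean."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        allowed = baseline.get(acct["role"], set())

        # 1. Over-privileged: entitlements the role baseline does not permit.
        excess = acct["privileges"] - allowed
        if excess:
            findings.append((user, f"over-privileged: {sorted(excess)} beyond role '{acct['role']}'"))

        # 2. Privileged human account without MFA (service accounts use other controls).
        if acct["privileges"] & PRIVILEGED and acct["role"] != "service" and not acct["mfa"]:
            findings.append((user, "privileged account without MFA"))

        # 3. Service account that can be used for interactive logon.
        if acct["role"] == "service" and acct["interactive"]:
            findings.append((user, "service account allows interactive logon"))

        # 4. Stale account: no logon within the policy window.
        idle = (now - acct["last_login"]).days
        if idle > stale_days:
            findings.append((user, f"stale account: no logon in {idle} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(ACCOUNTS, ROLE_BASELINE):
        print(f"{user:12} {finding}")
```

Against the constructed inventory the audit flags asmith (excess domain_admin), mlee (no MFA on a privileged account), svc_backup (interactive logon) and contractor7 (200 days idle), and leaves jdoe clean. The role baseline is the important input: without an explicit least-privilege mapping per role, “over-privileged” cannot be defined, which is why the CPG-style account security goals start with an inventory of who is allowed to hold what.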
Conclusion
In 2022, advanced cyber threats including ransomware, phishing and whaling campaigns, and DDoS attacks plagued governments around the world, preying on lax policies and organisational silos. Governments ranked second among the most attacked sectors this year, facing politically motivated hacktivists as well as data-hungry cybercriminals.
The attacks reported this year alone show that this crucial sector has to improve its cyber resilience and adopt cybersecurity best practices to reduce its attack surface. Given the variety of data and networks that governmental and non-governmental organisations manage, solutions that offer complete visibility are the most effective.
Solutions should combine identity-based security controls with artificial intelligence (AI) and machine learning (ML) capabilities to counter ransomware and sophisticated social engineering schemes. By eliminating blind spots in network visibility, governments can monitor endpoints and data more effectively and detect and respond to security events in real time, before they cause lasting damage.
While no entity is immune to cyber-attacks, governments can use the top attacks reported in 2022 as a learning tool to better secure the data of those who rely on their services. Contact us today to learn more about how eScan can help enterprises build cyber resilience through autonomous endpoint protection.