State And Local Government
ACID Technologies helps state and local government agencies protect themselves by detecting the first signs of an impending cyberattack – as early as its planning stage – and providing real-time, detailed alerts that enable the targeted agencies to implement effective preventive measures.
ACID Technologies provides state and local government agencies with 24/7/365 dark web monitoring, while also continuously monitoring the deep web and multiple additional sources. When it detects a threat, ACID sends real-time, actionable alerts containing all available information, so that the targeted organization can respond effectively and mitigate the harmful impact.
How essential is cyber security for state and local government agencies?
Governmental entities are increasingly being targeted by cybercriminals. Between the second half of 2021 and the parallel period in 2022, the number of attacks against the government sector nearly doubled (CloudSek).
Ukraine is a particularly noteworthy case in point; although its circumstances are distinct, it is by no means the only example of cybercrime directed at government agencies. The country has suffered cyberattacks since 2014, when Russia annexed Crimea. On January 23, 2022, a day before the invasion, Russia intensified its cyberwarfare by attacking about 200 government systems. According to the European Parliament Think Tank, Ukrainian “public, energy, media, financial, business and non-profit sectors have suffered the most. Since 24 February [2022], limited Russian cyber-attacks have undermined the distribution of medicines, food and relief supplies. Their impact has ranged from preventing access to basic services to data theft and disinformation, including through deep fake technology. Other malicious cyber-activity involves sending of phishing emails, distributed denial-of-service attacks, and use of data-wiper malware, backdoors, surveillance software and information stealers.” In response to the Russian invasion of Ukraine, the number of cyberattacks against the aggressor increased by 600%.
In its Global Risks Report 2022, the World Economic Forum states that cybersecurity measures implemented by governments, businesses and individuals are becoming increasingly obsolete due to the growing sophistication of cybercriminals. This concern is reflected in the US government’s decision to allocate nearly US$ 11 billion to cybersecurity (this sum excludes the Department of Defense’s allocation for this purpose).
The Global Risks Report further states: “Greater cyberthreats will also hamper cooperation between states if governments continue to follow unilateral paths to control risks. As attacks become more severe and broadly impactful, already sharp tensions between governments impacted by cybercrime and governments complicit in their commission will rise as cybersecurity becomes another wedge for divergence – rather than cooperation – among nation-states.”
According to an IBM report, there was a 7.25% increase in the average total cost of a breach in the public sector in the year commencing in March 2021, bringing the cost in March 2022 to US$ 2.07 million.
Between 2021 and 2022, the number of cyberattacks against the government sector nearly doubled (CloudSek).
The cost per breach in the public sector reached US$ 2.07 million in March 2022 (IBM).
What makes the government sector attractive to cybercriminals, justifying heavy investment in cybersecurity for state and local government?
Government agencies collect and store enormous amounts of sensitive data. This data, if stolen and sold, can be used to perpetrate attacks for financial gain, and can also be used by foreign governments and/or terrorist groups.
As in all industries, growing digitization, cloud-based environments and the shift to remote work during the Covid-19 pandemic provide more opportunities for cyber attackers, including nation-state entities, to exploit.
State-sponsored, economically motivated cyber espionage (EMCE) is also a worrying phenomenon, with China being a prominent player. A report published by the Swedish Security and Defence Industry Association quotes a Mandiant Intelligence Center report indicating that “the Communist Party of China (CPC) is tasking the Chinese People’s Liberation Army (PLA) to commit systematic cyber espionage and data theft against organizations around the world.” It adds that of the 20 specific Advanced Persistent Threat groups it has studied, the one it labeled APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. Mandiant further states that APT1 has “systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously. APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries. The industries APT1 targets match industries that China has identified as strategic to their growth.”
In 2022, hacking for political purposes (“hacktivism”) was also on the rise, with 9% of reported incidents occurring in the government sector (CloudSek report, quoted by CSO). The report states that “these statistics are suggestive of the fact that cyberattacks in this particular industry are no longer limited to financial gains; rather, they are now used as a means to express support or opposition for certain political, religious, or even economic events and policies… Threat actors have started developing and advertising services of dedicated criminal infrastructure which can be bought by governments or individuals and used for various nefarious purposes.”
India, the USA, Indonesia and China were the most targeted countries in the past two years, accounting for 40% of the total reported incidents in the government sector, CSO reported. It elaborated that the attacks on the Indian government were due to the hacktivist group Dragon Force Malaysia’s #OpIndia and #OpsPatuk campaigns, and that nearly all the attacks on the Chinese government were attributed to AgainstTheWest’s campaign Operation Renminbi, which began as retaliation for China’s activities against Taiwan and the Uyghur community. Later, when China was accused of being responsible for the Covid-19 pandemic, attacks against the country increased further.
Cyberattacks that highlight the urgent need for effective cybersecurity for state and local government
The most noteworthy cyberattacks affecting government agencies in recent years are:
- US government (and others): The SolarWinds attack, believed to have begun in March 2020 and detected only months later, is attributed by most experts to a group of hackers affiliated with the Russian government. It demonstrates the disastrous, far-reaching consequences of a successful software supply chain attack, for which most organizations are unprepared. According to its own reporting, SolarWinds customers include all branches of the US military, the Pentagon, the State Department, 425 of the US Fortune 500 companies, the top ten US telecommunications companies, the top five US accounting firms, and hundreds of universities and colleges worldwide.
The hackers gained access to many SolarWinds clients through a compromised update to the company’s Orion software. Those affected included US government agencies – the Treasury, the Department of Homeland Security, the National Nuclear Security Administration, parts of the Pentagon, the State Department and the Department of Energy – as well as large companies, including, among others, Intel, Microsoft and Cisco.
- US Marshals Service: In mid-February 2023, the US Marshals Service reported that its systems had been breached in what it referred to as a “major incident”, stating: “The affected system contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees.” The Service clarified that the breach did not affect the Witness Security Program database.
- Washington DC Metropolitan Police Department: Cybercriminals carried out a ransomware attack in April 2021 against the police department, and claimed to have gained access to 250 GB of data, including large amounts of personal data of police personnel and informers, as well as a “gang database.” They demanded a ransom of US$ 4 million; however, the police department only agreed to pay US$ 100,000. The hackers rejected the offer and proceeded to leak the stolen data onto the Internet.
According to the New York Times, this was the third attack on a police force within six weeks. It added that 26 US government agencies had been hit by ransomware since the beginning of 2021, and explained that police computers were especially vulnerable to ransomware because many run ancient systems and software.
Some other attacks:
- German government websites: In January 2023, following Germany’s announcement that it would send Leopard tanks to Ukraine, Russian cyber attackers launched a DDoS strike against German government sites. German airport sites and banking sites were also attacked, although with little effect, as protective measures had been implemented.
- Australian Fire & Rescue Service: Fire Rescue Victoria (FRVP), which operates 85 stations in the state of Victoria and employs some 4,500 operational and corporate personnel, was targeted in a cyberattack in mid-December 2022. The attack caused widespread IT outages and the theft of data on employees, contractors and more, but reportedly did not impact emergency response services.
- US federal agencies: At least two federal agencies were targeted from mid-June to September 2022 in a widespread cyber campaign that used legitimate remote monitoring and management (RMM) software to perpetrate a phishing scam. The attacks were financially motivated; however, the perpetrators can weaponize the access they gain to carry out additional malicious activities, including selling that access to other hacking crews (The Hacker News).
- Bernalillo County, New Mexico, USA: The State of New Mexico’s most populous county was targeted in a ransomware attack that took place in January 2022, and whose impact was still felt months later. The county was forced to close its downtown headquarters for several days, as well as to lock down its metropolitan detention center. Additionally, it was unable to provide services involving legal documents and real estate. The County managed to recover from the attack without paying the ransom.
- Belgian Ministry of Defense: In December 2021, the Ministry announced that its computer network had been attacked. It provided no further information, other than that the attack resulted from exploitation of the Log4j vulnerability, which, according to Microsoft, state-sponsored hackers from China, Turkey, Iran and North Korea had started testing and exploiting.
- Canadian government: In August 2020, the Chief Information Officer of the Canadian government announced: “…a CRA (Canadian Revenue Agency) portal was directly targeted with a large amount of traffic using a botnet to attempt to attack the services through credential stuffing”, adding that the portal was shut down out of an abundance of caution. According to Canadian officials, about 300,000 attempted attacks aimed at accessing accounts on at least 24 government systems took place over the same weekend.
- Belgian police unit: CPO Magazine reported in late 2022 that the Belgian police unit of Zwijndrecht sustained a ransomware attack by a group that mistook it for the town’s municipality. The source added that the leaked data included investigation reports, criminal records, thousands of license plates, traffic fines, personnel files, telephone research, and crime files, including child abuse images. The leak also exposed traffic camera recordings that could reveal people’s whereabouts at specific times, thus violating their privacy and endangering their safety, as well as names, phone numbers, and subscriber and SMS metadata of people under covert police investigation. This information could alert suspects to ongoing investigations, allowing them to destroy evidence and eliminate potential witnesses. Although the data came from a small police unit, it covered 18 years of operation, affecting thousands of people and a large number of cases.
- Costa Rica government bodies: In May 2022, the Costa Rican president declared a national emergency following a ransomware attack by the Conti group against multiple government bodies. The hardest hit was the country’s Ministry of Finance. The attackers then proceeded to publish almost all of the 672 GB of data they had stolen.
ACID offers cybersecurity for state and local government agencies
ACID offers effective cybersecurity services for state and local government entities: It deploys clusters of bots and implements advanced AI algorithms in order to detect the first hint of an attack in the clear, deep and dark web, as well as in multiple other sources, as early as in its initial planning phase. Once such an intent is detected, ACID alerts the targeted entity in real time, transferring all the available information to it – including screenshots of threats detected on the dark web and deep web, to provide the most comprehensive and accurate information. ACID continues to monitor the sources, using client-specific keywords in several languages, and provides updates with any additional data as it becomes available. While ACID continuously monitors a very large number of sources, additional ones can be easily included in the search.
The real time alerts provided by ACID at the first sign of an attack, and the subsequent updates with additional information as it becomes available, enable the IT teams of the targeted state or local government entity to prepare and implement countermeasures that will mitigate the impact of the attack, or possibly thwart it altogether.
What makes state and local government organizations attractive targets for cybercrime?
Governments, both state and local, are attractive targets in the eyes of cybercriminals and cyberterrorists alike. The main reasons they direct their attention to these targets are the potential damage their cyberattacks can inflict, given that government organizations also control a variety of critical infrastructures, and the wealth of sensitive data these organizations possess. Cyberterrorists find state and local government bodies attractive because they constitute an arena for politically motivated attacks, with any large attack affecting many citizens and gaining wide media coverage.
What are the main cybersecurity challenges faced by government institutions?
The main cybersecurity challenges are:
- Skilled opponents: In the case of state-level institutions in particular, though not exclusively, those perpetrating the cyberattacks are often hacktivists, who are usually highly motivated; state-sponsored attackers, who have access to considerable resources and have often accumulated expertise and experience; and organized crime gangs, which are capable of investing sizeable resources to increase their chances of success.
- Multiple organizations operating under the umbrella of the government: When multiple agencies are involved, they often differ in their infrastructure, vendors, the systems they operate and the solutions they choose, as well as in how updated their defenses are. This makes it more difficult for state and local governments to ensure they are adequately protected.
- Limited resources: In view of the characteristics of their adversaries, local and state government bodies need to invest significant resources to protect themselves – resources that smaller organizations in particular do not always have at their disposal.
What are the potential cyber threats that governments need to protect themselves from?
The required protections, based on Check Point’s analysis, are:
- Internet of Things (IoT): IoT devices, often used to operate and control critical infrastructure, present considerable risks. These arise from a variety of factors, among them unpatched vulnerabilities. IoT devices must be managed with great care to prevent them from becoming access points to networks and creating dangerous vulnerabilities.
- Data security: To fulfill their functions, state and local governments hold massive amounts of sensitive, confidential and classified information. Failing to appropriately safeguard this information will not only encumber their ability to provide the necessary services, but also cost them the trust of their citizens.
- Cloud security: Cloud services offer a variety of benefits, among them resiliency and scalability. This explains the increasing migration to the cloud of government data and applications and the increased reliance of government agencies on these services. However, they can also present risks if access control is not properly managed, configuration errors are made, or third-party risks are inadequately managed.
- Network security: Without effective network security, cyber attackers have a better chance of penetrating an organization’s systems and potentially wreaking havoc.
- Application security: Critical services provided to citizens by government agencies can be severely impacted, even shut down, if the applications used to provide these services are not properly protected.
- Endpoint security: Endpoint security solutions are essential to protection, in view of the fact that many government employees work on laptops and mobile devices provided by their employer.
- Mobile security: Mobile devices are increasingly targeted due to their growing use. Therefore, mobile security solutions are more essential now than ever to prevent the unintended downloading and installation of malware.
- Consolidated security architecture: A consolidated security architecture that provides the required security capabilities in a single solution is far preferable to protection by standalone solutions, which together form an unmanageable security architecture.
What are some examples of cyberattacks demonstrating the need for effective cybersecurity for state and government agencies?
- In October 2024, the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) were requested by the U.S. House Committee on Homeland Security to brief them on an attack perpetrated by a hacker group backed by the People’s Republic of China (PRC). The group targeted large internet providers, including Verizon, AT&T and Lumen Technologies. The Committee voiced concerns that “the PRC could influence communications by rerouting internet traffic, or gain valuable information by accessing systems for lawful wiretapping requests. In other words, this intrusion would significantly jeopardize Americans’ right to privacy and broader U.S. national security interests.” According to some indications, the “Salt Typhoon” hack commenced years earlier, perhaps already in 2020, raising concerns over the state of the USA’s cyber resiliency.
- In July 2024, at the end of a three-year investigation, Germany accused China of having executed a cyberattack against its Federal Office for Cartography and Geodesy (BKG) in 2021. The BKG is the agency responsible for the entire country’s precision mapping. Germany subsequently announced that it intends to replace its Chinese telecommunications infrastructure, citing security concerns.
- In August 2024, it was reported that diplomats were targeted by Russian cyber criminals, apparently in order to steal data and conduct surveillance and reconnaissance. The attack consisted of an email offering a used car for sale with an attachment – supposedly innocent photos of the car, but in fact intended to distribute the HeadLace backdoor malware. The attack appears to have begun about five months earlier.
- Also in August 2024, the website of POLANDA, Poland’s anti-doping agency, crashed following an attack. It was revealed that more than 50,000 files containing confidential data were leaked as a result. The attack was attributed to hackers “supported by the services of [a] hostile state”.
- On the local level, the city of Columbus, Ohio, USA, was targeted in an attack that took place in August 2024. An immense amount of data was stolen – reportedly three terabytes – including the personal files of the city’s employees. After two failed attempts to auction the data, the Rhysida ransomware group dumped the files on the dark web.
ACID helps state and local government organizations maintain business continuity and provide uninterrupted services to their citizens. Clusters of robots are deployed and sophisticated algorithms implemented to continuously monitor the dark web and numerous additional sources in order to detect signs of impending attacks while still in their planning stage, attacks that are in progress, and leaked data indicating a breach. Client-specific keywords are used, and languages are chosen as relevant, to provide optimal results. Once a threat is detected, ACID sends real-time alerts to the targeted organization, enabling it to implement countermeasures that diminish the effects of the attack, or perhaps even foil it altogether. By offering a cost-effective solution centering on dark web monitoring, ACID helps even small government bodies overcome the challenge of insufficient resources for effective protection.