ACID Technologies helps state and local government agencies protect themselves by detecting the first signs of an impending cyberattack – as early as in its planning stage, and providing real-time, detailed alerts that enable the targeted agencies to implement effective preventive measures

How essential is cyber security for state and local government agencies?

Governmental entities are increasingly being targeted by cybercriminals. Between the second half of 2021 and the parallel period in 2022 the number of attacks against the government sector nearly doubled (CloudSek).

Ukraine is a particularly noteworthy case in point. Although distinct in its circumstances, it is by no means the only example of cybercrime directed at government agencies. The country has suffered cyberattacks since 2014, when Russia annexed Crimea. However, on January 23, 2022, a day before the Russian invasion, it intensified its cyberwarfare by attacking about 200 government systems. According to the European Parliament Think Thank, Ukrainian “public, energy, media, financial, business and non-profit sectors have suffered the most. Since 24 February [2022], limited Russian cyber-attacks have undermined the distribution of medicines, food and relief supplies. Their impact has ranged from preventing access to basic services to data theft and disinformation, including through deep fake technology. Other malicious cyber-activity involves sending of phishing emails, distributed denial-of-service attacks, and use of data-wiper malware, backdoors, surveillance software and information stealers.” In response to the invasion of Ukraine by Russia, the number of cyberattacks against the aggressor increased by 600%.

Cybersecurity State and local government

In its Global Risks Report 2022, the World Economic Forum states that cybersecurity measures implemented by governments, businesses and individuals are becoming increasingly obsolete due to the growing sophistication of cybercriminals. This concern is reflected in the US government’s decision to allocate nearly US$ 11 billion to cybersecurity (this sum excludes the Department of Defense’s allocation for this purpose).

The World Economic Forum’s report further states in its Global Risks report: “Greater cyberthreats will also hamper cooperation between states if governments continue to follow unilateral paths to control risks. As attacks become more severe and broadly impactful, already sharp tensions between governments impacted by cybercrime and governments complicit in their commission will rise as cybersecurity becomes another wedge for divergence – rather than cooperation—among nation-states.”

According to an IBM report, there was a 7.25% increase in the average total cost of a breach in the public sector in the year commencing in March 2021, bringing the cost in March 2022 to US$ 2.07 million.

Between 2021 and 2022, the number of cyberattacks against the government sector nearly doubled

The cost per breach in the public sector in 3/2022 reached $2.07 M

What makes the government sector attractive to cybercriminals, justifying heavy investment in cybersecurity for state and local government?

Government agencies collect and store enormous amounts of sensitive data. This data, if stolen and sold, can be used to perpetrate attacks for financial gain, and can also be used by foreign governments and/or terrorist groups.

As in all industries, growing digitization, cloud-based environments and the shift to remote work during the Covid-19 pandemic provide more opportunities for cyber attackers, including nation-state entities, to exploit.

State sponsored economically motivated cyber espionage (EMCE) is also a worrying phenomenon, with China being a prominent player. A report published by the Swedish Security and Defense Industry Association quotes a Mandiant Intelligence Center report indicating that “the Communist Party of China (CPC) is tasking the Chinese People’s Liberation Army (PLA) to commit systematic cyber espionage and data theft against organizations around the world.” It adds that of 20 specific Advanced Persistent Threat groups that it has studied, the one it labeled APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398 (613989). Mandiant further adds that AP1 has “systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously. APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries. The industries APT1 targets match industries that China has identified as strategic to their growth.”

In 2022 hacking for political purposes (“hacktivism”) is also on the rise, with 9% of reported incidents occurring in the government sector (CloudSek report, quoted by CSO). The report states that “these statistics are suggestive of the fact that cyberattacks in this particular industry are no longer limited to financial gains; rather, they are now used as a means to express support or opposition for certain political, religious, or even economic events and policies… Threat actors have started developing and advertising services of dedicated criminal infrastructure which can be bought by governments or individuals and used for various nefarious purposes.”

India, the USA, Indonesia and China were the most targeted countries in the past two years, accounting for 40% of the total reported incidents in the government sector, CSO reported. It elaborated that the attacks on the Indian government were due to hacktivist group Dragon Force Malaysia’s #OpIndia and #OpsPatuk campaigns; that nearly all the attacks on the Chinese government were attributed to the AgainstTheWest’s campaign Operation Renminbi, which began as retaliation for China’s activities against Taiwan and the Uyghur community. Later on, when China was accused of being responsible for the Covid-19 pandemic, there was an additional increase in attacks against the country.

Cyberattacks that highlight the urgent need for effective cybersecurity for state and local government

The most noteworthy cyberattacks affecting government agencies in recent years are:

  • US government (and others): The SolarWinds attack, believed to have originated in March 2020 and detected only months later, is attributed by most experts to a group of hackers affiliated with the Russian government. It demonstrates the disastrous, far-reaching consequences of a successful software supply chain attack, for which most organizations are unprepared. According to its own reports, SolarWinds customers include all branches of the US military, the Pentagon, the State Department, 425 of the US Fortune 500 companies, the top ten US telecommunications companies, the top five US accounting firms, and also hundreds of universities and colleges worldwide.
    The hackers gained access to many SolarWinds clients through a compromised update to the company’s Orion software. Those affected included US government agencies – the Treasury, the Department of Homeland Security, the National Nuclear Security Administration, parts of the Pentagon the State Department and the Department of Energy; as well as large companies, including, among others, Intel, Microsoft and Cisco.
  • US Marshals Service: In mid-February 2023, the US Marshals Service reported that its systems had been breached in what it referred to as a “major incident”, stating: “The affected system contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees.” The Service clarified that the breach did not affect the Witness Security Program database.
  • Washington DC Metropolitan Police Department: Cybercriminals carried out a ransomware attack in April 2021 against the police department, and claimed to have gained access to 250 GB of data, including large amounts of personal data of police personnel and informers, as well as a “gang database.” They demanded a ransom of US$ 4 million, however the police department only agreed to pay US$ 100,000. The hackers rejected the offer and proceeded to leak the data they had stolen onto the Internet.

    According to the New York Times, this was the third attack on a police force within six weeks. It added that 26 US government agencies had been hit by ransomware since the beginning of 2021, and explained that police computers were especially vulnerable to ransomware because many run ancient systems and software. 

Some other attacks:

  • German government websites: In January 2023, following Germany’s announcement that it would send Leopard tanks to Ukraine, Russian cyber attackers launched a DDoS strike against German government sites. German airport sites and banking sites were also attacked, although with little effect, as protective measures had been implemented.
  • Australian Fire & Rescue Service: Fire Rescue Victoria (FRVP), which operates 85 stations in the state of Victoria and employs some 4,500 operational and corporate personnel, was targeted in a cyberattack in mid-December 2022. The attack caused widespread IT outages and the theft of data on employees, contractors and more, but reportedly did not impact emergency response services.
  • US federal agencies: At least two federal agencies were targeted from mid-June to September 2022 in a widespread cyber campaign that involved the use of legitimate remote monitoring and management (RMM) software to perpetuate a phishing scam. The attacks were financially motivated; however, the perpetrators can weaponize the access to information to carry out additional malicious activities, including selling the access to other hacking crews (The Hacker News).
  • Bernalillo County, New Mexico, USA: The State of New Mexico’s most populous county was targeted in a ransomware attack that took place in January 2022, and whose impact was still felt months later. The county was forced to close its downtown headquarters for several days, as well as to lock down its metropolitan detention center. Additionally, it was unable to provide services involving legal documents and real estate. The County managed to recover from the attack without paying the ransom.
  • Belgian Ministry of Defense: In December 2021, the Ministry informed that its computer network had been attacked. It provided no further information, other than that the attack resulted from exploitation of the Log4j vulnerability, which according to Microsoft, state-sponsored hackers from China, Turkey, Iran and North Korea have started testing and exploiting.
  • Canadian government: In August 2020, the Chief Information Officer of the Canadian government announced: “…a CRA (Canadian Revenue Agency) portal was directly targeted with a large amount of traffic using a botnet to attempt to attack the services through credential stuffing”, adding that the portal was shut down out of an abundance of caution. According to Canadian officials, about 300,000 attempted attacks aimed at accessing accounts on at least 24 government systems took place over the same weekend.
  • Belgian police unit: CPO Magazine reported in late 2022 that the Belgian police unit of Zwijndrecht sustained a ransomware attack by a group that mistook it for the town’s municipality. The source added that the leaked data included investigation reports, criminal records, thousands of license plates, traffic fines, personnel files, telephone research, and crime files, including child abuse images. The leak also exposed traffic camera recordings that could uncover people’s whereabouts at specific times, thus violating their privacy and endangering their safety, as well as names, phone numbers, and subscriber and SMS metadata of people under covert police investigation. This information could alert the suspects of ongoing investigations, allowing them to destroy evidence and eliminate potential witnesses. Although the data accessed was of a small police unit, it covered 18 years of operation, affecting thousands of people and a large number of cases.
  • Costa Rica government bodies: In May 2022, the Costa Rican president declared a national emergency following a ransomware attack by the Conti group against multiple government bodies. The most hard hit was the country’s Ministry of Finance. The attackers then proceeded to publish almost all of the 672GB of data it had stolen.

ACID offers cybersecurity for state and local government agencies

ACID offers effective cybersecurity services for state and local government entities: It deploys clusters of bots and implements advanced AI algorithms in order to detect the first hint of an attack in the clear, deep and dark web, as well as in multiple other sources, as early as in its initial planning phase. Once such an intent is detected, ACID alerts the targeted entity in real time, transferring all the available information to it – including screenshots of threats detected on the dark web and deep web, to provide the most comprehensive and accurate information. ACID continues to monitor the sources, using client-specific keywords in several languages, and provides updates with any additional data as it becomes available. While ACID continuously monitors a very large number of sources, additional ones can be easily included in the search.

The real time alerts provided by ACID at the first sign of an attack, and the subsequent updates with additional information as it becomes available, enable the IT teams of the targeted state or local government entity to prepare and implement countermeasures that will mitigate the impact of the attack, or possibly thwart it altogether.