Attackers waited until holidays to hit US government

The government industry in the United States dealt with heavy hitting breaches against local, federal, and state government networks, primarily during the first quarter of 2021.

Our telemetry revealed a small spike in a generic backdoor detection, known as Backdoor.Agent, during March of 2021, mainly focused in Memphis, Tennessee. This data coincides with the attack on the Azusa Police Department in California; however, it reveals even more about the attacks observed the following month.  

During April of 2021, at least three notable attacks against government services made the news, this included the New York Metropolitan Transport Authority (MTA), the Illinois Attorney General’s office, and the Washington DC Police Department. During this same month, we also observed the beginning of a surge of exploits and AI detected threats that dominate the rest of 2021.

easset upload file17739 228182 e

Our top spike for the period follows the detection of the exploit CVE-2021-21551 (Dell System Driver) and all the nasty threats it brought with it. Despite this, we were unable to correlate any newsworthy breach to this month. So, we can assume that the increase in detections was an onslaught of attempts to breach networks, shortly after the release of the Dell driver exploit. We can also make assumptions about this effort leading to numerous breaches and installations of backdoor malware, waiting dormant until later in 2021 and 2022 before launching a full attack.

Those most hammered by these exploit attempts were government organizations in Michigan and New Jersey.

The detection of this exploit slows as the year goes on, dwindling to almost nothing by May of 2022. This matches up with our detections of unidentified, AI detected malware. Despite that, a series of unspecific exploits battered the industry in late October, spiking in November and into December, when the Maryland Department of Health, the Virginia State Government and the Hawaii Timekeeping Services were all breached and disrupted, some due to ransomware, others to stolen data.

easset upload file7478 228182 e

In addition to the push of exploits, the notorious TrickBot trojan has been lurking in the detections of this industry, staying mostly steady with only a 1.2 percent share of threats during the analyzed time period. Despite this, the small spikes of this threat in March, June, and November of 2021 seem to mostly align with major reported breaches.

Based on our data, there is a case to be made about government industry targeting, mainly taking place during the beginning and end of the year, a time notoriously known for vacation, reorganization, and reduced security staff.

Our best recommendation for this industry, beyond ensuring that proper patching and threat detection software are deployed on every endpoint, is to consider to major factors when planning for a cyber-attack. First is timing, the second is reducing operational disruption. 

Timing can be addressed by understanding not only when the attackers are coming after an organization, but also when an organization might be most vulnerable. For example, if you know that your staff will be reduce to only 25 percent during November, December, and January, for the holidays, you might not need to keep as many security staff on hand since there are fewer users.  This is a perfect opportunity for an attack that may have breached the network months prior, to finally achieve its purpose and attack the network while it’s less guarded.

So, by knowing the trends of government organization attacks, we recommend not reducing security staff during the holidays, if anything, you need to have more eyes on the network, looking for anything that might stand out as odd when the network is meant to be relatively quiet. This might be achieved by bringing in additional security staff for the season, allowing for security staff to take vacations around the usual holidays, if possible, and in some cases, making it possible for security and IT admin to remotely investigate threats through a cloud-based remote console.

The second recommendation is reducing operational disruption. When a restaurant gets hit by ransomware, it takes down the restaurant’s operations for a time, but the damage typically doesn’t go far beyond the restaurant’s walls. When a state or local government network is breached and hit by ransomware, because of the interconnected nature of government and public services, such an attack can disrupt entire cities and states, quickly creating chaos. It’s imperative to ensure that in the case of any type of cyberattack, there is some way to continue operations, be it at a backup site, using pen and paper, or having employees work remotely. The more pressure an organization is under to get things back to normal, the more leverage the attackers have against that organization.

Following these tips will not only reduce the damage done by these attacks, but likely increase the confidence that civilians have in the security of their government organizations.