Risk Management

The State of Cybersecurity: Local Governments

The City of Dallas fell victim to a crippling ransomware attack on May 3rd, an event from which it has only recently recovered, well over a month later. At its worst, the attack impacted a wide variety of city services including the municipal court systems, library networks, emergency services like police and fire rescue, and critical infrastructure systems. Police Sgt. Sheldon Smith said that the disruption to emergency services and technology required the department to “work like it’s 1965.”

Dallas is not the only local government facing critical ransomware attacks. In the past few months, San Bernardino County; Oakland, California; Lowell, Massachusetts; and more have been hit by ransomware attacks, often coupled with data leaks. City and local governments are a target-rich option for malicious actors because they are often spread across a range of departments with widely varying cybersecurity hygiene. Though it may be more difficult to break into a police department, hacking a library system that is fairly open by nature may prove an easier entry point into a broader network from which an attacker can move laterally.

These governments often have a treasure trove of sensitive information they are expected to keep safe, including information like PII (personally identifiable information), PHI (personal health information), criminal and financial records for individuals and businesses, and many others that can be used by threat actors for malicious activities.

City and local governments face the full gamut of cyber threats: state actors, criminal groups, insider threats, and hacktivists. With such an expansive array of threats, it is necessary for these governments to have a handle on the most pressing concerns for their cybersecurity so they can best equip themselves to deal with them.

State Actors

State actors in cybersecurity span a range of groups, including those that are state-permitted, state-sponsored, and state-run. For our purposes, we will not make a distinction and will instead put them all into the state actor bucket.

State actors are typically more sophisticated threat groups with specific strategic objectives that support the political, military, diplomatic, or economic goals of the state. These groups are often identified by cyber threat research groups as “Advanced Persistent Threats” or APTs. These groups are often the easiest to attribute attacks to because they are established groups that typically stay more-or-less the same over the years, often using and reusing tools, tactics, or procedures (TTPs) that researchers can learn and track.

With a majority of government information technology leaders naming foreign governments as their greatest cybersecurity concern, it is important to understand these threats to be able to combat them. While local governments are not always the primary target of state cyber activity, they provide an excellent vector for accessing affiliated organizations in critical infrastructure, education, defense, or other sectors that do significant business and correspondence with a local government. This means that one of the best ways to understand the groups that pose the greatest threat to your organization is to know what industries you interact with the most.

For example, a city with a Navy base in its borders would need to be especially concerned with Chinese threat groups like APT 40, APT 23, and APT 14, which are all seemingly tasked with gathering information via cyber espionage about naval research and capabilities. The parish government for Bossier Parish in Louisiana, which is home to a major Air Force base, would need to give particular attention to groups like Iran’s APT 33 and China’s APT 31, APT 26, APT 18, and APT 27. Cities like Pensacola, Florida, which is home to a number of military bases for 3 different branches, should give attention to all of these groups along with general defense-focused groups like APT 28 (Russia) and APT 12 (China).

Cities and counties with a heavy concentration of energy or oil/natural gas industry should stay up-to-date on any advisories for groups like Iran’s APT 35, APT 34 and APT 33, China’s APT 27, APT 26, APT 15, and APT 1, and the Russian groups Energetic Bear and Sandworm. Cities and counties with ports should focus on groups like APT 17 and APT 40 (China), APT 33 and APT 39 (Iran). Governments covering universities, especially research universities, should heed advisories on all Chinese groups and Russia’s APT 29 and Energetic Bear groups.

Localities with universities, especially those known for research, should be aware of Chinese groups like Mustang Panda, Deep Panda, and APT 40, as well as the Iranian group Silent Librarian, known for targeting institutions of higher education for espionage and research theft.

Criminal Groups

In 2021, 58% of local governments were victims of a ransomware attack, making up 44% of all ransomware attacks globally. While these numbers are a bit out of date, the trend has not only continued but escalated since the most recent studies were conducted. Criminal ransomware threats are the greatest cyber threat local governments currently face.

Criminal groups’ primary motivation for attacking any organization is financial gain. Because local governments often lack the resources to heavily invest in cybersecurity, they often make up a large part of the “lowest hanging fruit” that ransomware groups target. According to our research, many city and county governments not only have trouble pointing to a primary person responsible for cybersecurity, many do not even have one to point toward. 

Unlike with state actors, knowing the enemy in the criminal space does not necessarily give significant insight or aid in preparation against ransomware attacks. Ransomware has become a booming business with different groups specializing in each stage of the process from initial access brokers to intrusion teams to negotiation specialists. The complex web of the ransomware market makes attribution very difficult (unless a group publicly claims the attack) and largely unhelpful. Even when groups become so well known that law enforcement can identify individual actors to arrest or a named group to take down, it is incredibly easy for the individuals within the group to reorganize under a new name and continue operations as usual. 

The most important thing for organizations to keep in mind when defending against ransomware is that the vast majority of those hit by these groups are targets of opportunity. Criminal groups’ goal of financial gain means that they are generally target agnostic and will hold any group they can get a foothold in for ransom. This means that to best protect an organization, the main goal is to take care of the aforementioned low-hanging fruit: consistently deploy multi-factor authentication, have good asset management and visibility practices, ensure consistent patch management, and back up everything.

Insider Threat

Insider threats are those threats posed by employees and others working within an organization. While there are intentional insider threats, the majority of risk posed by this group is unintentional. Human error, or unintentional insider threat, is the leading cause of cyber attacks, accounting for over 80% of incidents, according to the Harvard Business Review. These risks can include anything from clicking on phishing emails to falling for business email compromise schemes to accidental disclosure of confidential information.

Intentional insider threats are those posed primarily by disgruntled employees or those looking to sell information for personal gain. These insiders may work with a criminal or state group to provide information about the organization’s intellectual property and/or network vulnerabilities.

The best mitigations for insider threats, both intentional and unintentional, are regular cybersecurity training, data loss prevention (DLP) solutions, internal network segmentation, and properly configured access management. As part of efforts to cut down on accidental leaks, it is crucial to ensure your organization has clear information sharing guidelines for cloud sites like GitHub and ChatGPT and to track information shared through these websites.

Hacktivism

Hacktivists use cyber operations as a way to advance political, religious, or other ideological goals. Many hacktivist activities resemble physical activism, such as defacement of websites or distributed denial of service (DDoS) attacks that prevent users from accessing a website. For the most part, these activities are used to draw attention to an issue the group finds important but will not cause long-term damage.

One of the longstanding hacktivist groups is the worldwide Anonymous Group. Anonymous is a loosely connected group of hacktivism cells that are all working toward similar political goals. The vast majority of Anonymous attacks are DDoS or defacement operations that do not leave lasting damage beyond sending a message. 

However, the hacktivism threat landscape has expanded into data leaks, primarily of information that would be embarrassing or damaging to the company or organization that was targeted. Guacamaya is a well-known hacktivism group that was especially active last fall with releases of information about Chile’s exploration of spyware, Australian police operations, various Central and South American governmental efforts to repress indigenous populations, and much more.

Until recently, the United States was spared significant intrusion by hacktivist groups. This month, the City of Fort Worth became the victim of a hacktivist-backed data breach and leak. The hacktivist group SiegedSec stated that its “intention throughout [the] operation was to make a statement and encourage others to do the same” following the passing of anti-trans legislation in Texas. Fort Worth denies that the leaked information was gathered through a cyber operation and says that all of it was accessible via public records requests. Regardless, hacktivism has arrived in the United States, and local governments may see an increase in this kind of cyber operation as domestic politics continue to polarize.

It Takes a Village

Private enterprises should lobby for cybersecurity funding for local and state governments where they rely on their critical infrastructure. Imagine the worst case, in which no water, energy, or transportation can reach key facilities. The funding request-to-implementation cycle, which may take 18 months, is a perfect opportunity to engage with the community and city councils. Funding should cover people, process, and technology and should allow for dynamic decisions to address the threats stated above. Other opportunities include assisting local governments with training, joint cyber exercises, and RFI/RFP development.