In the Crosshairs: A Detailed Look at 4 Cyberattacks Targeting Government Data

Government and public sector organizations are exposed to more cyberattacks, and more sophisticated ones, than any other sector.

Unlike private organizations, which almost exclusively face financially motivated attacks, government and public sector organizations are targeted by the full spectrum of criminal, ideological, state-sponsored, and espionage groups—with an equally broad range of motivations.

The 2023 Data Breach Investigations Report (DBIR) identified system intrusion (hacking), lost and stolen assets, and social engineering as the most prevalent threats to government organizations. These threats are consistent with the fact that attackers are often seeking more than profit—government and public sector organizations often hold highly valuable and sensitive data, and threat actors will often go to extreme lengths to obtain it.

This article discusses why cyberattacks against government targets are so common and examines four serious breaches.

Why are Cyberattacks an Issue for Government Organizations?

Government and public-sector organizations differ from private-sector organizations in many ways. Some—such as local governments—perform a far greater number of functions than any private-sector organization, making them extremely complex entities with technology profiles to match.

Naturally, this makes security a constant challenge and provides attackers with a much broader range of options when it comes to choosing targets and attack vectors.

Similarly, government organizations are targeted by a broader range of potential attackers compared to the private sector. According to the DBIR, roughly 30% of attacks against public sector targets are motivated by espionage, 2% are ideological, and the remaining 68% are financially motivated. As you’d expect, the tactics and techniques used in each of these categories vary significantly, creating further difficulties for cyber defenders.

And then there’s cost. The 2023 Cost of a Data Breach study found that government organizations spent an average of $2.6 million to recover from a data breach in 2023—an increase of over 25% from $2.07 million in 2022.

The study also determined that the government and public sector is the 6th most targeted overall, accounting for 7% of all data breaches.

4 Recent Government Cyberattacks

1. City of Oakland Declares State of Emergency

In February 2023, the City of Oakland, California, declared a state of emergency after a ransomware attack. Essential services such as 911 were unaffected; however, many non-emergency systems were taken offline while the City’s IT department worked to resolve the incident, and some government buildings were forced to close temporarily.

In a statement issued shortly after the attack began, the City stated: “The network outage has impacted many non-emergency systems, including our ability to collect payments, process reports, and issue permits and licenses. As a result, some of our buildings are closed. We encourage the public to email the service counters they want to visit before coming to City buildings.”

The update also stated that the City was “following industry best practices and developing a response plan to address the issue,” although the specific response actions were not detailed. The City sought help from “a leading forensics firm” and “some of the industry’s top experts” to support its response efforts, and the investigation involved multiple local, state, and federal agencies.

The attack had significant ongoing consequences for the administration. In an update more than 10 weeks after the initial incident, the City was still in the process of restoring some non-essential systems. Staff were also still dealing with a significant backlog of resident requests, some of which had been submitted prior to the attack.

“This has been challenging for our community and our staff, and we extend our deepest gratitude to everyone for their support in the face of this cyber threat,” said Oakland’s CIO, Tony Batalla.

The attack was later attributed to the threat group Play, which publicly claimed responsibility and published around 10 gigabytes of files stolen from the City of Oakland on its website. During the attack, the group stole a decade’s worth of sensitive data from the City’s servers, including data related to employees in the police and other sensitive roles.

2. 40 Million Voters’ Data Stolen in Attack on UK Electoral Commission

In mid-2023, the UK Electoral Commission publicly disclosed that it had been targeted by a “complex cyberattack.” The attack resulted in the theft of personal data relating to everyone in the UK who registered to vote between 2014 and 2022—roughly 86% of all British adults as of 2022.

The affected data included information belonging to millions of UK citizens who had opted out of public registers, making this one of the largest breaches suffered by a UK Government organization.

Incredibly, the attackers had managed to dwell in the Electoral Commission’s systems for 15 months while remaining undetected. It’s been hypothesized that this implies the attackers were motivated by more than simple financial gain and were instead searching for something specific.

In a series of statements through its official Twitter account, the UK Electoral Commission claimed it had taken almost a year to disclose the attack because:

“We needed to remove the actors and their access to our system, assess the extent of the incident, liaise with the National Cyber Security Centre and ICO, and put additional security measures in place before we could make the incident public.”

When asked if the attack might result in manipulation of the next UK General Election, the Commission stated:

“There has been no impact on the security of UK elections. The data accessed does not impact how people register, vote, or participate in democratic processes. It has no impact on the management of the electoral registers or on the running of elections.”

As to whether this attack demonstrated highly sophisticated tactics on the part of the attackers… the evidence suggests not.

Following the Electoral Commission’s announcement, it was reported that the organization had received an automatic failure during an audit for Cyber Essentials, a UK Government scheme that aims to bring organizations up to a minimum level of cyber readiness. A whistleblower brought this revelation to the attention of the BBC.

3. Chinese Hackers Breach U.S. Government Email Accounts

According to reports from U.S. officials and Microsoft, Chinese hackers covertly accessed email accounts belonging to individuals at over two dozen U.S. organizations, including at least two U.S. Government agencies—the State and Commerce Departments. Official government statements put the number of affected agencies “in the single digits.”

A Microsoft statement claims the attacks lasted around a month, starting in mid-May 2023. They appear to have been a highly targeted spying operation, possibly sponsored by the Chinese Government.

While motivations can only be guessed at, it appears the attackers attempted to gain access to email accounts belonging to members of the House of Representatives. It’s unclear who was targeted or which accounts were breached. Secretary of Commerce Gina Raimondo’s email account was also hacked, making her the only known Cabinet-level official to be affected.

Microsoft attributed the attacks to “a China-based actor” which it designates Storm-0558. The hacking group is well known to target government agencies in Western Europe using espionage, data theft, and credential access tactics. Microsoft did not state whether the group is funded or directed by the Chinese government, although historically, most sophisticated groups operating out of China have been associated with the government to some degree.

The attackers accessed the targeted email accounts with forged authentication tokens, signed using stolen Microsoft Account (MSA) consumer signing keys. This tactic—essentially, a simple credential misuse attack—is extremely common in espionage campaigns, as accessing email accounts is among the easiest and best ways to acquire large amounts of highly sensitive information.
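The defensive lesson behind a forged-token attack is that a token is only as trustworthy as the binding between its signing key and the issuer and audience it claims. The following is an added illustration written for this article, not code from Microsoft or from the original post: it uses a constructed JWT-shaped token with HMAC-SHA256 as a stand-in for real asymmetric signing, two hypothetical keys (a "consumer" key and an "enterprise" key) and hypothetical issuer and audience names. A loose validator that trusts any key in its keyring accepts a token minted with the consumer key even though it asserts enterprise claims; a strict validator that checks which issuer a key is authorized to sign for, and then checks the `iss` and `aud` claims, rejects it.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo keys (hypothetical; not real signing material).
# Each key records the one issuer it is authorized to sign tokens for.
KEYRING = {
    "consumer-key-1": {"secret": b"consumer-secret-demo", "issuer": "https://consumer.example/"},
    "enterprise-key-1": {"secret": b"enterprise-secret-demo", "issuer": "https://enterprise.example/"},
}

ENTERPRISE_ISSUER = "https://enterprise.example/"   # hypothetical issuer name
MAIL_AUDIENCE = "mail-service"                      # hypothetical audience name


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint an HMAC-SHA256 token shaped like a JWT: header.payload.signature."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYRING[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def _split(token: str):
    """Return (header, claims, signature bytes, signed portion) or None if malformed."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    return json.loads(_unb64(head)), json.loads(_unb64(body)), _unb64(sig), head + "." + body


def validate_loose(token: str) -> Optional[dict]:
    """Weak validator: any key in the keyring is trusted if the signature checks out."""
    parsed = _split(token)
    if parsed is None:
        return None
    header, claims, sig, signing_input = parsed
    key = KEYRING.get(header.get("kid"))
    if key is None:
        return None
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return claims if hmac.compare_digest(sig, expected) else None


def validate_strict(token: str, expected_issuer: str, expected_aud: str) -> Optional[dict]:
    """Hardened validator: the key must be authorized for the expected issuer,
    the signature must verify, and the iss/aud claims must match what this
    service expects."""
    parsed = _split(token)
    if parsed is None:
        return None
    header, claims, sig, signing_input = parsed
    key = KEYRING.get(header.get("kid"))
    if key is None or key["issuer"] != expected_issuer:
        return None  # key exists but is not authorized to sign for this issuer
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if claims.get("iss") != expected_issuer or claims.get("aud") != expected_aud:
        return None
    return claims


def demo() -> dict:
    """Compare both validators on a legitimate token and on one signed with the
    wrong (consumer) key but carrying enterprise claims."""
    claims = {"iss": ENTERPRISE_ISSUER, "aud": MAIL_AUDIENCE, "sub": "official@enterprise.example"}
    forged = sign_token("consumer-key-1", claims)      # wrong key for these claims
    legit = sign_token("enterprise-key-1", claims)
    return {
        "loose_accepts_forged": validate_loose(forged) is not None,
        "strict_accepts_forged": validate_strict(forged, ENTERPRISE_ISSUER, MAIL_AUDIENCE) is not None,
        "strict_accepts_legit": validate_strict(legit, ENTERPRISE_ISSUER, MAIL_AUDIENCE) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is that signature verification alone says only "someone holding this key signed this"; the validator must also decide whether that key was ever allowed to vouch for the issuer and audience the token names. Real deployments should additionally check expiry and token age and log every rejection with the `kid` involved, since a burst of signatures from a key outside its expected scope is a useful detection signal.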

In a July statement, the Cybersecurity and Infrastructure Security Agency (CISA) said it learned of the attack campaign in mid-June 2023. In an advisory published on its website, CISA stated:

“In June 2023, a Federal Civilian Executive Branch agency identified suspicious activity in their Microsoft 365 cloud environment. The agency reported the activity to Microsoft and the Cybersecurity and Infrastructure Security Agency and Microsoft determined that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data.”

As is often the case with espionage campaigns, the consequences of this attack remain unknown. The group responsible may or may not have accessed highly sensitive information that could be used by one or more hostile government agencies.

4. Federal Agencies, State Governments, and More Breached by Russian Cybercriminals

A massive attack campaign conducted by Russian cybercrime group Clop in mid-2023 targeted organizations worldwide that were customers of Progress Software. Victims included large enterprises and government agencies, among them multiple U.S. state governments and federal agencies.

CISA did not confirm specifically which U.S. federal agencies were affected by the attack, although CISA director Jen Easterly stated she’s confident there won’t be “significant impacts.” Sadly, the same can’t be said for many other government entities in both the U.S. and Europe.

The Maine state government was among the most severely compromised U.S. targets. Via its website, it disclosed that social security numbers, birthdates, and driver’s license numbers of up to 1.3 million individuals had been accessed as a result of the MOVEit attack.

To conduct the widespread attack, Clop exploited a zero-day vulnerability in the widely used enterprise file-transfer application MOVEit. Ironically, many large enterprises and government entities chose MOVEit because of its strong cybersecurity profile.

In the immediate aftermath of the attack, CISA ordered federal civilian agencies to implement a security patch issued by Progress Software. Progress went on to issue several more security patches in the following months that were not directly related to the initial vulnerability but addressed similarly exploitable weaknesses in MOVEit.

However, in many cases, data had already been stolen—either directly from the affected organization or due to the compromise of trusted third-party partners and vendors. One example of the latter was U.S. government services contractor Maximus, which confirmed attackers had accessed protected health information (PHI) relating to 11 million individuals.

Protect Your Government Organization from IoT Threats

Securing a government or public sector organization is far from straightforward. So, while the attacks described here are concerning, they’re hardly surprising.

So, what can you do?

One major cause of cybersecurity risk in the public sector is the high prevalence of connected devices and IT systems—everything from online registration systems and smart cities to staff-owned mobile devices, vehicle trackers, and more.

Securing network access and managing vulnerabilities across such a diverse network environment is tough. But that’s where we come in. Asimily’s platform streamlines IoT security, making it easy to lock down traffic, monitor traffic sources, and identify unusual connections. 

Government and public-sector organizations can use Asimily’s Risk Simulator to assess mitigation options for individual vulnerabilities and devices before implementing fixes. This can help them prioritize their efforts, identify high-risk devices, and avoid wasted effort.

Asimily understands your unique environment and provides real-time, actionable remediation steps to reduce risk and save time—making our customers 10X more efficient at resolving IoT security risk.

To find out how Asimily can help minimize the risk of connected devices at your organization, download our white paper, IoT Device Security in 2024: The High Cost of Doing Nothing. To get started immediately, contact us today.
