Thanks to its vast collection of private data, the public sector is often a top target for cybercriminals. Federal, state and local governments collect Social Security Numbers, contact information, health information, work history, financial information and many other data points. This makes their databases full of attractive information for criminals, including those who want to commit SSN theft. A single data breach can expose millions of individual records.
Some criminals target the government directly. They may try to steal information about private citizens, or steal government secrets and sell them to the highest bidder. In other cases, sensitive information is stolen in order to commit tax fraud.
Complex Malware
Cyberattacks on public sector organizations take many forms, but they are often the work of organized criminal networks exploiting vulnerabilities in systems. One notable tool is TrickBot, which began as a banking trojan but evolved into a modular platform for a range of cyber crimes, including credential harvesting, crypto-mining, ransomware deployment and theft of point-of-sale data. An associated component used Domain Name System (DNS) tunneling, hiding data inside DNS queries and responses to send commands to and receive data from compromised victim machines.
BazarLoader and BazarBackdoor used similar techniques in early 2020 to infect victim networks. Many of these intrusions ended with ransomware, malware that encrypts files or private data and demands payment for their release.
Another form of ransomware frequently used against these organizations is Ryuk, which first appeared in 2018 as a derivative of an earlier ransomware family. In these attacks the loaders that delivered Ryuk stole credentials and spread through the network, and Ryuk then encrypted files and locked legitimate users out.
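The DNS tunneling mentioned above hides data in the labels of DNS query names, which gives defenders something concrete to look for in resolver logs. The following is an added example, not code from the article or from any of the tools it names: a heuristic detector that scores query log lines for long, high-entropy subdomains, bulk-data record types and a stream of distinct subdomains under one parent domain. The log format, the sample lines and the thresholds are assumptions for illustration, and the parent domain is approximated as the last two labels; a real deployment would use the public suffix list and tune the thresholds against its own baseline.

```python
"""Heuristic DNS tunneling detector over resolver query logs.

Added example, not from the original article. Tunneling tools encode
data in DNS query names, so their queries show long, high-entropy
subdomain labels, bulk-data record types (TXT/NULL) and a stream of
unique subdomains under one parent domain.
"""
import math
import re
from collections import defaultdict

# Tunable thresholds (assumed values; tune against your own baseline).
MAX_NAME_LEN = 40          # ordinary names are rarely this long
ENTROPY_THRESHOLD = 3.5    # bits/char; hex or base32 payloads sit near 4+
MIN_UNIQUE_SUBDOMAINS = 3  # distinct subdomains seen under one parent
BULK_RECORD_TYPES = {"TXT", "NULL"}

# Constructed sample log: "timestamp client qname qtype" (assumed format).
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.1.2.3 www.example.gov A
2024-05-01T10:00:02 10.1.2.3 mail.example.gov MX
2024-05-01T10:00:03 10.1.2.9 a9f3c0e1b2d4f6a8c1e3b5d7f9a2c4e6.t.evil-example.net TXT
2024-05-01T10:00:04 10.1.2.9 b7e2d1c0f9a8b6d5e4c3f2a1b0d9e8c7.t.evil-example.net TXT
2024-05-01T10:00:05 10.1.2.9 c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6.t.evil-example.net TXT
2024-05-01T10:00:06 10.1.2.9 d4f6a8c1e3b5d7f9a2c4e6a9f3c0e1b2.t.evil-example.net TXT
2024-05-01T10:00:07 10.1.2.3 cdn.example.com A
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return {"ts": ts, "client": client,
            "qname": qname.rstrip(".").lower(), "qtype": qtype.upper()}


def split_name(qname):
    """Split into (subdomain, parent). Parent = last two labels; a real
    deployment should use the public suffix list instead."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits per character of the string s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_query(qname, qtype):
    """Per-query indicators; returns (parent, subdomain, reasons)."""
    sub, parent = split_name(qname)
    reasons = []
    if len(qname) > MAX_NAME_LEN:
        reasons.append("long name")
    if shannon_entropy(sub) > ENTROPY_THRESHOLD:
        reasons.append("high entropy")
    if sub and qtype in BULK_RECORD_TYPES:
        reasons.append("bulk-data record type")
    return parent, sub, reasons


def detect(log_text):
    """Return one alert dict per suspicious query, in log order."""
    seen_subs = defaultdict(set)   # parent -> distinct subdomains seen
    scored = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parent, sub, reasons = score_query(rec["qname"], rec["qtype"])
        seen_subs[parent].add(sub)
        scored.append((rec, parent, reasons))

    alerts = []
    for rec, parent, reasons in scored:
        # The aggregate indicator needs the whole log, so it is applied
        # in a second pass once every parent's subdomains are counted.
        if len(seen_subs[parent]) >= MIN_UNIQUE_SUBDOMAINS:
            reasons = reasons + ["many unique subdomains"]
        if reasons:
            alerts.append({"ts": rec["ts"], "client": rec["client"],
                           "qname": rec["qname"], "parent": parent,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts']} {a['client']} {a['qname']}: {', '.join(a['reasons'])}")
```

Run against the constructed log, the four queries to evil-example.net are flagged on every indicator while the ordinary lookups of example.gov and example.com are not. Any single heuristic produces false positives (content delivery networks and some anti-spam services also use long, random-looking names), so in practice the per-query scores are best combined with the per-parent count and with an allow list of known-good domains before paging anyone.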
Detect and Defend
Governments can implement a number of strategies that help identify, detect and respond to potential cyberattacks. Some of the most effective include:
- Requiring strong, unique passwords for every account, so that one stolen credential does not give an attacker access to several, and changing them promptly after a suspected compromise
- Using multi-factor authentication whenever possible
- Disabling remote access to devices and networks that is not actually needed
- Installing security patches
- Operating the latest version of software, operating systems and firmware
- Controlling which individuals will have access to sensitive information
- Identifying where sensitive data lives and keeping backups of it current
- Automatically updating antivirus and anti-malware programs
- Regularly backing up data and keeping at least one copy offline, where ransomware cannot reach it
- Providing training to key personnel on cybersecurity threats
In addition to following these best practices, public sector organizations should create a cyber incident response plan that accounts for how interconnected their systems are and for the organization's role in society. The plan should identify who must be notified in the event of an attempted or suspected data breach, as well as the physical and virtual tools that will be used to respond.
If you discover a data breach, report it immediately to management, then follow the mitigation steps in your incident response plan. Developing an incident response and recovery plan before an attack occurs minimizes the damage and gives you a concrete plan to work from when it matters.
Cooperate with authorities to identify the attackers and prevent similar attacks in the future. Consider joining an information sharing and analysis center (ISAC) for your sector, such as the MS-ISAC for state, local, tribal and territorial governments, to exchange threat information and best practices with peers. Government agencies generally advise against paying ransoms, because there is no guarantee that the attacker will provide a working decryption key or delete stolen data even if you pay, and every payment funds further attacks.
The public sector holds a treasure trove of sensitive data, so those responsible for safeguarding these networks must take every potential threat seriously. By strengthening your cybersecurity efforts and learning to recognize the signs of an attempted attack, you can help protect your organization against the latest threats.
David Lukić is an information privacy, security and compliance consultant at IDstrong.com.