According to Check Point research, the second-most targeted industry in the world is the government sector. In the third quarter of this year, governments were on the receiving end of 1,564 weekly attacks on average, representing a 20% increase YoY.

 

This tracks what is seen in the headlines. The Center for Strategic and International Studies has documented every significant cyberattack against a government since 2006.

The list the Center keeps is incredibly comprehensive and remarkable to look at. Nearly every major country is involved in one way or the other; the attacks range from phishing emails and malware to account takeovers and more.

These are large-scale attacks, often aimed at key infrastructure. 

We wanted to see what the smaller, yet still damaging, daily attacks look like. For this average of 1,564 weekly attacks, what is the scope? What types of attacks are featured?

In this attack brief, researchers at Avanan, a Check Point Software Company, will discuss how hackers target the government sector in a small nation located in the Western Hemisphere.  

Attack Profile

The country highlighted in this brief is a small nation in the Western Hemisphere, with a population under 100,000.

The government as a whole–meaning all its employees across all its departments–sees a daily average of 93 phishing attacks, or about 651 a week. On a yearly basis, that comes out to about 34,000 phishing attacks in total. Of these attacks, 5% will make it past default security. That’s 1,700 phishing attacks per year that make it to end users, across the entirety of the government.

However, some departments are hit far more often than others. By far, the Bureau of Standards–responsible for things like ensuring standardization across measurements, safety and more–is the most attacked department and its leaders are the most attacked people.  

Why this department was targeted more than others is not clear. In fact, some of the departments that were targeted the least were Foreign Affairs and the Attorney General’s office. 

By far, hackers tended to use the same methodology. In this case, financial attacks were the most-used attack method. Credential harvesting was a distant second. 

Email Example #1

 

This is one of the many emails from threat actors that targeted leaders at the Bureau of Standards. This email starts with a .htm file claiming that there is a voicemail transcription. We often see .htm files used to deliver malicious documents, and this case is no different. The idea of this email is to get the user to click on the voicemail link. Though office phones aren’t as popular as they once were, voicemails are still connected to email, so this is not a surprising email to see. Clicking on it, the end-user assumes, will bring them to an important voicemail.
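A triage check for the lure described above, as an added example (not Avanan's or Check Point's detection logic): it walks a message's attachments and reports .htm/.html files, whether the subject or filename uses a voicemail theme, and whether the markup contains active content. The sample message, the keyword list and the marker list are constructed assumptions.

```python
import re
from email import message_from_string, policy

# Constructed sample message for this example; every name and address is a placeholder.
SAMPLE_EML = """\
From: "Voice Service" <noreply@example.net>
Subject: New voicemail transcription (00:42)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

You have a new voice message. Open the attached transcript.
--b1
Content-Type: text/html; name="VM_Transcript_0042.htm"
Content-Disposition: attachment; filename="VM_Transcript_0042.htm"

<html><form action="https://login.example.invalid/p"><input type="password"></form></html>
--b1--
"""

LURE = re.compile(r"voice\s?mail|voice message|transcri", re.I)  # assumed keyword list
HTML_EXT = (".htm", ".html", ".shtml", ".xhtml")
ACTIVE = {  # assumed markers: markup a genuine transcript has no reason to contain
    "script": re.compile(r"<script", re.I),
    "form": re.compile(r"<form", re.I),
    "password field": re.compile(r"type=[\"']?password", re.I),
    "meta refresh": re.compile(r"http-equiv=[\"']?refresh", re.I),
}

def triage(raw):
    """Return one finding per HTML attachment in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not (name.lower().endswith(HTML_EXT) or part.get_content_type() == "text/html"):
            continue
        body = part.get_content()
        if isinstance(body, bytes):  # e.g. attached as application/octet-stream
            body = body.decode("utf-8", "replace")
        findings.append({
            "filename": name,
            "voicemail_lure": bool(LURE.search(subject) or LURE.search(name)),
            "active_content": [k for k, rx in ACTIVE.items() if rx.search(body)],
        })
    return findings
```

A finding with `voicemail_lure` set and a non-empty `active_content` list is a candidate for quarantine and sandbox analysis rather than delivery.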

 

Email Example #2



As analyzed by Check Point, this file is indeed malicious. It’s a Trojan that would work to take over the user’s computer. With high confidence, Check Point deemed this a critical risk. 

 

Email Example #3

 

This email seems much more basic, but it’s not. This is a variation of a typical Business Email Compromise attack. There’s no malicious link or attachment, no payload. Just text. That makes it incredibly difficult for security services and end-users to identify and block. If the user were to follow up on this message, it would create a string of replies that would eventually lead to the threat actor asking for payment of some kind.

Techniques

Cyberwar. Hacktivism. Nation-states and groups acting like nation-states. The average country is playing in the middle of an unprecedented cyber battlefield. Some countries are more aggressive than others, but all countries are targeted in one form or another.

Besides the potential for political destabilization, or to gain a potential strategic advantage, these attacks are also valuable because governments hold an incredible amount of personal data. From identification numbers to health information, criminal history and tax information, governments the world over are a repository of personal information. 

This combination of information and political calculation makes governments an incredibly attractive and valuable target. 

In this profile of attacks on a country, threat actors have focused on financial-based attacks that tend to target the standards bureau. However, we see most departments attacked, and with a variety of different attack types.

Every government will have a different attack profile–that will depend on its size, geopolitical considerations and more. But this is a good, general guide of what countries experience. That will allow them to tailor their defenses accordingly.