Analytics

The public sector plays a key role in the functioning and development of society by providing citizens with access to essential services such as healthcare, education, security, and social protection, as well as performing regulatory functions, infrastructure development, and business support. In today's world, government institutions are also responsible for managing vast amounts of data, including citizens' personal information, financial records, and strategic information crucial for national security.

Introduction

To adapt to the digital age and leverage its advantages for maximum efficiency, the public sector in many countries is undergoing digital transformation. In 2022, almost all countries (29 out of 30) in the Organisation for Economic Co-operation and Development reported that they were developing and implementing national digital government strategies. In Europe, according to the Digital Decade strategic program, the goal is to make all essential government services available online by 2030 and provide digital identification to all citizens. By 2030, Russia is planning for 100% of employees of executive authorities to use government communication services in their work, all government services to be available online, and 90% of mandatory reporting documents to be collected and stored electronically.

The higher the level of digital development, the more dependent the government becomes on technology. The rapid pace of technological advancement is not always matched by a corresponding increase in cybersecurity. Cyberthreats such as cyber espionage, hacktivism, and cyberattacks aimed at extortion or disruption pose a serious threat to the public sector. Malicious actors, whether individuals, organized criminal groups, or hacktivists, seek to gain access to confidential information, disrupt government systems, and obtain economic, political, or strategic benefits from this.

The large volume of data accumulated in government information systems and the critical importance of government functions make the public sector the most frequent target for cybercriminals: our data shows that over the past six years, the public sector has been the most hit by successful cyberattacks. In 2023, 15% of all successful attacks on organizations were in the public sector. This trend continued in the first half of 2024, with the figure standing at 14%.

Figure 1. Share of attacks on organizations (percentage of total attacks on organizations)

About this study

This study presents the current landscape of public sector cyberthreats, based on data on successful cyberattacks from 2022 through the first half of 2024. During our investigation into the shadow market, we analyzed 213 sources, including Telegram channels and dark web forums with a total of over 38 million users and more than 155 million messages. The sample included major platforms in various languages with a variety of different topics and themes. For the access market analysis, we reviewed advertisements published in 2023–2024.

In this study, we will look at how malicious actors operate and the consequences faced by government institutions, the role of the shadow market, why the public sector remains the leader in the number of incidents, what events are considered non-tolerable¹for government organizations, and how to prevent them.

1. A non-tolerable event is an event caused by a cyberattack that prevents the organization from achieving its operational or strategic goals or leads to significant disruption of its core business.

This report contains information on current global cybersecurity threats based on Positive Technologies own expertise, investigations, and reputable sources. This report considers each mass attack (for example, phishing emails sent to multiple addresses) as one incident, not several. For explanations of terms used in this report, please refer to the glossary on the Positive Technologies website.

How attackers operate

The most popular targets for attackers over the entire period under review were computers, servers, and network equipment, which were the focus of 80% of successful attacks.

Government institutions employ a large staff, who are also vulnerable to attacks: in almost half of the incidents (47%), attackers exploited human errors using social engineering methods. People are increasingly becoming the targets of attacks: the number of incidents grew from 43% in the first half of 2023 to 49% in the second half and 57% in the first half of 2024.

Web resources were targeted in 36% of successful attacks. In the strained geopolitical climate, the threat of attacks from hacktivists has increased significantly. Their favorite methods include mass DDoS attacks and website defacements, which we will discuss in more detail later.

Figure 2. Targets of attacks (percentage of successful attacks)

The most common method used by attackers is malware. Over half of successful attacks (56%) were carried out using malware, and the popularity of this method is only increasing (48% of incidents involving malware in 2022, 57% in 2023, and 68% in the first half of 2024).

Malware attacks can have devastating consequences and lead to serious disruptions and data breaches. In April 2023, a ransomware attack by Royal on the computer servers of the Dallas city administration caused system failures for the police, courts, 911 services, online bill payments, and public libraries. As a result of the breach, the attackers accessed 1.2 TB of confidential data of more than 26,000 individuals.

Figure 3. Methods of attacks (percentage of successful attacks)

One of the main reasons why malware is so frequently used in attacks is its simplicity and effectiveness. Many types of malware include automated tools for performing various malicious actions, such as remote code execution, movement within the perimeter, encryption, and data theft. This allows attackers to reduce their workload and focus on planning and coordinating attacks, developing targeted phishing campaigns, and utilizing stolen data.

Another important factor is the shadow market, which contains both offers for buying and renting ready-made malware and for developing it to order. In our malware research, we found that on shadow platforms, the price of malware starts at $50 and can go up to $80,000 for a program. Both simple stealers and complex multifunctional loaders and custom spyware are available for sale. The availability and variety mean each attacker can find a tool that best suits their goals and budget, and provides a low entry threshold for novice attackers.

Figure 4. Types of malware (percentage of successful malware attacks)

Ransomware has been the most popular type of malware in attacks on government institutions year on year. However, this popularity is decreasing: the share of successful ransomware attacks in the first half of 2024 was 43%, which is 4% lower than in 2023 and 14% lower than in 2022. Also, ransomware attacks are less common in the public sector compared to others. Throughout the period under review, ransomware was used in almost half (49%) of cyberattacks using malware on the public sector, which is less than the same indicator for the medical, industrial, financial, and other sectors. Key factors influencing this trend include the shutdown of major criminal groups and the leakage of source codes for popular tools. Additionally, many countries are legislating against paying ransoms to attackers, making government institutions less attractive targets for financially motivated criminals. This practice has proven to be effective, so implementing bans on ransom payments at the government level is recommended for reducing ransomware attacks.

Despite government institutions being least likely to meet criminals' ransom demands, they remain targeted by attackers, not so much for financial gain but for disrupting operation, destruction and theft of data.

In 2022, the activities of the Conti group led to large-scale disruptions. One of the most significant incidents attributed to the Conti ransomware was the attack on the Costa Rican government in April 2022. Attackers breached the networks of several government departments, including the Ministry of Finance, the Ministry of Science, Innovation, and Technology, among others. The hackers demanded a ransom of $20 million, but the government announced it would not pay the attackers. The President of Costa Rica declared a state of emergency. This was the first time in world history that a country declared a state of emergency due to a cyberattack. Another notable victim of the Conti ransomware was the Scottish Environmental Protection Agency (SEPA), which took over a year to recover from the attack. In 2022, the group's activities were reported to have ceased.

Another popular ransomware, Lockbit, continues to be used by attackers and has led to disruptions and breaches in government institutions in 2024. In February of this year, a cyberattack on the California State Workers Union resulted in network disruptions and the theft of about 306 GB of personal data, including social security numbers and home addresses.

While ransomware is gradually declining in popularity, attackers are increasingly using remote access malware. In the first half of 2024, the share of successful attacks using remote access trojans was 37%, which is 4% higher than in 2023 and 8% higher than in 2022. Such malware can be used to steal, modify, or delete information on a device, as well as serve as an entry point into the network and to further develop the attack. Most remote access trojans have spyware features: such programs can secretly record users' screens, track their location, and log keystrokes.

In the first quarter of 2024, experts from the Positive Technologies Security Expert Center (PT ESC) detected a series of attacks targeting Russian and CIS government agencies, with the main goal being the theft of employee accounts from various government services. The attacks used the simple but effective stealer LazyStealer, written in Python, which was distributed via phishing and sent the collected data from the device using the Telegram messenger.

Attackers use both simple malware, such as LazyStealer, and tools with sophisticated evasion techniques and protective mechanisms. For example, in April 2024, an attack by the BlackTech group, operating since 2007, was discovered targeting the technology, research, and government sectors in the Asia-Pacific region. The attacks used the updated modular backdoor Waterbear and its new version Deuterbear for covert access and monitoring of target systems. The attackers modified router firmware and used encryption to conceal their actions and maintain constant access to the victims' networks.

Both types of malware, remote access trojans and spyware, are used in attacks on the public sector more frequently than in most other industries. Throughout the period under review, trojans were used in one third of successful attacks on government institutions — 1.5 times more frequently than in attacks on financial organizations and almost four times more than in attacks on medical institutions.

Figure 5. Use of remote control malware and spyware by industry for the entire period under review (percentage of incidents)

This trend can be explained by several factors:

With the growth of digitalization and the integration of information systems in the public sector, more data and processes are being converted to electronic formats, motivating attackers to stay online as long as possible. Prolonged network presence allows attackers not only to collect and analyze large volumes of data but also to manipulate it at the right moment, influencing decision-making and gaining advantages in information warfare. Financially motivated criminals sell the obtained data and access to infrastructure on shadow platforms. We will examine the activities of attackers on such platforms in detail below.
These malicious programs are very stealthy and can remain undetected for a long time, making them ideal tools for espionage. They can record users' screens, log keyboard input, and even determine device locations, providing attackers with a wide range of data to analyze and use for their purposes.
Among all industries, the public sector is the most targeted by APT groups². Throughout the period under review, more than a quarter of successful targeted attacks were aimed at government institutions. These groups, often state-sponsored, focus on long-term and covert attacks aimed at information gathering and cyber espionage. Remote access trojans and spyware provide them with extensive opportunities for continuous monitoring and control over compromised systems, allowing them to not only steal sensitive data but also use compromised devices as a basis for further attacks.
Although APT activity against government institutions varies from quarter to quarter, certain key features can be identified. In APT attacks on the public sector, criminals very frequently use malware (in 83% of incidents throughout the period under review), particularly the above-mentioned remote access trojans (in 65% of incidents) and spyware (in 35% of incidents).

2. APT groups are criminal organizations specializing in APT attacks — well-organized and carefully planned multi-stage targeted cyberattacks. These groups are characterized by high levels of skill and generally possess significant financial resources and technical capabilities.

Figure 6. Successful APT attacks on government institutions (percentage of total successful attacks on government institutions)

To deliver malware, attackers may use various methods: exploiting vulnerabilities, publishing trojans in official app stores, guessing passwords, and buying access to accounts. However, the most popular method for spreading malware is phishing emails, which attackers used in 64% of successful attacks.

The second most popular method for delivering malware to devices is using various tactics to compromise computers, servers, and network equipment. This method was employed by attackers in almost one-third of successful attacks over the entire period under review (28%). Attackers often exploit vulnerabilities and compromise credentials to load malware onto devices.

Figure 7. Methods of malware distribution in successful attacks (percentage of attacks using malware, by year)

In 11% of successful attacks on government sector organizations, attackers used various methods of compromising credentials to gain access to infrastructure, such as brute-forcing or obtaining them through network reconnaissance or open data in the public domain. In some attacks, attackers use specialized paid and free tools for credential brute-forcing. One well-known case occurred in Ecuador, where the automated remote access tool TMChecker compromised a government organization's server.

To execute an attack, attackers do not always need to obtain administrator credentials. In some attacks, using email accounts in the domain of a government agency was sufficient. For example, in 2023, fraud led to the theft of about $7.5 million from the U.S. Department of Health and Human Services grant payment system. The attackers gained access to domain email accounts of grant recipients and used targeted phishing to deceive U.S. payment processing staff into providing access to grant recipient accounts.

Attackers also buy or trade compromised device credentials on the dark web. Every sixth post (15%) on shadow platforms concerned access to the infrastructure of compromised government organizations. In 62% of these posts, attackers offer access for sale, in 25% they offer it for free, and in 13% they express a desire to purchase a certain access.

Figure 8. Cost of initial access on shadow markets

The price of access sold can depend on various factors: the size of the compromised organization, the level and type of access. The most common listings are for email data (17% of sales ads) and access via web shells³ (16%). Access to administrator accounts (which make up 6% of all sold accesses) generally costs more. As they are harder to obtain and offer more opportunities to further develop an attack.

3. A web shell is a file that an attacker can upload to a server and then use to execute OS commands through its web interface and gain access to other files.

The cost can range from twenty dollars to several thousand for high-privilege access. More than a third of listings do not contain prices, and buyers and sellers negotiate the cost directly. Most listings are priced between $100 and $1,000, while expensive accesses (over $10,000) make up only 4% of all sales messages.

Sometimes, the price is determined through an auction, as in the listing below. Here, a forum user offered VPN access to a Jordanian ministry, with prices starting at $1,000 and potentially reaching $50,000.

Figure 9. Advertisement offering access to Jordanian ministry infrastructure

4. Translation of image text: "Key ministry (let's say, a database of all citizens and other goodies). 20,000+ computers Starting bid: $1,000 Bid increment: $1,000 Buy now price: $50,000 End: 48 hours after the last bid increment"

To protect against malware, use and regularly update antivirus programs, set up email security gateways, sandboxing solutions and endpoint protection, regularly update operating systems and applications, conduct employee cybersecurity training, and back up data. These measures will help minimize the risk of infection and data loss. Detailed recommendations, technical, and organizational measures for protecting against malware can be found in our study.

Employment in government agencies across different countries reaches up to 30% of the total workforce, with the three largest employers in the world being government organizations: the Indian Ministry of Defence in first place and the U.S. Department of Defense in second place. Government institutions typically have a large number of employees, many of whom interact frequently with the external world via email and other communication channels. This creates numerous entry points for attackers seeking to access confidential information or disrupt government systems.

Basic cybersecurity skills and employee awareness of phishing attacks in government institutions often leave much to be desired. Ivanti researchers found that at least 5% of government employees surveyed in 2023 fell victim to phishing attempts — either by clicking on links or sending money. Furthermore, 36% of government employees did not report phishing emails they received at work. Only 27% of government employees feel "very prepared" to recognize and report threats such as malware and phishing. Over a third of all leaders in government organizations reported clicking on phishing links — four times more than among regular office employees.

All this has led to social engineering being the most frequently used method in attacks on the public sector each quarter. In the first half of 2024, the number of incidents where attackers used social engineering increased to 57%, which is 11% higher than the figure for 2023. Globally, phishing campaigns target government organizations more frequently than other industries.

Almost half (47%) of attacks on government institutions involved social engineering methods, with email being the most popular channel (94% of cases).

Figure 10. Social engineering channels (percentage of incidents)

Mass leaks of personal data allow attackers to create detailed digital portraits of victims. Attackers use cunning and well-thought-out schemes, and with the gathered information, it becomes easier for them to gain the trust of the victim. For example, in an attack on government agencies, the group Shedding Zmiy created a fake account of a cybersecurity specialist in Telegram and tricked an employee into revealing access credentials to internal nodes. In another case, attackers exploited trust between partner companies: by hacking a telecom provider's network, they sent dozens of malicious emails to other organizations in the provider's name. The consequences of these attacks included leaks of data that criminals used in subsequent attacks and posted on Telegram.

APT groups that use political circumstances for their own purposes employ social engineering techniques for cyber espionage and gathering confidential information from government institutions. For example, the group TransparentTribe targets Indian government organizations, military personnel, and defense contractors with sophisticated cyberattacks aimed at compromising security and collecting confidential information. The group uses various tactics, such as creating fake websites and documents that mimic legitimate government entities to deceive targeted users into revealing their credentials or downloading malware. Additionally, TransparentTribe utilizes platforms like YouTube, where they create fake profiles and encourage people to download malicious applications.

An example of a phishing email recorded by specialists from the Positive Technologies Expert Security Center (PT ESC), sent in 2024 to various organizations, including governmental ones, is shown in Figure 11. The email looks like a resume with an attached archive of photographs. Instead of a genuine archive, the email contains a link leading to an attacker-controlled website distributing data-theft malware.

Figure 11. Example of a phishing email with malicious attachment

Increasing vigilance, cybersecurity awareness, and regular employee training (including simulated phishing campaigns) are critically important for reducing government institutions' vulnerability to such threats.

Information security researchers and attackers regularly discover new vulnerabilities, and exploits for already known ones are published on shadow forums, allowing even low-skilled attackers to use ready-made scripts. Throughout the period under review, nearly one-third (31%) of successful attacks on government organizations involved the exploitation of vulnerabilities. In 6 out of 10 such incidents, attackers used software vulnerabilities, while in the rest, they used web vulnerabilities.

The most exploited vulnerabilities during the review period were:

CVE-2023-34362, CVE-2023-35036 — vulnerabilities in the MOVEit Transfer data transfer software, frequently used in attacks by the Cl0p group;
CVE-2021-32648 — a vulnerability in October CMS, the exploitation of which led to widespread defacements of Ukrainian government websites;
CVE-2018-0798 — a vulnerability in the mathematical formulas and equations editor in Microsoft Word.

We previously reported on the exploitation of CVE-2018-0798 in attacks, but it remains popular among attackers. In 2023, the Sharp Panda group exploited it in attacks on government institutions in Vietnam, Thailand, and Indonesia. Attacks like these, involving long-known vulnerabilities, indicate that government institutions often delay updating their systems, which attackers actively exploit.

To protect against such attacks, organizations should regularly update software and promptly install patches and updates for operating systems and applications. Periodic vulnerability scanning and security assessments help in identifying weak points and taking measures to address them. It's also recommended to conduct cyberexercises that simulate real attack scenarios, allowing teams to practice incident response skills, and implement bug bounty programs that attract a wide range of specialists to test security and identify vulnerabilities that might have been missed in internal checks.

Target regions: Government institutions in Asia under threat

Analyzing listings from shadow platforms for 2023–2024, we found that government organizations in Asia (33%), Africa (12%), and North America (12%) are of the greatest interest to attackers. Among individual countries, the leaders are the USA (10% of all listings), India (9%), and Bangladesh (8%).

Figure 12. Distribution of messages on shadow markets by location of compromised organizations

In our study of current threats for Asian countries, we noted that the Asia-Pacific region was the most attacked in 2022, accounting for 31% of the global number of attacks, and from 2022–2023, government institutions were the most frequent targets (22% of all attacks on organizations). The public sector is the most targeted sector in the region. Throughout the review period, 21% of successful attacks in Asia targeted government institutions. This interest from attackers in the region is not coincidental and is driven by several factors.

Firstly, in recent years, Asian countries have been among the global leaders in technological innovation, with digital transformation affecting the public sector as well. According to the E-Government Development Index, 22 Asian countries are in the very high index group. South Korea, Singapore, the United Arab Emirates, and Japan are in the highest class and are among the global leaders in e-government development. Asia significantly increased its average index value from 2020 to 2022, remaining the second most advanced region in terms of digital government development. South Korea, Singapore, the United Arab Emirates, and Japan are world leaders in e-government development.

However, with the advancement of digital technologies and increasing volumes of data accumulated by the public sector, there is also a growing need to set up and implement effective cybersecurity strategies. Despite the rapidly evolving digital infrastructure and the readiness to invest in cybersecurity, cybersecurity laws still offer room for improvement.

Secondly, the level of cybercrime in the region is directly influenced by current geopolitical issues. Rivalry between states inevitably manifests itself in cyberspace, leading to complex, carefully planned targeted cyberattacks. In Southeast Asia, the activity of cybercriminals is largely driven by territorial disputes in the South China Sea between ASEAN countries and China, as well as the US-China rivalry for dominance in the region. In South Asia, the motivations of attackers are often racial and religious and largely involve the relationships between India, Bangladesh, and Pakistan.

Figure 13. Message about a defacement attack on the website of the Ministry of Education of Bangladesh

In Asia, the majority of ads on shadow platforms are announcements about defacements of government websites (44%) and ads for the sale, distribution, or purchase of databases stolen from government organizations (32%).

Figure 14.png — Figure 14. Topics of messages on shadow markets in the context of attacks on Asian countries

Overall, the analysis of cyberattacks on government institutions in Asia showed that they most frequently lead to leaks of confidential information — in 62% of successful attacks over the entire period under review. First and foremost, attackers manage to steal personal data (33%) and trade secrets (30%). For example, as a result of a cyberattack in South Korea, the personal email of the president's office administrator was hacked. The attackers gained access to correspondence and information about the president's foreign trips, including schedules and details of official events. This information might have been needed by criminals to interfere in upcoming parliamentary elections, influence their outcome, or spread disinformation.

Figure 15. Advertisement on a shadow forum about the sale of data stolen from the Thai Ministry of Industry

Government institutions in the region are targeted by both hacktivists and highly skilled APT groups: nearly half (48%) of all successful attacks on government organizations in Asia were targeted. Our research into APT groups in Southeast Asia has shown that they all target government organizations. Their primary goal is espionage or the destabilization of the political situation in the region. For instance, in 2024, the Earth Krahang group, which attacks government organizations worldwide, was found specifically targeting government entities in Southeast Asia. The criminals used targeted phishing to gain initial access to infrastructure by sending emails on geopolitical topics. They then placed malware on compromised web servers. After that, they sent phishing emails from government email accounts to further infect government structures and conduct espionage.

Attack consequences and hypotheses of non-tolerable events

The increase in digital dependency at the governmental level worldwide means that attacks on government institutions can pose a serious threat to the security and stability of states. The implementation of non-tolerable events in the public sector can destabilize social and economic structures, cause political instability, and undermine citizens' trust in digital government services, leading citizens to stop using them and thus increasing the costs of public administration. Each government organization defines non-tolerable events independently; there is no universal list. Let's consider the consequences of cyberattacks, hypotheses of non-tolerable events for various government institutions, and how they were implemented in real cases.

Figure 16.png — Figure 16. Consequences of successful attacks on government organizations

Disruptions and damage to state interests

Successful attacks most frequently lead to disruptions in the organization's core activities (48% of incidents): loss of access to infrastructure and data, service failures for citizens, and disruptions in internal processes.

Figure 17.png — Figure 17. Consequences of organizational disruptions

Government services provide essential services to citizens, making them attractive targets for attackers seeking to cause disruptions and chaos. Attackers know that even a brief disruption in government services can have serious consequences, motivating them to carry out sustained attacks. If the duration of service failure or disruption exceeds a set threshold, this can be considered a non-tolerable event for the government institution. Throughout the examined period, more than a quarter of successful attacks (27%) led to various types of damage to state interests — most often to disruptions in government services and the disclosure of confidential information.

Figure 18.png — Figure 18. Consequences of damage to state interests

For the government and ministries, such non-tolerable events can manifest as disruptions in communication systems and internal management systems. For local authorities and municipal offices, it can mean disruptions in the operation of key urban and municipal infrastructure facilities. Attackers might implement a non-tolerable event by, for example, disrupting emergency service phone lines. This occurred as a result of a cyberattack in Israel, when citizens were unable to report emergencies to the fire, police, and ambulance services for over an hour.

A non-tolerable event can also be disruption or unavailability of information services or government services for citizens. For example, such a non-tolerable event occurred in July 2023. As a result of a cyberattack by the group Anonymous Sudan, Kenya's eCitizen portal was blocked, making over 5,000 online government services unavailable. Citizens could not apply for passports, travel visas, driver's licenses, ID cards, and medical records, and mobile banking and transportation services were also down.

Service outages caused by cyberattacks can last for several days or even weeks. In February 2024, a cyberattack on the Malawi Immigration Department meant no new passports were issued for three weeks, causing widespread public outcry and concern among citizens. The incident significantly hindered Malawians' ability to travel and seek employment abroad, particularly impacting young people seeking to emigrate for better opportunities.

Another form of non-tolerable event is disruption or unavailability of emergency alert systems. If an emergency event occurs at the government level and the alert systems fail, this can have devastating consequences, including putting health and lives at risk. Conversely, a false alarm can cause fear, panic, unnecessary resource costs, and loss of trust in authorities. An example of such an non-tolerable event is a probable cyberattack that led to false alarms in Jerusalem and Eilat.

Another possible non-tolerable event is the unavailability of information systems or services at a critical moment for the government institution. For example, the unavailability of tax services for citizens during tax filing periods can reduce government budget revenues. Disruptions in online voting systems or unavailability of official party or candidate websites during elections can lead to public discontent and even affect election outcomes. For instance, as a result of likely cyberattacks during the national elections in Ecuador, citizens living abroad faced difficulties with online voting, and some were unable to vote within the designated timeframe. Problems with the overseas voting system caused anger and suspicion among the diaspora and led to protests by Ecuadorians in Madrid.

To achieve their goals, often hacktivist ones, attackers organize distributed denial-of-service attacks and carry out attacks aimed at data integrity on websites by altering their appearance (conducting so-called website defacements). Among all sectors of the economy, government agencies are subjected to the longest and most massive DDoS attacks due to increasing tensions in cyberspace. In the first half of 2023, government institutions experienced the longest attacks with an average attack duration of 4 hours and 20 minutes. In the second half of the year, the attack duration increased to an average of nearly 18 hours.

Figure 19. Announcement of a forthcoming DDoS attack on the UK government website

On the shadow market, more than a third of messages (35%) concern defacement attacks — a key distinguishing feature of attacks on the public sector. Due to the complex geopolitical situation and the increased number of conflicts in various parts of the world, hacktivists attack websites to express their political, religious, or social positions, damage the reputation of specific organizations and entire states, generate societal unrest, and trigger riots and protests. Defacements result in disruptions to the functionality of official websites, making it impossible for the organization to provide its services, but the most significant damage is inflicted on the reputation of the organization and the state.

Figure 20. Topics of messages on shadow platforms in the context of attacks on government organizations

Attacks by the most active groups, such as team1722 and TurkHack Team, are primarily targeted at Middle Eastern countries and are driven by the tense geopolitical situation in the region. In the Middle East, government agencies are the most attractive targets for cybercriminal attacks, accounting for 22% of the total number of attacks on organizations in 2022-2023. The main consequences of such attacks were disruptions to core activities and leaks of confidential information. A distinguishing feature of attacks on government institutions in this region is that they are mostly carried out by APT groups.

Figure 21. Announcement of a defacement attack on the Lebanese government website

Distortion of information on official resources of government institutions can be a non-tolerable event for a government organization and even for a country. It can lead to a loss of public trust in government entities and worsen political and diplomatic relations between countries. A real example of such an incident is the attack by Malaysian hacktivists on Indian websites. The group DragonForce Malaysia carried out defacements of several governmental and private websites in India, resulting in official websites displaying messages in support of the hacktivists. This caused significant operational disruptions and reputational damage, as the sites were taken offline to address the issue. This incident exacerbated political and diplomatic relations between Malaysia and India, highlighting the geopolitical risks associated with cyberattacks driven by ideological disagreements.

To reduce the risk of website compromise, including defacement, it is recommended to implement standard security measures. These include: regularly updating third-party software used to operate the website, identifying and addressing vulnerabilities in website components such as scripts and databases, and using unique and complex passwords for administrator accounts. It is also recommended to use WAF (web application firewall) tools to protect the website from various types of attacks, such as SQL injection, XSS, and other threats.

Financial losses

As a result of a cyberattack, an organization can suffer financial losses. If financial losses exceed a certain threshold, such damage can become non-tolerable for a government organization; the budget must be replenished through taxpayer funds, and there will be legal and economic consequences such as reduced investments and economic downturn. The consequences of particularly large losses can affect other sectors, as well as regional and national economies.

Financial losses can result from fraudulent transfers of funds from the company's accounts. For example, in 2023, attackers stole around $7.5 million from the U.S. Department of Health and Human Services' grant payment system in a series of cyberattacks, including targeted phishing. The amount of damage was only a small portion of the total HRSA budget (about 0.05%), but it is roughly comparable to the entire budget of some programs, such as the SPRANS program aimed at combating sickle cell anemia. Such financial loss could lead to substantial changes in the allocation and management of funds, especially for certain programs or in the immediate aftermath of the incident.

A non-tolerable event may occur during a ransomware attack if the organization's management decides to pay the ransom. Additionally, a government institution may incur losses in mitigating the consequences of the attack, restoring systems, and recovering lost data. For example, a series of cyberattacks by the group HomeLand Justice on Albania's digital infrastructure led to significant consequences including a major data leak, unavailability of internet portals and several government websites, as well as disruptions to border crossing points. Among other things, there were financial losses estimated at several billion dollars. This incident was so severe that the Albanian authorities severed diplomatic relations with Iran, making it a non-tolerable event for the state.

Data breaches

Government organizations hold vast amounts of data due to the many services provided to businesses and citizens. Even a single successful breach into a government system can lead to the compromise of high-level intelligence, classified assets, and personal identity information. On shadow markets, stolen data is often bought for the purposes of creating fake documents, gaining initial access to organizations, or hijacking privileged accounts.

We've already reported that government institutions faced the highest number of breaches of confidential information among all sectors for the first half of 2024. Successful attacks result in the compromise of confidential information stored in public sector organizations in 41% of incidents. Moreover, this figure has shown a continuous increase. In 2022, it was 37%, in 2023 — 41%, and in the first half of 2024 — 48%. The situation in Russia differs from the global trend, with data breaches being the most common consequence of successful attacks on government institutions throughout the examined period.

The primary targets of attackers during the period under review were personal data (38%) and trade secrets (24%). There has been a rapid increase in the number of breaches containing trade secrets: in the first half of 2024, this share was 36%, which is nearly 1.5x more than in 2023 and almost three times more than in 2022. This is due to increasing geopolitical tensions and growing activity of APT groups. As noted earlier, attackers are increasingly using malware designed for cyber espionage and gaining access to highly sensitive information.

If a cyberattack results in the copying of confidential databases, it can become an non-tolerable event for a government organization, as such data may contain sensitive information and classified documents, the disclosure of which could cause significant harm to national security and international relations. An example of such an incident is the hacking of police servers in Xinjiang, China. The hacker attack exposed thousands of graphic images and videos showing the abuse of Uyghur detainees. The materials included images of torture devices, heavily armed guards, and detailed police schedules. The breach also contained high-level speeches and documents implicating Chinese top leadership in the systematic suppression of the Uyghurs. These documents triggered international outrage, with many countries condemning China's actions and the US imposing sanctions on several Chinese officials due to their involvement in the repression of the Uyghurs.

A leak of a database containing citizens' personal data can lead to the realization of a non-tolerable event. As a result, the government institution may face financial consequences. In many countries, organizations are fined if personal data is leaked. For example, in the European Union, under GDPR regulations, organizations responsible for data leaks can be fined up to 20 million euros or up to 4% of their annual turnover, whichever is higher. In Japan, under the Act on the Protection of Personal Information (APPI), non-compliance and data leaks can result in fines of up to 100 million yen for companies, as well as public disclosure of the names of violators. Leaks of biometric personal data can be particularly significant. Attackers who gain access to biometric data can impersonate digital identities and commit fraud. Biometric data cannot be changed, which exacerbates the consequences. We have previously reported on such a non-tolerable event in El Salvador. As a result of the alleged compromise of the government's Chivo crypto wallet used by the Salvadoran government, a database containing information on 80% of the country's population appeared on the dark web It included high-resolution photographs of the country's residents, each marked with a corresponding identification document number. Additionally, the database contained names, surnames, dates of birth, phone numbers, email addresses, and residential addresses.

The leakage of confidential documents can become an unacceptable event for a government institution and lead to irreversible consequences. A leak of information and documents related to court proceedings can impact the outcomes of judicial processes. Disclosure of information about special categories of citizens may lead to attacks on these individuals, public outcry, and societal unrest. A real example of such a non-tolerable event is the leak of 100,000 records concerning criminal offenses and convictions of Russian residents from 1993 to 2022, which occurred due to a hack of the Russian Prosecutor General's website by the hacktivist group RGB-TEAM.

The leak of classified protocols and documents can threaten national security and international relations. Such a non-tolerable event occurred as a result of a cyberattack on the General Staff of the Portuguese Armed Forces (EMGFA), in which NATO secret documents were leaked. The leak of such documents can undermine trust between allies and weaken a country's strategic position on the international stage.

Analysis of the shadow market shows that, most frequently (74% of advertisements), criminals offer stolen databases on shadow forums for free. They may have various goals and motives: improving their reputation, making political or social statements, creating chaos, releasing data after ransom demands are refused, or seeking revenge for personal grievances. In 11% of ads, the price is not specified and is negotiated between the buyer and seller.

Figure 23. Cost of databases on shadow markets

If a price is mentioned in an advertisement, it averages slightly over $8,500. The price depends on the volume and content of the stolen data and the size of the organization whose data was stolen. For example, one of the more expensive offers (priced at 5 bitcoins) is a database of nearly 9 MB from a Florida state government website containing personal data of citizens and residents, including their full names, professions, addresses, business license numbers, and contact details. The attacker who bought this data could use it to create fake documents, commit fraud, and carry out phishing attacks: they could use the contact details to deceive people into giving additional confidential information or money.

Figure 24. Advertisement on a shadow forum selling data from a Florida government website

Recommendations

Cyberattacks can lead to a wide range of consequences. Unfortunately, it is impossible to protect an organization from absolutely all threats. However, by building results-driven cybersecurity, it's possible to strengthen the organization's cyber resilience so that even if an attacker penetrates the organization's perimeter, they cannot inflict irreparable damage or cause non-tolerable events.

The consequences of a cyberattack on a single government institution can affect not only that institution but also other organizations and the entire state. For example, the theft of personal data as a result of an attack on one government institution can lead to unauthorized access to both other governmental resources and commercial services. Additionally, the reputational damage resulting from such attacks is not limited to that government institution but extends to the entire administration; that is, if services of one government organization become unavailable due to a cyberattack, citizens will be dissatisfied with the performance of the entire government. Therefore, when building results-driven cybersecurity for government institutions, it's crucial not to limit the context to a single organization: a comprehensive approach across the entire state is crucial.

Block 1 Defining non-tolerable events and primary targets of impact on infrastructure

Defining non-tolerable events

The first step towards cyber resilience is to identify and approve a list of non-tolerable events for the organization. For example, for a court, this might include interference with court proceedings or leakage of data about judicial cases; for local authorities, it might involve the unavailability of emergency service phones for several hours and losses amounting to a significant portion of the budget. To form a complete list with specific thresholds and criteria, it is necessary to understand what constitutes truly irreparable damage for that government institution. Management is usually in a position to create such a list. Next, with the help of IT and cybersecurity experts, potential scenarios for these events and target systems should be identified.

When assessing non-tolerable events in government institutions, it is necessary to analyze additional structural factors, such as the type of consequences, the timing of their occurrence, or the dynamics of their emergence. The damage from some non-tolerable events will be fully manifested at the moment of the attack, such as interference in elections, misinformation, or false alarms.

Other types of non-tolerable events may have delayed, extended consequences; for example, stolen personal data can be used by attackers for identity theft and fraud for years to come.

Furthermore, the damage from some non-tolerable events will increase with extended service unavailability or an increase in the frequency of their occurrence. For example, prolonged unavailability of government digital service portals will lead to reduced use of government digital services, which, in turn, will increase costs for providing offline services, physical queues, and dissatisfaction — resulting in financial and reputational losses, which can be costly for the state to recover from.

Understanding non-tolerable events with delayed losses is necessary in determining measures to mitigate long-term negative impacts. Knowing what consequences may arise over the long term helps the development of various action algorithms and even legislative measures to reduce possible delayed damage. For example, if it is known that an individual's passport data has leaked, the individual can be informed and given the opportunity to block transactions, document signing, or loan applications in their name through a government service until the data is changed.

The resulting list of unacceptable events must be prioritized and the events themselves must be detailed. For example, the theft of different types of personal data can have varying significance: it's one thing when phone numbers are leaked, and quite another when biometric data is involved.

Mapping non-tolerable to the IT infrastructure

The second step involves conducting an inventory of the IT assets of government institutions to identify key systems and points of entry that are primary targets for attackers. The obtained information should be correlated with business processes to reduce the attack surface and minimize protection costs. After this, the sequence of steps can be determined, and a cybersecurity transformation program for the state can be formulated.

Block 2 Cyber transformation

Cyber transformation must be carried out comprehensively for the entire state, coordinated among all government organizations. If a vulnerability in one government institution is not addressed and this leads to consequences for citizens, it will not matter which government structure is to blame: the state as a whole will suffer the damage.

Hardening IT infrastructure

To strengthen the protection of IT infrastructure components, it is essential to ensure the secure and effective configuration of target and key systems, as well as points of entry. To do this, attention should be paid to operating systems and applications, web resources, domain infrastructure, virtualization environments, and cloud services.

Employee training

Regular training of employees and managers with knowledge assessments reduces the number of successful cyberattacks on an organization. Every government employee should understand cybersecurity issues such as strong passwords, phishing protection, software updates, information confidentiality, safe use of public wireless networks, secure channels and mobile devices.

Incident monitoring and threat response

To prevent non-tolerable events, it is necessary to create a threat response center. This could be a global center for automated collection of non-tolerable events for the state in one place. Such a center would monitor events and promptly identify and respond to suspicious activities or other deviations from the norm that could be indicators of attacks, as well as take measures to counter attackers.

Security checks

To check the effectiveness of implemented security mechanisms, a method should be chosen based on the organization's goals and level of information security maturity. The feasibility of non-tolerable events can be understood through such testing and by conducting cyberexercises.

Building processes

It is necessary to identify critical government business processes and upgrade them to improve quality, performance, and security, as well as reduce their cost. It is also crucial to properly organize work and communication between IT and cybersecurity departments.

Performance assessment

To determine the current state of security and understand whether further steps are needed, it is necessary to define metrics for results-driven cybersecurity and regularly assess performance using these metrics.

Block 3 Verifying cyber resilience

Maintaining cyber resilience

Given the constant emergence of new vulnerabilities, the development of attack techniques and tactics, and the digital transformation and expansion of IT infrastructure, it is essential to maintain the high level of cyber resilience achieved by each government organization individually and the state as a whole.

Running Bug Bounty programs

The final step in building cyber resilience processes is to run bug bounty programs for all government organizations in the country in the format of implementing non-tolerable events. Continuous and comprehensive assessment of the security of all government institutions significantly strengthens the cyber resilience of organizations and the entire country.

Conclusions

The public sector plays a key role in the economy, performing vital functions and ensuring peace and public order, and its importance is only growing. Government institutions regulate market relations, enforce laws, provide public goods and services, and support economic stability through fiscal and monetary policy.

Additionally, the public sector is actively evolving and undergoing digital transformation. Increasingly, data and services are becoming available to citizens in the information space, which brings with it more restrictions and responsibilities for protecting this information. Digitalization enhances the efficiency and accessibility of government services but also increases vulnerability to cyberattacks.

Government institutions are primary targets for various types of hackers for several reasons:

Serious consequences of disruptions
Attacks on government institutions can lead to catastrophic consequences and non-tolerable events, including the shutdown of critical infrastructure and services, which immediately impacts the lives and safety of citizens.
Public sector data
Government institutions hold vast amounts of sensitive information, including personal data of citizens, data related to national security, and other important information. This makes them an attractive target for cybercriminals.
Public attention and public exposure
Attacks on government institutions receive significant public and media attention, which increases the motivation of hackers seeking to gain public recognition and demonstrate their political, religious and social positions.
Geopolitical situation, APT groups, and hacktivists
Government institutions often become targets of APT attacks and hacktivists motivated by political and ideological reasons. Geopolitical conflicts only exacerbate this threat.
Outdated technologies and security measures
Many government institutions use outdated technologies and security systems that are vulnerable to the latest cyberthreats. Updating such systems is often a lengthy and costly process.

Given these factors, it can be anticipated that the public sector will remain a highly targeted area for at least the next year. Ensuring its security requires significant effort, investment, and a strategic and comprehensive approach to achieving results-driven cybersecurity.

Cyberthreats in the Public Sector