Cyber-attacks are typically used to steal or expose data. This is why ransomware is the most popular form of cybercrime. Stealing private information gives hackers leverage and can be used to extort victims. However, some hackers have more ambitious goals than a simple bank deposit. Cyber-attacks against governments are more complicated and can have devastating effects on a country’s economy and public. This is why the recent MOVEit ransomware attack has taken a much more sinister turn as it targets US and state governments.

Recent MOVEit Breach and Clop Ransomware Gang

The MOVEit ransomware attack started on the 27th of May 2023 when the Clop (or Cl0p) ransomware gang began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362) in the MOVEit Transfer software.

The software was used by multiple businesses, and by US state agencies, to securely move files around company systems. On the 6th of June, the Cl0p ransomware gang took credit for the MOVEit breach by emailing all the affected organizations.

The group warned that all the stolen data would be exposed on the dark web if the companies did not email them – presumably to discuss a ransom. On the 14th of June, the Cl0p gang listed the first batch of organizations it says it hacked by exploiting the MOVEit flaw.

The victim list was posted to the group’s dark web leak site and includes the UK-based BBC, British Airways, Shell, and Zellis companies, Netherlands-based Landal Greenparks, the Swiss insurer OKK, and US-based First National Bankers Bank, the University System of Georgia, and Putnam Investments.

Meanwhile, Progress Software has hastened to patch a new vulnerability impacting MOVEit Transfer. The vulnerability, tracked as CVE-2023-35708, could lead to unauthorized access to customer environments, according to the company’s advisory.

US Governments and Agencies Suffer After MOVEit Breach

However, the Cl0p group also reassured BleepingComputer that it had deleted any data stolen from governments, the military, and children's hospitals during the MOVEit attacks.

CNN reported that several US federal government agencies were hit by the MOVEit breach – including the Department of Energy. While the hacks have not had any “significant impacts” on federal civilian agencies, CISA Director Jen Easterly told reporters that the hackers have been “largely opportunistic” in using the software flaw to break into networks.

Easterly added that “these intrusions are not being leveraged to gain broader access, to gain persistence into targeted systems, or to steal specific high-value information,” and that the attack “is not a campaign like SolarWinds that presents a systemic risk to our national security or our nation’s networks.”

A department spokesperson further told CNN that one of the Department of Energy victims is Oak Ridge Associated Universities, a not-for-profit research center, while the other is a contractor affiliated with the department’s Waste Isolation Pilot Plant in New Mexico which disposes of waste associated with atomic energy.

TechCrunch reported that a dozen other US agencies have active MOVEit contracts, according to the Federal Data Procurement System. This includes the Department of the Army, the Department of the Air Force, and the Food and Drug Administration.

The Cl0p group reiterated its claims that all government data had been deleted, saying that they are only financially motivated and not interested in politics.

“We got a lot of emails about government data, we don't have any government data and anything directly residing on exposed and bad protected not encrypted file transfer we still do the polite thing and delete all.”

A message on the hacking group’s leak site

Despite all of this, the US State Department's Rewards for Justice program announced in a tweet that a US$10 million bounty is being offered for information linking the Cl0p ransomware attacks to a foreign government.

Image: tweet from RFJ_USA. Sourced from @RFJ_USA

While the Cl0p hackers claim to have erased government data, it would be irresponsible of the federal agencies to simply take their word for it. The Rewards for Justice program gives people the incentive to provide information that could prevent government data from being misused or leaked to foreign governments.

Ransomware against governments is nothing new. CSO found that cyber-attacks against governments jumped 95% in the last half of 2022 alone. According to the report, the dramatic increase can be attributed to rapid digitization and the shift to remote work during the pandemic. These broadened the attack surface of government entities and paved the way for an increase in cyberwarfare waged by nation-state actors.

Costa Rican Government

The Conti ransomware attack pushed the small Central American country into a frenzy in April of 2022, when multiple cyber-attacks shut down its economy, affecting several branches of government and the general public.

Rodrigo Chaves declared a state of emergency due to the attacks. After a few days, the notorious hacking group CONTI took responsibility for the ransomware attack.

Pakistani Government

Sangfor FarSight Labs captured and analyzed a malware sample used in an attack against the Pakistan government in June, which was presumably carried out by the SideWinder APT group. The group attacked government organizations with targeted spear-phishing emails that masqueraded as a security advisory issued by the Pakistani Cabinet Division.

By exploiting DLL side-loading, the threat actors could hijack both the local OneDrive program and its update program, leading to the deployment of Cobalt Strike. Cobalt Strike is a remote-control program from penetration testing, used here to take control of the compromised machine.

Tasmanian Government

Another victim of the Cl0p ransomware group, the Tasmanian government announced that it was caught up in a data theft incident in April of 2023. The government revealed in a precautionary statement that its investigations “indicate a risk that financial data from the Department for Education, Children, and Young People may have been accessed in the global incident.”

According to the statement, the data included names, addresses, invoices, and bank account numbers. The breach was made possible through the GoAnywhere hack by the Cl0p ransomware group.

Why are Cyber-Attacks Against Governments So Popular?

Essentially, governments hold vital roles and host information critical to a country’s survival. This makes them a ripe target for cyber-attacks.

Cyberespionage

Information is the most powerful weapon in the landscape of politics. Cyberespionage uses cyber-attacks to exfiltrate confidential data and information from governments. This is then sold to other governments or leaked online.

Cyber Warfare

Governments can also be targeted by other governments. Some groups are sponsored by rival countries to carry out malicious cyber-attacks that damage their opponent. The Russia-Ukraine conflict is a prominent example of this, as cyber-attacks between the two countries continue to this day, each aiming to destabilize the other’s regime.

Hacktivism

Stemming from the word “activism”, hacktivism is the infiltration of government computer systems for personal or political agendas. Typically, hacktivists will expose presumably unethical organizations or activities to the general public. Usually, governments tend to be on the receiving end of these witch-hunts.

Gateway Attacks

Government infrastructure also houses the private information of thousands of companies and individuals alike. Being a trusted and wide-reaching platform for the public, governments have access to a lot of data. This means that a cyber-attack on a government agency could potentially be a treasure trove of victims for hackers.

Complexity of Systems

Most government agencies use complicated, layered systems within systems, which increases the risk of an external party gaining access.

Local Loopholes

While the national government agencies might be more airtight when it comes to cybersecurity, local and state governments are less funded than their federal counterparts. This means that these agencies have to make do with outdated software, systems, and cybersecurity measures. This makes them an attractive target for hackers.

How Can Governments Stay Prepared

Governments can stay prepared for a cyber-attack by investing in and encouraging better cybersecurity measures and practices - from the leadership roles down to the common citizen.

Launching National Cybersecurity Strategies

A national cybersecurity strategy kickstarts the way a country approaches cyber-attacks and prepares itself for data breaches. In Italy, the National Cybersecurity Agency launched its national cybersecurity strategy stating that the country will devote 1.2% of gross national investment a year to cybersecurity. The country also has numerous funds earmarked to encourage the digitization of businesses and the protection of their business.

Issuing Warnings to the Public

One example is the Cybersecurity Council of the United Arab Emirates, which advised its private and public sectors alike to be more cautious to avoid the risk of cyber-attacks. The council also asked that a cyber emergency response system be put into place in cooperation with the authorities to share data and proactively prevent malicious attacks.

Funding the Change

Governments have deep pockets – which is also why they get targeted by cyber-attacks. However, to prepare your country’s critical infrastructure for malicious attacks, you need to be willing to invest in the right cybersecurity measures.

Malaysia’s Finance Minister announced at the 2023 budget meeting that an allocation of RM73 million will be put towards CyberSecurity Malaysia (CSM). According to Statista, the US government also proposed a US$10.89 billion budget for cybersecurity in 2023.

Governments are responsible for the well-being and protection of thousands of people, and as such it is their duty to prevent cyber-attacks by making use of advanced, leading cybersecurity.

Sangfor has the only complete, holistic security solution to prevent and mitigate cyber-attacks in real time. With a range of integrated and evolved tools and platforms, Sangfor can offer an elite form of cybersecurity that will keep governments and their people safe.

For more information on Sangfor’s cyber security and cloud computing solutions, visit www.sangfor.com.
