This article is featured in the magazine Protecting Against Cyberattacks: A Guide for Public Safety Leaders.
By Dr. Harry Cooper, Faculty Member, Cybersecurity and Information Technology, American Military University
There has been a significant and steady surge in online criminal activities. For the past decade, Verizon Enterprise Solutions has released a yearly Data Breach Investigations Report (DBIR) that tracks data breaches across all sectors. We can use these reports, along with examples of recent cyberattacks against organizations in the public sector, to better understand how cybercriminals are targeting governmental bodies, and what can be done to identify and protect against threats.
Hackers Want More than Credit Card Information
In 2008, hackers primarily focused on stealing payment card data. Verizon’s DBIR reported that in 84 percent of breaches, credit cards were the top item of interest to hackers. This is because it was very easy at the time to monetize credit cards with little risk of exposure to the perpetrator. Credit card theft was especially lucrative for organized crime groups who orchestrated an estimated 50 percent of all credit card breaches.
But organized crime groups are no longer just after credit card data; they are after personally identifiable information or PII. This critical information often lives within government agency databases, so public-sector entities are a highly desirable target. Their networked systems hold valuable PII collected from tax submissions, financial benefits, healthcare information, and more.
The 2018 DBIR showed that of the 304 confirmed data disclosure cases that it reviewed from the public sector, 55 percent had been targeted for PII. Another 24 percent of cases were targeted for “secrets” that are believed to also contain PII.
Role of Personnel in Security Breaches
The DBIR determined that personnel are one of the leading causes of information breaches. In the majority of these cases, personnel are “unwitting participants.” An unwitting participant is an individual who works for an organization and carries out actions that, while seemingly legitimate or benign, actually enable a perpetrator to gain access to the organization’s systems and data.
Perpetrators use many different types of malicious tools to target personnel and carry out their attacks. Phishing, for example, is the act of getting someone to give up their credentials via an email solicitation. Phishing attacks were used in roughly 74 percent of the breaches reviewed in the DBIR. Phishing can be very convincing and presented in a way that looks completely legitimate. For example, phishing can appear to be real emails sent from human resources asking personnel to update their beneficiaries on their retirement plan or to submit their vacation schedule. The goal of a phishing attack is to get personnel to provide sensitive personal information without questioning the request.
Another common tool used by perpetrators is malicious files. Malicious files come in many shapes and forms, but the underlying goal is to get personnel to open a seemingly legitimate file often attached to an email. Unfortunately, the malicious file contains more than what is expected; it includes exploits that will infect the user’s computer and install a backdoor malware that gives the perpetrator complete access to the user’s computer, as well as the organization’s network. Once a perpetrator has gained access to a network through a foothold in a single machine, they work to gain access to and compromise other machines, servers, routers, and any other networked device.
What Happens After a Breach?
After accessing a network, the perpetrator must decide what their end goal is for the attack. They may choose not to take any noticeable action on any of the machines they have gained access to and instead passively monitor information flowing throughout the network. This strategy allows them to take time evaluating which information is critical and valuable, and then silently collect, package, and exfiltrate that data on a schedule that matches periods of increased network traffic, so as to elude detection by the organization’s IT department.
This type of attack is called an Advanced Persistent Threat (APT). Because of the low-key manner in which the malicious code acts, APTs are capable of running for very long periods of time, from weeks and months to possibly even years.
The other strategy a perpetrator might employ after a breach is to immediately strike. There are many ways for a perpetrator to harm an organization in extremely destructive ways, such as wiping hard drives or blowing up industrial systems. Less destructive and more common actions include the use of malware and ransomware, which was used in 45 percent of attacks.
Ransomware is a malicious attack against an organization’s data where the malicious program surveys the contents of a machine’s hard drive along with any network-attached or network-accessible drives. It then encrypts all the data using high-grade encryption methods and algorithms. Once the data has been encrypted, the underlying encryption key is sent to a server controlled by the perpetrator and a message notifies the user of the encryption and demands a ransom payment for access to the encryption key.
When this happens, organizational leaders must decide whether to pay the perpetrator for the encryption key or lose all the locked information. For organizations that have exceptionally strong IT departments with up-to-date backups of critical systems and data, the decision will be not to pay the ransom and instead to rebuild the affected machines.
Unfortunately, many organizations do not have such robust IT departments, so they are often forced to pay the ransom. Once the payment is received, the perpetrator will either release the encryption key or simply ignore the victim. It is estimated that only about 20 percent of organizations that pay actually get their files back unharmed. Many ransomware variants have bugs in their code that corrupt the encrypted files, making them impossible to restore regardless of whether the organization has the key.
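As an added illustration of the mechanism described above (example code written for this page, not part of the original article), the script below flags the footprint ransomware leaves on a file share: many files rewritten with near-random bytes within seconds, which is what mass encryption looks like to a file-audit log. The paths, timestamps and file contents are constructed sample data; a real deployment would feed it the organization's own file-write events.

```python
"""Added example, not from the article: flag a burst of high-entropy file
rewrites, the footprint ransomware leaves when it encrypts a drive.
All event data is constructed in-line; nothing touches a real disk."""
import math
import random
from collections import Counter
from datetime import datetime, timedelta

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: office documents sit well under 8, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect_mass_encryption(events, window_seconds=60, min_files=5,
                           entropy_threshold=7.5):
    """events: iterable of (timestamp, path, bytes_written).
    Returns the sorted paths rewritten with high-entropy content inside
    one sliding window, or [] when no burst is present. A single
    high-entropy write (a ZIP, a JPEG) is normal; many within seconds is not."""
    hits = sorted((ts, p) for ts, p, data in events
                  if shannon_entropy(data) >= entropy_threshold)
    window = timedelta(seconds=window_seconds)
    for i, (start, _) in enumerate(hits):
        paths = {p for ts, p in hits[i:] if ts - start <= window}
        if len(paths) >= min_files:
            return sorted(paths)
    return []

# Constructed sample: two ordinary document edits, then six files
# rewritten with pseudo-random bytes within half a minute.
_rng = random.Random(2018)
_T0 = datetime(2018, 3, 22, 9, 0, 0)
PLAINTEXT = b"Permit application: applicant name, address, SSN. " * 80
NORMAL_EVENTS = [
    (_T0, r"\\fileserver\records\permit_17.docx", PLAINTEXT),
    (_T0 + timedelta(minutes=5), r"\\fileserver\records\budget.xlsx", PLAINTEXT),
]
ENCRYPTED_EVENTS = [
    (_T0 + timedelta(minutes=10, seconds=5 * i),
     rf"\\fileserver\records\case_{i}.pdf.locked",
     bytes(_rng.getrandbits(8) for _ in range(4096)))
    for i in range(6)
]

def demo():
    """Run the detector over the constructed audit events."""
    return detect_mass_encryption(NORMAL_EVENTS + ENCRYPTED_EVENTS)

if __name__ == "__main__":
    print(demo() or "no burst detected")
```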
Citizens want their government to be more accessible, but this comes at a price that many would not have anticipated when e-government systems were first developed. There is no perfect solution when it comes to data security, and security measures are often guided by risk assessments and limited budgets. Therefore, it is important for government agencies to do everything they can to lessen vulnerabilities and deter perpetrators from taking advantage of security flaws.
Agencies Struck by Ransomware
Numerous governmental bodies have fallen victim in the past few years to costly ransomware attacks. These attacks aren’t just affecting organizations’ digital assets; they are also harming their physical systems.
- San Francisco, California (November 2016) – San Francisco Municipal Transportation Agency was hit by a massive ransomware attack that shut down its ticketing and management systems for railways and buses. The agency was unable to accept fares and was forced to allow passengers to ride for free for at least two days. Attackers demanded $73,000 to restore data.
- Leeds, Alabama (February 2018) – Leeds was hit by a ransomware attack that locked all city computers and data, including those in the fire and police departments. Reportedly $8,000 in bitcoin was paid.
- Baltimore, Maryland (March 2018) – The city’s computer-aided dispatch (CAD) system that supports 9-1-1 and emergency calls was hacked, forcing officials to resort to manual operations to handle calls. An undisclosed amount was demanded/paid.
- Atlanta, Georgia (March 2018) – Municipal systems were attacked causing widespread outages and halting many city services. Attackers demanded $50,000 in digital currency, but recovery costs are estimated to be much higher.
- Port of San Diego, California (September 2018) – Ransomware compromised the port’s information technology systems, disrupting administrative operations at the shipping hub. An undisclosed amount of bitcoin was demanded.
About the Author: Dr. Harry Cooper is an instructor in the STEM school at American Military University, focusing on cybersecurity and information technology with experience in both academics and as a practitioner. Dr. Cooper has taught at various colleges and universities on a wide range of technology topics. Before entering academia, Dr. Cooper served as CEO/partner for Thimbleweed Consulting and TWC Security. Dr. Cooper received his D.Sc. in Cybersecurity from Capitol Technology University, where his research focused on the Mosaic Theory of Intelligence, its role in today’s society, and how it has become available to most average users. He also completed his M.S. in cybersecurity, intelligence, and forensics at Utica College and his B.A. in political science at the University of Pittsburgh. To contact the author, email IPSauthor@apus.edu.