Government entities were in the top five industries targeted by both ransomware and business email compromise (BEC) attacks in 2023, according to Arctic Wolf. Additionally, the FBI reported that government entities were the third most-targeted sector by ransomware in 2023, and Arctic Wolf’s own research saw the average ransom for government organizations top $1 million USD that same year.
It’s clear that cyber threats are plentiful for these entities. By understanding what risks exist and how and why other government organizations were breached, these entities can learn valuable information that can guide their hardening efforts and increase their security posture.
Why Government Entities are at Risk
Government organizations are lucrative targets for threat actors for a few reasons:
- They often rely on legacy systems and outdated software
- They lack the resources and internal expertise to improve their security posture
- There are a vast number of government entities of various sizes to target
- Government organizations are digitizing and connecting, allowing for supply chain attacks to take hold
While some of these factors are not unique to government organizations, three additional factors stand out to threat actors: these organizations have a low tolerance for downtime, they store vast amounts of personally identifiable information (PII), and they use email constantly. These factors expose them to threats – especially ransomware and BEC – and act almost as lures to threat actors who know there is money and data to be had.
Governments and cyber warfare
There is a specific strain of threats that continues to increase for government entities: cyber espionage and cyber warfare. Government entities are consistently attacking, and being attacked by, rival nation-states and threat actors working under the direction of other governments. To put the threat in context, in the summer of 2024 alone there were six major cyber incidents globally in which one nation-state was attacked by another. As the United States enters an election cycle, there is little doubt those threats will increase.
Top Government Cyber Attacks in the Last Ten Years
U.K. National Health Service (NHS)
Attack Type: Phishing, email account takeover (ATO)
Location: United Kingdom
Cost: Undisclosed
People affected: 139 employees and 1157 emails sent from hacked accounts
For over six months, email accounts belonging to 100 National Health Service (NHS) employees were also used by threat actors, who sent phishing emails from them to harvest Microsoft credentials and other valuable information. The account takeover (ATO) and the phishing campaign that followed produced over a thousand fraudulent messages.
Researchers state that the attack did not originate from a server breach but from individually compromised accounts, which highlights the importance of user security awareness and identity security.
City of Oakland
Attack type: Ransomware
Location: Oakland, California
Cost: Unknown
People affected: Unknown, at least 13,000
In February 2023, the City of Oakland suffered a ransomware attack that forced them to declare a state of emergency and impacted many non-emergency city services including permitting, payment collections, and more.
The fallout of the attack included the publishing of 600 GB of data on the dark web by PLAY ransomware group, a class action lawsuit filed by citizens of Oakland, and a lawsuit filed by the Oakland police union, as many of the records leaked contained confidential information about the police department.
UK Electoral Commission
Attack type: Vulnerability exploit
Location: United Kingdom
People affected: Millions of registered British voters
Cost: Unknown
The attack began in October 2021 but was only publicly disclosed in August 2023: the commission had been the target of an attack that stole reference copies of electoral registers. These documents contained the personal information of any U.K. voter who was registered between 2014 and 2022. The threat actors also gained access to the organization’s email systems, further exposing data. In 2024, the British government stated that the Chinese government was behind the breach and sanctioned two individuals.
While the specifics of the attack are not fully known, it’s believed that it originated with a zero-day vulnerability.
Costa Rican Government
Attack Type: Ransomware
Location: Costa Rica
People affected: Unknown
Cost: Unknown
In May 2022, multiple Costa Rican government agencies were taken offline by a ransomware attack led by the ransomware-as-a-service (RaaS) group Hive and the Conti ransomware gang. The attack was multifaceted and hit various agencies after the initial ransom demand of $10 million USD was not met, and over 600 GB of data was leaked online by the attackers. Why exactly Costa Rica was targeted is unclear, but the damage was extensive. President Rodrigo Chaves Robles declared a state of national emergency after the first round of attacks, which saw Conti members making verbal threats to overthrow the government via repeated hacks.
Canada Revenue Agency
Attack type: Credential stuffing
Location: Canada
Cost: Unknown
People affected: 48,500 personal accounts
A successful credential stuffing attack against the Canada Revenue Agency’s online portal initially impacted 5,500 personal accounts and online portals related to COVID-19 relief programs; the agency later raised the number of accounts showing suspicious activity after the breach to 48,500.
Attackers used credentials from non-governmental data breaches and were able to gain access due to users recycling login names and passwords.
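The credential stuffing pattern described above has a recognisable shape in authentication logs: one source address tries a small number of leaked passwords against many distinct usernames, rather than many passwords against one account, and a few attempts succeed where the password was reused. The following detector, an added example that is not from the original article or from any agency's own tooling, runs that logic over constructed login-audit lines. The log format, the field names and the IP addresses are assumptions; the thresholds are illustrative.

```python
"""Detect credential stuffing (one-password-per-many-accounts) in login audit lines.

Added example, not code from the article. Log format is ASSUMED to be
"<iso-timestamp> <source-ip> <username> <SUCCESS|FAIL>", one event per line.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")

# Constructed sample: one stuffing source (203.0.113.10) cycling through six
# accounts with a leaked password and hitting one reused one (frank); one
# legitimate user (gina) mistyping then logging in; one classic brute force
# (192.0.2.5) hammering a single account, which is a different pattern.
SAMPLE_LOG = """\
2024-08-01T10:00:01 203.0.113.10 alice FAIL
2024-08-01T10:00:02 203.0.113.10 bob FAIL
2024-08-01T10:00:03 203.0.113.10 carol FAIL
2024-08-01T10:00:04 203.0.113.10 dave FAIL
2024-08-01T10:00:05 203.0.113.10 erin FAIL
2024-08-01T10:00:06 203.0.113.10 frank SUCCESS
2024-08-01T10:00:10 198.51.100.7 gina FAIL
2024-08-01T10:00:20 198.51.100.7 gina FAIL
2024-08-01T10:00:31 198.51.100.7 gina SUCCESS
2024-08-01T10:01:00 192.0.2.5 admin FAIL
2024-08-01T10:01:01 192.0.2.5 admin FAIL
2024-08-01T10:01:02 192.0.2.5 admin FAIL
2024-08-01T10:01:03 192.0.2.5 admin FAIL
2024-08-01T10:01:04 192.0.2.5 admin FAIL
2024-08-01T10:01:05 192.0.2.5 admin FAIL
"""


def parse_line(line):
    """Return an event dict for a well-formed line, or None for junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, result = m.groups()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "user": user, "ok": result == "SUCCESS"}


def detect_credential_stuffing(lines, min_distinct_users=5, max_attempts_per_user=2,
                               window=timedelta(minutes=10)):
    """Flag source IPs that, within `window`, touch many distinct accounts with
    only a couple of tries each. Returns {ip: {distinct_users, failures, compromised}}.
    `compromised` lists accounts that the flagged source logged into: those need a
    forced password reset and MFA step-up, not just an IP block."""
    by_ip = defaultdict(list)
    for ev in (parse_line(l) for l in lines):
        if ev:
            by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        for i, start in enumerate(events):          # sliding window anchored at each event
            attempts = defaultdict(int)
            failures, compromised = 0, []
            for ev in events[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                attempts[ev["user"]] += 1
                if ev["ok"]:
                    if ev["user"] not in compromised:
                        compromised.append(ev["user"])
                else:
                    failures += 1
            # Stuffing signature: breadth across accounts, shallow depth per account.
            # A brute force (one user, many tries) fails the per-user cap and is not reported here.
            if len(attempts) >= min_distinct_users and max(attempts.values()) <= max_attempts_per_user:
                if best is None or len(attempts) > best["distinct_users"]:
                    best = {"distinct_users": len(attempts), "failures": failures,
                            "compromised": compromised}
        if best:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {f['distinct_users']} accounts tried, {f['failures']} failures, "
              f"logged into {f['compromised']}")
```

In a real portal the same logic would run per network prefix and per user-agent as well as per IP, because stuffing tools rotate through proxy pools; the per-user cap is what separates this pattern from password brute forcing, and the `compromised` list is the part worth acting on first.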
Bernalillo County, New Mexico
Attack type: Ransomware
Location: New Mexico
Cost: Unknown
People affected: Unknown
In the aftermath of a ransomware attack in New Mexico, prisoners incarcerated in Bernalillo County found themselves confined to their cells. The ransomware attack had taken cameras at a local jail offline and deactivated the jail’s automated doors, forcing officers to use manual keys to confine the prisoners.
In separate attacks that followed the one against the county’s jail, Albuquerque’s public school system was forced to close for two days, while Bernalillo County’s computer systems went offline, leaving residents unable to file for mortgage loans.
Pottawatomie County, Kansas
Attack type: Ransomware
Location: Kansas
Cost: $71,606.25
People affected: 150 desktop and laptop computers were breached
To regain control of servers encrypted in an attack on Sept. 17, 2021, Pottawatomie County officials agreed to pay a ransom of $71,606.25, which could be seen as a bargain considering the attackers’ initial asking price of $1 million to release control of the county’s data. The attack impacted the county’s driver’s license system and the tax department, and it persisted for two weeks.
In the aftermath of the attack, the IT team deployed additional sensors on the county’s servers and continued their investigation to determine how the attackers breached their defenses.
The City of Chicago’s Department of Aviation
Attack type: Phishing
Location: Illinois
Cost: Not disclosed
People affected: Not disclosed
When an employee of the City of Chicago’s Department of Aviation received an email from Skyline Management, a provider of custodial services at Midway and O’Hare, nothing appeared out of the ordinary. The company was an established vendor that had earned over $250 billion by providing custodial services since 2008.
The employee followed the instructions in the email, changed the company’s bank account on file from US Bank to Wells Fargo Bank, and then initiated an electronic payment for $1,150,759.82 as requested.
When Skyline Management contacted the City of Chicago weeks later to complain about a missing payment, the department realized their error and contacted Wells Fargo to hold the funds. The city did not incur a loss as the funds were still in the account.
An investigation determined that a hacked email account belonging to an employee of Skyline Management may have facilitated the attack.
The city’s finance department now requires its employees to call a vendor to confirm a bank account change by phone instead of relying exclusively on an email.
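The control the finance department adopted has one detail that decides whether it works: the callback must go to the phone number already held in the vendor master record, never to a number supplied in the email that asked for the change, since a compromised vendor mailbox can supply any number it likes. The sketch below, an added example and not the City of Chicago's system, models a payments desk that places a hold on any bank-detail change until a second person confirms it by phone on the number on file. The vendor name, banks and payment amount come from the account above; the account identifiers and phone numbers are constructed placeholders.

```python
"""Out-of-band verification hold for vendor bank-account changes (BEC defence).

Added example, not the city's own code. Account IDs and phone numbers below are
constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class VendorRecord:
    name: str
    bank: str
    account: str
    phone_on_file: str  # captured at onboarding; the only number callbacks may use


@dataclass
class BankChangeRequest:
    vendor: str
    new_bank: str
    new_account: str
    phone_in_email: Optional[str] = None  # "call me on this number" is untrusted input


class PaymentsDesk:
    def __init__(self, vendors: List[VendorRecord]):
        self.vendors: Dict[str, VendorRecord] = {v.name: v for v in vendors}
        self.pending: Dict[str, BankChangeRequest] = {}
        self.audit: List[str] = []

    def receive_change_request(self, req: BankChangeRequest) -> str:
        """An emailed change never updates the record; it only opens a hold."""
        if req.vendor not in self.vendors:
            return "unknown_vendor"
        self.pending[req.vendor] = req
        self.audit.append(f"{req.vendor}: bank change requested by email, hold placed")
        return "pending_callback"

    def record_callback(self, vendor: str, dialed_number: str, verifier: str, confirmed: bool) -> str:
        """Apply the change only if a named verifier reached the vendor on the
        number on file and the vendor confirmed the new details."""
        req = self.pending.get(vendor)
        if req is None:
            return "no_pending_request"
        rec = self.vendors[vendor]
        if dialed_number != rec.phone_on_file:
            # Covers the classic trick of a new number inside the request itself.
            self.audit.append(f"{vendor}: callback to {dialed_number} rejected (not number on file)")
            return "rejected_wrong_number"
        if not confirmed:
            del self.pending[vendor]
            self.audit.append(f"{vendor}: vendor denied the change; request discarded by {verifier}")
            return "rejected_by_vendor"
        rec.bank, rec.account = req.new_bank, req.new_account
        del self.pending[vendor]
        self.audit.append(f"{vendor}: change approved after callback by {verifier}")
        return "approved"

    def release_payment(self, vendor: str, amount: float) -> str:
        """Payments to a vendor with an unverified change on hold are blocked."""
        if vendor in self.pending:
            return "blocked_pending_verification"
        rec = self.vendors[vendor]
        return f"paid {amount:.2f} to {rec.bank} {rec.account}"


if __name__ == "__main__":
    desk = PaymentsDesk([VendorRecord("Skyline Management", "US Bank", "ACCT-ONFILE-0001", "+1-555-0100")])
    req = BankChangeRequest("Skyline Management", "Wells Fargo Bank", "ACCT-NEW-9999", phone_in_email="+1-555-0199")
    print(desk.receive_change_request(req))
    print(desk.release_payment("Skyline Management", 1150759.82))          # blocked while on hold
    print(desk.record_callback("Skyline Management", "+1-555-0199", "clerk2", True))  # email's number: rejected
    print(desk.record_callback("Skyline Management", "+1-555-0100", "clerk2", False))  # vendor says no
    print(desk.release_payment("Skyline Management", 1150759.82))          # goes to the original account
```

Two properties matter here: the hold blocks payment rather than merely warning, so a busy clerk cannot pay first and verify later, and the verifier is recorded separately from the person who received the email, which gives the audit trail the second pair of eyes the control depends on.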
City of Riviera Beach, Florida
Attack type: Phishing
Location: Florida
Cost: $600,000 ransom paid by insurance company; $941,000 for computer equipment
People affected: Not disclosed
An attack in May 2019, which began when an employee in the police department opened an infected email, took the City of Riviera Beach’s main computer system offline, affecting every department. The city’s finance department was forced to manually issue payroll checks that would otherwise have been deposited automatically in employee accounts.
To secure the safe return of stolen data taken during the ransomware attack, city council members approved the payment of a $600,000 ransom, payable in Bitcoin by the city’s insurance company.
Additionally, the city agreed to spend almost $1 million to upgrade computer equipment, including the purchase of 310 new desktops and 90 laptop computers. The city’s IT department also engaged consultants to add safeguards and redundancies to prevent future attacks.
City of Atlanta
Attack Type: Ransomware
Location: Atlanta
Cost: $17 million
People affected: Undisclosed
In March of 2018, a cyber attack against the City of Atlanta crippled government services. It took nearly a third of the city’s software programs offline and infected 3,789 computers. The attack impacted critical police services and the city’s court system, including the loss of police dash-cam recordings related to active prosecutions.
The attackers demanded a ransom of $51,000 to release the government’s data, payable in Bitcoin, which the city declined to pay. A confidential report estimates a $17 million cost to taxpayers.
On December 5, 2018, the Department of Justice indicted Iranian nationals for their role in the attack.
City of Baltimore
Attack type: Ransomware
Location: Baltimore
Cost: $18.2 million
People affected: Undisclosed
Threat actors successfully deployed RobbinHood ransomware against the City of Baltimore in 2019, which ended up costing the city $18.2 million. The attack compromised the city’s networks, took its email system offline, and adversely impacted its dispatch system.
The attackers demanded a payment of $76,000, which officials declined to pay thanks to advice from the Secret Service and the FBI, plus the city’s leadership did not want to reward criminal behavior.
Ultimately, however, Baltimore experienced a loss that far exceeded the ransom request.
UK National Health Service
Attack type: WannaCry ransomware
Location: United Kingdom
Cost: £92 million (about $125 million USD)
People affected: 19,000 patient appointments
A 2017 ransomware attack involving the notorious WannaCry variant, launched by North Korea, inflicted losses of £92 million (about $125 million USD) and resulted in the cancelation of 19,000 medical appointments in the week following the attack.
The WannaCry attack is known as one of the most damaging ransomware attacks in modern history, infecting 200,000 computers in 150 countries, including devices owned by the U.K. NHS, Spain’s Telefónica, and several financial institutions.
The Public Sector and the MOVEit Vulnerability Exploit
MOVEit Transfer, a managed file transfer service that is a common choice among organizations, contained a vulnerability that was exploited as a zero-day in the summer of 2023.
The vulnerability became known only during and after the Cl0p ransomware group exploited it to attack over 169 organizations (169 were observed between June and July 2024). While the group targeted organizations of all sizes and industries, it also hit the U.S. government hard. Victims include the Department of Defense, the U.S. Air Force, the U.S. Army, the Army Corps of Engineers, the Department of Health and Human Services, the Department of Agriculture, and others.
How Government Entities Can Improve Their Cybersecurity
It’s clear that these threats aren’t going away, but that doesn’t mean government entities can’t continue their security journey and defend themselves. There are multiple actions any government organization can take to improve their security posture and put themselves in a better position when it comes to overall cybersecurity.
1. Implement security awareness training that focuses on phishing threats
Phishing is a primary social engineering technique for threat actors targeting government entities, because these users rely on email and are often undertrained to recognize social engineering. By investing in a security training solution that offers phishing simulations, phishing-specific training, and more, you both reduce human risk and turn your users into defenders.
2. Conduct basic file backups to limit the impact of ransomware
Basic file backups, alongside other incident response planning measures, can reduce overall impact, downtime, any subsequent ransom payment, and more if a ransomware incident occurs. In 71% of Arctic Wolf Incident Response engagements for ransomware in 2023, the victim organization was able to leverage backups in some capacity to restore their environment.
3. Secure the cloud
Government organizations are digitizing fast, but the cloud is often left behind when it comes to securing these new aspects of the attack surface, even as 44% of security incidents originate in the cloud. Work with a third party, your cloud provider, or with internal teams to ensure your cloud has the same level of defense as your on-premises servers to reduce the risk of a sophisticated attack.
4. Enforce identity and access management (IAM) best practices
Government organizations are made up of their employees, and those employees are accessing email accounts, sensitive data files, and more all day, every day. By ensuring those users’ identities and access are protected through 24×7 monitoring, multi-factor authentication (MFA) and other measures, your organization can stop an initial attack before the attacker moves laterally or escalates privileges.
5. Work with a partner to employ 24×7 monitoring, detection, and response
Government organizations are often strained by budget and resources when it comes to cybersecurity, and threat actors are taking advantage of their struggles. By partnering with a third-party security operations provider, these entities can ensure there are eyes-on-glass 24×7 and both humans and technology solutions are ready to swiftly detect threats and respond before they turn into incidents.