
There is something compelling about bad news. Maybe that is why so many people consume true crime podcasts and TV drama series. It might also explain why so many of us find cyberattacks, especially ones that hit critical infrastructure and large-scale operations, so interesting. But for a leader in state or local government, these stories go beyond fascination; they can spark uneasiness and even a bit of fear.

Luckily, we don't have to read these cautionary tales from a place of panic. Past incidents are something to learn from, and the four stories below from the past few years each carry a concrete lesson. Read that way, news of public sector cyberattacks can spur teams to evolve their security mindset and take practical steps to improve their organizations.

Why state and government entities are targeted

There are a few reasons why public sector organizations are particularly susceptible to cyberattacks. For one, many government organizations lean on legacy technology because of limited resources, and older systems are harder to patch and monitor.

The public sector also tends to have staffing gaps. The Office of Veterans Affairs reported that there were 40,000 cyber jobs open across federal, state, and local governments. For state and local organizations, this shortage often means a small security team or no dedicated security personnel at all.

To combat cyber threats, public sector organizations need to get strategic with their approach to cybersecurity, leveraging solutions and processes that enable them to work “smarter, not harder.” Let’s cover four examples of state and local government cyberattacks and discuss some practical tips that other public sector organizations can leverage to avoid these situations.

1. Colorado’s Department of Transportation

In 2018, Colorado's Department of Transportation was forced offline by ransomware. According to the Colorado Sun, the attack started when the intruders found a temporary server that was being used for testing. The team hadn't applied any of its standard security controls to this system.

From there, the attackers moved laterally to reach the DOT's main systems and began shutting down databases and applications. Although the state didn't pay the ransom, Colorado spent around $1.7 million to wipe and rebuild more than 2,000 affected computers and get systems back online.

Lesson learned: Public sector organizations must implement proactive measures to catch ransomware attacks early, and those measures must cover every system, including "temporary" ones.

Your team can start with low-cost logging and monitoring that detects signs of an attacker performing reconnaissance on your network or attempting a break-in. These signs often include the appearance of network scanners, process-manipulation tools such as Process Hacker (commonly used to kill security agents), Active Directory enumeration tools, Mimikatz, or Microsoft Process Explorer on machines where they have no business being. Small-scale test attacks, such as a single host suddenly probing many others, are also a red flag.

Deploying honeypots is also a good idea. A decoy server or share that no legitimate user should ever touch entices attackers to act, which reveals their presence and where they are in your network, so you can contain them before further lateral movement.
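The detection logic described in the two paragraphs above, as an added example that is not part of the original post or of Blumira's product. It runs over constructed process-creation and network-connection events shaped like Sysmon Event ID 1 and 3 records (the field names, host names, and the decoy address 10.20.0.250 are assumptions) and flags the tools named above, command lines that betray a renamed Mimikatz binary, a host fanning out to many peers, and any connection to a honeypot host:

```python
"""Flag early-stage ransomware tradecraft in endpoint and network telemetry.

Added example, not Blumira's detection logic. EVENTS is constructed to
resemble Sysmon Event ID 1 (process create) and Event ID 3 (network
connect) records; the field names and addresses are assumptions.
"""
import re

# Tool names cited in the lesson above plus a few common aliases.  Attackers
# often rename binaries, so the command-line patterns below matter too.
SUSPICIOUS_IMAGES = {
    "mimikatz.exe": "credential dumping (Mimikatz)",
    "processhacker.exe": "process manipulation (Process Hacker)",
    "procexp.exe": "process inspection (Process Explorer)",
    "procexp64.exe": "process inspection (Process Explorer)",
    "nmap.exe": "network scanning",
    "advanced_ip_scanner.exe": "network scanning",
    "adfind.exe": "Active Directory enumeration",
    "sharphound.exe": "Active Directory enumeration (BloodHound collector)",
}
SUSPICIOUS_CMDLINE = [
    (re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.I), "Mimikatz module invoked"),
    (re.compile(r"\bnet\s+(group|user)\s+.*/domain", re.I), "AD group/user enumeration"),
    (re.compile(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b", re.I), "shadow copy deletion"),
]
DECOY_HOSTS = {"10.20.0.250"}   # honeypot: nothing legitimate connects here (assumed)
SCAN_DISTINCT_HOSTS = 20        # one source touching this many peers looks like a scan

# Constructed sample telemetry: a neglected test server doing credential
# dumping and scanning, and a workstation enumerating Domain Admins.
EVENTS = [
    {"id": 1, "host": "ws-042", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"id": 1, "host": "test-srv01", "image": r"C:\Users\admin\Downloads\mk.exe",
     "cmdline": '"mk.exe" "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"id": 1, "host": "test-srv01", "image": r"C:\Tools\ProcessHacker.exe",
     "cmdline": "ProcessHacker.exe"},
    {"id": 1, "host": "ws-042", "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "Domain Admins" /domain'},
    {"id": 3, "host": "test-srv01", "src": "10.20.5.17", "dst": "10.20.0.250", "dport": 445},
] + [
    {"id": 3, "host": "test-srv01", "src": "10.20.5.17", "dst": f"10.20.0.{n}", "dport": 445}
    for n in range(1, 31)
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (host, label, detail) findings for the events given."""
    findings = []
    peers_by_src = {}   # source IP -> set of destination IPs
    host_of_src = {}
    for ev in events:
        if ev["id"] == 1:
            name = basename(ev["image"])
            if name in SUSPICIOUS_IMAGES:
                findings.append((ev["host"], SUSPICIOUS_IMAGES[name], ev["cmdline"]))
            for pattern, label in SUSPICIOUS_CMDLINE:
                if pattern.search(ev["cmdline"]):
                    findings.append((ev["host"], label, ev["cmdline"]))
        elif ev["id"] == 3:
            if ev["dst"] in DECOY_HOSTS:
                findings.append((ev["host"], "decoy host contacted",
                                 f'{ev["src"]} -> {ev["dst"]}:{ev["dport"]}'))
            peers_by_src.setdefault(ev["src"], set()).add(ev["dst"])
            host_of_src[ev["src"]] = ev["host"]
    for src, peers in peers_by_src.items():
        if len(peers) >= SCAN_DISTINCT_HOSTS:
            findings.append((host_of_src[src], "possible network scan",
                             f"{src} contacted {len(peers)} distinct hosts"))
    return findings


if __name__ == "__main__":
    for host, label, detail in analyze(EVENTS):
        print(f"[{host}] {label}: {detail}")
```

The renamed `mk.exe` is missed by the image-name list but caught by its command line, which is why both checks are kept; the decoy-host rule fires on a single packet because nothing legitimate should ever touch a honeypot.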

2. Quincy, Illinois

In early 2022, Quincy, Illinois, faced a significant cyberattack that compromised and encrypted city files. The city felt the repercussions for months after the initial incident. According to a news article, many departments were still not fully functional six months later. For example, the Planning and Development department still couldn't accept credit card payments when issuing building permits.

Lesson learned: State and local governments should limit the damage of a breach by following standard security guidelines and keeping restorable system backups.

Public sector organizations can lower the chance of a successful breach by using resources such as cybersecurity frameworks or security playbooks to follow established best practices. These pre-written guidelines minimize guesswork and make it far easier to cover your bases, reducing the overall attack surface.

Quincy's cautionary tale also shows the importance of maintaining system backups, especially of the assets that business functions and public services depend on. To save costs, start with those key assets rather than the entire environment. Two caveats matter: ransomware operators routinely delete or encrypt any backup they can reach, so at least one copy should be offline or immutable and not writable from the production network, and a backup only counts if you have actually restored from it, so test restores periodically. With that in place, a breach becomes a restore job rather than a months-long outage.

3. Ft. Lauderdale, Florida

The city of Fort Lauderdale received an invoice from a known contractor called Moss Construction requesting a payment of $1.2 million. The email seemed legitimate to officials. The Fort Lauderdale mayor said, “[the scam] wasn’t just an email, like, ‘Hey, this is Moss Construction. Send me $1.2 million,’ It was followed up with full documentation, multiple paperwork.”

The city officials authorized the payment, only to find out later that it was a fraudulent request. Unfortunately, the city never got its money back. 

Lesson learned: It's critical to deploy periodic, organization-wide training on identifying phishing and business email compromise (BEC) schemes, including fraudulent vendor invoices that arrive with convincing paperwork.

A few specific education areas to focus on include:

  • Telltale signs of a malicious email, such as an abnormal subject line, a sender address that almost but not quite matches a known vendor, a Reply-To that goes somewhere else, or pressure to act urgently on a payment or a change in banking details
  • Steps to take to confirm whether or not an email is legitimate, starting with a call to the vendor on a number from your existing records rather than one printed in the email
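An added example of the checks in the list above, written for this post and not taken from Blumira's Phishing 101 guide. It parses a constructed invoice email with Python's standard `email` module, compares the sender domain against an assumed vendor allowlist (the domains `moss.example` and `city.example` are made up), reads the receiving mail server's `Authentication-Results` header for SPF and DKIM outcomes, and flags the urgency and banking-change language that characterizes invoice fraud:

```python
"""Triage an inbound invoice e-mail before anyone approves a payment.

Added example, not Blumira's code or guide.  The messages and domains below
are constructed; KNOWN_VENDOR_DOMAINS is an assumed allowlist that a real
finance team would maintain from its vendor master file.
"""
import re
from email import message_from_string
from email.utils import parseaddr

KNOWN_VENDOR_DOMAINS = {"moss.example"}
URGENCY = re.compile(r"\b(urgent|immediately|past due|final notice|wire)\b", re.I)
PAYMENT_CHANGE = re.compile(r"bank(ing)? details|new account|remittance", re.I)

# Constructed fraudulent message: lookalike domain ("rnoss" for "moss"),
# off-domain Reply-To, failed SPF, no DKIM, urgent banking change.
FRAUD_MESSAGE = """\
From: "Moss Construction Accounts" <billing@rnoss.example>
Reply-To: ar-team@outlook-invoices.example
To: payments@city.example
Subject: URGENT: Updated remittance details for invoice #4471
Authentication-Results: mx.city.example; spf=fail smtp.mailfrom=rnoss.example; dkim=none
Content-Type: text/plain; charset=utf-8

Our banking details have changed. Please wire the outstanding balance
immediately to the new account in the attached letter.
"""

# Constructed legitimate message from the real vendor domain.
CLEAN_MESSAGE = """\
From: "Moss Construction Accounts" <billing@moss.example>
To: payments@city.example
Subject: Invoice 4470 for March services
Authentication-Results: mx.city.example; spf=pass smtp.mailfrom=moss.example; dkim=pass header.d=moss.example
Content-Type: text/plain; charset=utf-8

Attached is invoice 4470, net 30 per our contract.
"""


def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains such as rnoss vs moss."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Domain part of the address in a From/Reply-To header."""
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()


def review_invoice_email(raw, known_vendors=KNOWN_VENDOR_DOMAINS):
    """Return the red flags found and whether to hold the payment for a callback."""
    msg = message_from_string(raw)
    flags = []

    sender = domain_of(msg.get("From", ""))
    if sender not in known_vendors:
        lookalikes = [v for v in known_vendors if 0 < levenshtein(sender, v) <= 2]
        if lookalikes:
            flags.append(f"sender domain {sender} looks like known vendor {lookalikes[0]}")
        else:
            flags.append(f"sender domain {sender} is not an approved vendor")

    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != sender:
        flags.append(f"Reply-To domain {domain_of(reply_to)} differs from sender domain")

    # The receiving mail server records SPF/DKIM outcomes here; anything
    # other than "pass" means the message may not come from whom it claims.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim"):
        result = re.search(rf"\b{mech}=(\w+)", auth)
        if not result or result.group(1).lower() != "pass":
            flags.append(f"{mech} did not pass ({result.group(1) if result else 'absent'})")

    text = f'{msg.get("Subject", "")}\n{msg.get_payload()}'
    if URGENCY.search(text):
        flags.append("urgency pressure in subject or body")
    if PAYMENT_CHANGE.search(text):
        flags.append("request to change payment details")

    return {"flags": flags, "hold_for_callback": bool(flags)}


if __name__ == "__main__":
    for name, raw in (("fraud", FRAUD_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, review_invoice_email(raw))
```

Any single flag is enough to hold the payment, because the Fort Lauderdale email looked complete on its face; the decisive control is the out-of-band callback, which no header check replaces.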

You can leverage Blumira’s free Phishing 101 guide as a simple way to educate your employees on the basics.

4. Alaska Department of Health and Social Services

On May 2, 2021, the Alaska Department of Health and Social Services (DHSS) saw the first signs of an intrusion. Three days later, Alaska's Office of Information Technology Security Office notified DHSS of unauthorized computer access, and DHSS immediately shut down systems to prevent the attackers from moving laterally any further.

But in the three-day window between the first signs of intrusion and the state's action, personally identifiable information (PII) from across the state was available to the intruders, who were later assessed to be a sophisticated nation-state-level attacker.

The incident was a breach under the Health Insurance Portability and Accountability Act (HIPAA) and the Alaska Personal Information Protection Act (APIPA). According to an official press release, "Before DHSS implemented the shutdown, the attackers potentially had access to the following types of individuals' information: full names, dates of birth, Social Security numbers, addresses, telephone numbers, driver's license numbers, internal identifying numbers (case reports, protected service reports, Medicaid, etc.), health information, financial information, and historical information concerning a person's interaction with DHSS."

Lesson learned: Cyberattacks unfold faster than a manual process can respond, so it's important to establish security automation for containing threats.

In many cases, including this one, an attack moves quickly enough that it is hard for humans to find and stop it manually, especially on a small team without round-the-clock coverage. Security automation provides rapid containment and multiplies the efforts of a lean, time-pressed team. You can use automation to block malicious source IPs or domains at the perimeter, or to cut an affected endpoint off from the rest of the network, while leaving guardrails in place so that a noisy alert cannot isolate a domain controller or the backup server.

By containing threats near-instantaneously, you can prevent significant repercussions from an attack and have the time to investigate the incident safely.

How Blumira Supports Public Sector IT Teams

As alarming as these stories are, there is still good news: your team is in a good position to turn these cautionary tales into smart, preventative security measures.

As you move forward with these recommendations, Blumira is here to help. Our platform was purpose-built for lean IT and security teams, making us an excellent fit for resource-strapped state and government organizations. We provide a centralized platform for simplified security with:

  • Logging and monitoring for early signs of ransomware and other suspicious activity
  • Resources that make it easier for small IT teams to adhere to security best practices, such as security playbooks and 24/7 SecOps support
  • Security automation for containing threats as soon as they appear

Read more about how we help public sector teams meet NIST requirements.
