
Why Attackers Target the Government Industry


Key Takeaways:

  • Government sites are full of information attackers want, so it’s crucial to defend them properly.
  • DDoS is an easy tool for attackers to use to disrupt government sites, which can have far-reaching consequences, as we saw early in the Russia-Ukraine war.
  • Remote code execution (RCE) attacks can give attackers access to the entire system and allow them to exfiltrate vast amounts of data.
  • Shadow APIs are a widespread issue in government APIs, at almost 20% of all API traffic.
  • An attacker’s access to third-party software, like Solarwinds or GoAnywhere, can have lasting and devastating effects.

Background

Government sites hold a wealth of sensitive data that attackers want. Beyond personal data, government agencies often hold sensitive information such as human rights complaints, internal communications, or even, if an attacker is lucky, classified information. On top of the huge financial motivation to target these sites, government agencies offer a prime opportunity for a hostile state actor, or even a motivated hacktivist, to gain political leverage. For example, a few years ago attackers targeted the US government with malware known as X-Agent, which spread via spear phishing to Democratic campaign officials, NGOs, political organizations, and government agencies. The malware was designed to steal data and capture video and audio from infected computers in an attempt to gather embarrassing information about the party and influence the 2016 elections.

Government is a broad category, and includes a wide variety of agencies and organizations. It can include high-level agencies like the FBI, the White House, or the State of California, as well as a local waste collection agency or police department. Because there are so many moving parts in government work, there are lots of access points – not to mention the widely varied security controls and levels of cyber sophistication. Variation in funding and job openings means that these agencies often rely on contractors to defend their systems, which creates another access vector for a savvy attacker. Any third-party access, like contractors, adds an additional layer of access that may or may not have the same level of security as the original agency, and an attacker able to access the contractor’s systems could work their way up.

Government sites are also federally mandated to protect against cyber threats. The Federal Information Security Modernization Act, or FISMA, requires federal agencies to implement information security programs. The Federal Risk and Authorization Management Program (FedRAMP) sets security standards for cloud service providers used by government agencies. Federal agencies are required to follow government standards to maintain proper cyber defense, but these standards aren’t perfect.

Government sites’ widely varied access points and security controls mean an attacker can have a field day with the right target. Read on to learn more about common attacks and what government agencies can do to defend their networks, applications, and data.

DDoS

DDoS is a relatively common attack on government sites. DDoS services are widely available, and can cause massive damage. In the early stages of the Russia-Ukraine war, for example, hacktivists and government cyber agencies on both sides used coordinated DDoS attacks to temporarily disable or deface government sites publishing important information.

Application DDoS attacks on Imperva-protected government sites were relatively stable in the past year, aside from a large targeted attack in June 2022 that was quickly mitigated by Imperva.

[Figure: Application DDoS, maximum RPS]

On the network DDoS side, attacks were more varied. There were multiple large spikes, which mostly correlated with a government software company that was targeted multiple times throughout the year. This company provides software for hundreds of government agencies, so compromising its software could cause supply-chain issues, providing attackers with a way to access loads of government data.

[Figure: Network DDoS, maximum bandwidth]

DDoS is often leveraged as a relatively cheap and accessible attack. At the beginning of the Russia-Ukraine war, Imperva saw DDoS attacks on Ukrainian sites shoot up by over 1000%, as both Russia and its supporters saw an easy way to take down Ukrainian communications, payment systems, and more. Network DDoS attacks on Ukraine never again reached the peak they had in February 2022, but application DDoS attacks remained active and peaked in July with an almost 400K RPS attack on a Ukrainian bank.

Web Application & API Protection

Government sites need effective defenses against attacks on APIs and other vulnerabilities in web applications for many reasons. Government applications are often interconnected to make federal communication easier, and accessing one database could open up a world of knowledge to a savvy attacker. Malicious attacks that prevent a site from being accessible could cause widespread damage in an emergency situation where important information needs to be conveyed. Personal or internal data, such as sensitive records or HR communications, is devastating if compromised in any industry. For government sites specifically, however, a loss of classified information could damage the country’s reputation, cause international incidents, or even lead to mass casualties if troop locations or movements are stolen in a wartime scenario.

In the last year, remote code execution was the leading attack against government targets. RCE is a flexible attack that, if successful, can be leveraged to steal information, leave backdoors, or conduct other attacks. It’s used in many situations by bad actors.

[Figure: Government industry, OWASP Top 10 attacks]

In 2020, the high-profile SUNBURST attack hit the news. This attack exploited access in Microsoft, Solarwinds, and VMWare software to break into at least twelve US federal government agencies, including the Pentagon, and four local governments. This level of access undoubtedly allowed the theft of huge amounts of important data, and it had lasting consequences as the government remediated and recovered from the attack.

In March, attackers conducted a targeted attack against sites belonging to a US State government. The majority of these were data leakage attacks, which attempt to exfiltrate data from internal databases. The attackers used bots coming from just under 4K distinct IPs, almost entirely based in the US. This attack, at over 100M requests, is the single largest data leakage attack on US government sites in the past year, and the attack was four times larger than the previous attack record. 

The 2015 Office of Personnel Management data breach is probably the best-known example of a government data leakage attack. A Chinese hacking group accessed millions of federal employees’ records, including SSNs, security clearance information, and fingerprints.

Critical vulnerabilities are also a frequent access vector for attackers looking to target government sites. Recently, many local governments have been in the news with data breaches related to the GoAnywhere CVE (CVE-2023-0669). In the last year, the number one CVE Imperva saw attackers looking to exploit on government sites was, unsurprisingly, Log4Shell (CVE-2021-44228), followed by a PHPUnit RCE vulnerability from 2017.

[Figure: Government industry, top 3 CVEs]

Government agencies are also federally mandated to make data more accessible via the use of web APIs, through regulations such as the 2009 Open Government Directive and the 2014 DATA Act. On top of these regulations, the API.gov initiative promotes resources and guidance to agencies looking to use web APIs safely. 

In addition to known attack vectors and critical vulnerabilities, APIs are exposed to further threats, including business logic abuse and shadow APIs. Shadow APIs are APIs that are undocumented and not maintained by normal IT management and security processes, yet never removed, and they present a threat to government sites. In the last six months, 17% of all API traffic Imperva protects went to API endpoints flagged as a shadow API. These forgotten and unmaintained APIs give attackers a leg up into the rest of the system, which can have devastating consequences.
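One way a defender can find shadow APIs is to reconcile gateway access logs against the documented endpoint inventory and measure how much traffic hits routes nobody has documented. The script below is an added example and not Imperva's or any agency's code; the log lines, the route templates and the `DOCUMENTED` inventory are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of API gateway access-log lines (not real data):
# timestamp, method, path, status.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z GET /api/v2/permits/123 200
2023-05-01T10:00:02Z GET /api/v2/permits/456 200
2023-05-01T10:00:03Z POST /api/v2/permits 201
2023-05-01T10:00:04Z GET /api/v1/permits/789 200
2023-05-01T10:00:05Z GET /api/v1/export/all?format=csv 200
2023-05-01T10:00:06Z GET /api/v2/permits/321 200
"""

# Hypothetical documented inventory of (method, path template), as it would be
# extracted from an OpenAPI spec; {param} marks a path parameter.
DOCUMENTED = {
    ("GET", "/api/v2/permits/{id}"),
    ("POST", "/api/v2/permits"),
}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def template_to_regex(template):
    # Each {param} segment matches exactly one path segment; literals are escaped.
    parts = ["[^/]+" if s.startswith("{") and s.endswith("}") else re.escape(s)
             for s in template.split("/")]
    return re.compile("^" + "/".join(parts) + "$")

def normalize(path):
    # Collapse numeric IDs so hits on the same undocumented resource group together.
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

def find_shadow_apis(log_text, documented):
    """Return (Counter of undocumented (method, path) -> hits, share of all requests)."""
    compiled = [(m, template_to_regex(t)) for m, t in documented]
    hits, total = Counter(), 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _, method, path, _ = m.groups()
        total += 1
        path = path.split("?", 1)[0]   # the query string is not part of the route
        if not any(meth == method and rx.match(path) for meth, rx in compiled):
            hits[(method, normalize(path))] += 1
    shadow = sum(hits.values())
    return hits, (shadow / total if total else 0.0)
```

On the constructed sample, the two undocumented v1 routes account for a third of the requests; on real logs the same ratio is the number to compare against the 17% cited above.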

Bad Bots

Bots account for an average of 26% of traffic to government websites. Bad bots – malicious automated software applications capable of high-speed abuse, misuse, and attacks – account for 22% of all traffic to government websites, making up the majority of automated traffic. Good bots, at just 4%, may help manage things like online appointments or local government updates, but they can also be exploited by bad actors.

[Figure: Government industry, requests by client type]

In 2020, Imperva saw bots potentially scalping vaccine appointments in order to resell them at higher prices. This use case is similar to one commonly seen in the entertainment industry with tickets, despite the government’s 2016 BOTS Act to restrict reselling practices. The government industry has also experienced scalping related to National Park ticket lotteries and DMV appointments. It is not unfathomable that bots could be snatching up other important government appointments, affecting citizens’ ability to get documents or services in a timely manner.

Account takeover (ATO) is another common automated attack in which bots gain access to accounts with the purpose of compromising valuable personal or financial information and more. In 2022, ATO spiked towards the end of the year due to two targeted attacks on a New Jersey government site and an Israeli defense site.

[Figure: Government industry, ATO logins]

In the New Jersey attack, attackers targeted the login and online payment portals in an attempt to access the personal and financial information of New Jersey residents. Most attacks came from the US, followed by Canada and Puerto Rico. The Israel attack, on the other hand, mostly targeted API sites and admin logins, probably to access backend data and establish more persistent access to the system. These attacks came from a more varied range of IPs, including Israel, the US, France, Russia, and even Iran.
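Automated ATO against a login portal leaves a characteristic trace in authentication logs: one source trying many different accounts in a short window, followed by the occasional success. The detector below is an added example, not Imperva's product logic; the audit events, IPs and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login audit events (not real data): (timestamp, src_ip, username, outcome).
EVENTS = [
    ("2022-11-20T08:00:00", "203.0.113.7", "alice", "fail"),
    ("2022-11-20T08:00:01", "203.0.113.7", "bob", "fail"),
    ("2022-11-20T08:00:02", "203.0.113.7", "carol", "fail"),
    ("2022-11-20T08:00:03", "203.0.113.7", "dave", "fail"),
    ("2022-11-20T08:00:04", "203.0.113.7", "erin", "success"),
    ("2022-11-20T08:05:00", "198.51.100.2", "alice", "fail"),   # ordinary typo, then success
    ("2022-11-20T08:05:30", "198.51.100.2", "alice", "success"),
]

def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=4):
    """Flag source IPs whose failed logins span >= min_users distinct accounts inside
    a sliding window, and report accounts that then logged in successfully from
    a flagged IP (candidates for forced password reset and session revocation).
    Returns ({ip: max distinct failed usernames in one window}, {at-risk usernames})."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in sorted(events, key=lambda e: e[0]):
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome))
    flagged, at_risk = {}, set()
    for ip, evs in by_ip.items():
        fails = [(t, u) for t, u, o in evs if o == "fail"]
        lo = 0
        for hi in range(len(fails)):
            # Advance the window start so fails[lo:hi+1] all fall within `window`.
            while fails[hi][0] - fails[lo][0] > window:
                lo += 1
            users = {u for _, u in fails[lo:hi + 1]}
            if len(users) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
        if ip in flagged:
            at_risk.update(u for _, u, o in evs if o == "success")
    return flagged, at_risk
```

A single user mistyping a password is left alone because the rule keys on the number of distinct accounts per source, not on the raw failure count.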

Early this year, over 100K Australian government credentials were discovered on a Dark Web forum. The credentials were not stolen directly from government sites, but rather from instances where employees used their .gov.au email addresses to log into other sites, which, if they reuse passwords, can have devastating consequences.

Conclusion

Government sites, with their wealth of data and connectivity, will always be an extremely tempting target for malicious hackers. It’s important to protect your sites inside and out. Invest in proper security measures and have a cybersecurity plan, but also make employees aware of cyber threats and how to detect phishing scams, monitor activity, and enforce the least privilege required.
