Why phishing attacks are increasingly targeting the public sector (and what you can do about it)

CERT-LatestNews ThreatsStrategic

phishing (wk1003mike/Shutterstock.com)


Why phishing attacks are increasingly targeting the public sector (and what you can do about it)

One need only look at the news to know cyberattackers are targeting government with renewed vigor. The massive 2015 breach of the Office of Personnel Management and reported hacks into the Democratic National Committee emails all dramatically underscore the fact that government and political organizations are a large and rapidly growing target for political hacktivism and cyber espionage.

But while cyberattacks on the largest agencies have received the lion’s share of the headlines, cybercriminals are also putting rejuvenated effort into attacks against smaller, lesser known public-sector agencies. While clearly not as sensational as the OPM hack, attacks against the Kansas Commerce Department, which leaked millions of Social Security numbers across 10 states, and against the Oklahoma Office of Management and Enterprise Services, compromising the personal information of more than 430,000 people in that state, have had a dramatic and far-reaching impact on public-sector security.

Perhaps surprisingly, these lower-profile attacks are garnering cybercriminals lucrative returns. And here’s why — by targeting the low-hanging fruit in the commercial space they can eventually reach their desired targets. Initially, hackers interact with the supply chain or whatever “weak link” gets them in the door of larger organizations where they can then access a bounty of sensitive data.

Attackers take a similar approach with government agencies, targeting smaller organizations that typically lack adequate security defenses and are deemed easy targets.  These vulnerable, smaller government organizations also house an abundance of personal citizen data, including Social Security information and tax returns. While valuable on its own, this kind of highly sensitive user information opens the door for bigger, more sophisticated and expansive attacks that could lead to even more lucrative returns. Consequently, attackers see less reason to go after the highly defended Defense Department, when attacking a smaller agency can give them just as big a bang for their buck.

Phishing for targets: Infiltrating the government network

While it might be surprising in light of the sophisticated security landscape, today’s cyberattackers are still relying on age-old phishing attacks to infiltrate government networks. Government agencies, particularly small ones, often lack adequate email security defenses designed to combat increasingly stealthy threats. All too often, antivirus software — a cornerstone of most small agencies’ security infrastructure — won’t even recognize the latest cyberthreats.

Meanwhile, despite the fact that malicious attachments are the primary cause of network compromise, file-based malware largely remains an enigma to most public-sector organizations. Less than two percent of malicious PDFs contain “just” an embedded file, while around 40 percent of Excel and 27 percent of Word malware have no macro or embedded file. This means that organizations that attempt to identify macros as their primary phishing attack defense strategy can easily miss malware in related attachments. All it takes is a click on one malware-bearing file for the attacker to successfully get in the door to compromise an entire government or public-sector network.

What’s more, phishing attacks  have been proved effective time and time again because employees repeatedly fall victim to them. According to Glasswall research, the vast majority (82 percent) of employees open email attachments if they appear to be from a known contact, despite learning about sophisticated social engineering attacks from their security training. Of those, 44 percent opened these email attachments every time they received one.

These days, it’s easier than ever for attackers to acquire personal details of government employees. A  simple social media search can uncover location, employment information and other personal interests. These details in turn can be leveraged with other types of data found in documents containing personally identifying information on government websites. From there, attackers use the combined information to craft an email that appears to be from a friend or colleague, often addressing the user with a subject that appears to have immediate relevance or requires action.

Criminals then hide malicious code — such as a macro or JavaScript — in the structure of what appears to be a common Office document or an attached functional element, which is accompanied by a socially engineered email designed to trick employees into clicking or downloading. Government employees who aren’t trained in email security best practices will often automatically open on the infected attachment, unintentionally downloading malware that can compromise the entire network and steal valuable data.

Even those employees who have been trained in network security become victims. Unlike phishing attacks in years prior, today’s social engineering is so sophisticated that it can often successfully deceive even the savviest of security experts.

Bolstering the government security arsenal

Like many industries, the public sector is having a tough time protecting itself from phishing attacks. And perhaps one of the most significant challenges agencies face is that their approved legacy security infrastructure is becoming alarmingly less effective at combatting advanced threats. 

Email security solutions, in particular, have become less effective over time. Initially created to identify and reduce spam, they still leave many organizations susceptible to more malicious attacks, such as ransomware, botnets, viral worms and information-stealing Trojans.

One of the reasons for these diminished returns is that most of solutions on the market are reactive – that is, based on detection of malicious code. The result is that they often unable to defend against an attack that doesn’t meet predefined parameters.