On November 13, cyber-security researchers reported that FBI email servers were compromised and used to distribute spam emails spoofing the law enforcement agency. The emails contained warnings, purportedly from the FBI, of a “sophisticated chain attack” whereby the recipients’ network was breached and data had been stolen. 

Although this is a somewhat unusual example of targeting government bodies, attacks and breaches to this industry are common. According to The 2021 Verizon DBIR, there were 3,236 incidents within public administration, with 885 leading to breached data. Social engineering was responsible for over 69% of breaches. Digital Shadows (now ReliaQuest)’ data, outlined in the following sections, shows further evidence of targeting of the public sector.

Governments can be an enticing target

Government bodies hold plenty of valuable data, which makes them an enticing target to threat actors. This is especially so for those that may hold personal data, such as passport numbers and social security numbers. The breach of the U.S. Office of Personnel Management (OPM) in 2015, where state-sponsored actors stole Social Security numbers, fingerprints, names, dates and places of birth, and addresses.

Governments and public bodies are also targeted by cybercriminals. According to the 2021 Verizon DBIR, the most common stolen data was credentials. 

Once stolen, credential lists are widely sold and traded on cybercriminal forums and marketplaces, or used for brute-force (in 2020, over 80 percent of breaches related to hacking involved brute-force cracking or the use of lost or stolen credentials).

Ransomware targeting of Government

In March 2021, Ryuk ransomware infected computers with the Spanish Government labor agency offices (shown below). In May, the D.C. police department had data dumped online by the Babuk ransomware group. In July, the Bristol police department similarly suffered from a ransomware attack. 

Source: Bleepingcomputer.com


However, the targeting of government and public bodies is a global trend that extends beyond these examples. According to Digital Shadows (now ReliaQuest) reporting on ransomware sites, there have been 82 government entities that have had their data posted to ransomware dump sites. This targeting is spread across many ransomware variants; among the ransomware variants targeting this industry were Clop, Avaddon, Ryuk, NetWalker, Conti, DopplePaymer, Egregor, and PYSA.

Cybercriminals selling access to Governments

We have previously discussed how Initial Access Brokers (IABs) provide access that can be highly valuable for ransomware actors. There have been numerous cases where weaknesses in RDP and VPNs have enabled ransomware. 

It’s no surprise, therefore, that we’ve seen IAB actors offering access to government bodies. Of the 22 instances we detected in 2021, 5 were for VPN and 3 for RDP.

Previous research by Photon, An Excess of Access, found government access for an average of $4,386.

Gain industry-specific intelligence with SearchLight

Data exposure on ransomware dump sites and initial access brokers have merged as some of the top dark web monitoring use cases. SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) users can subscribe to all of this intelligence while making it specific to their industry and geography.

Filtering by target location and target geography in the threat actor library


You can explore a large selection of our intelligence within Test Drive, which you can sign up for for free for seven days.