Cybersecurity for Government 2024: Threat Insights and Mitigation Strategies

    Blog Post

Adlumin’s Cybersecurity 2024: Threat Insights and Mitigation Strategies series highlights the evolving threats various sectors face and provides recommendations to enhance their security posture. This quarter, we examine government entities that face unique challenges in safeguarding sensitive data and maintaining stable and trustworthy operations.

Mitigating cybersecurity risks within the government sector is critical due to the highly sensitive nature of classified and personal information they handle and the essential role these agencies play in national security and public service. Government entities are prime targets for nation-state actors and cybercriminals seeking to exploit vulnerabilities for espionage, financial gain, or to disrupt essential public services.

Throughout 2023, the Center for Internet Security (CIS) found that cyberattacks on government entities increased 148% in frequency. This demonstrates the growing sophistication and persistence of threat actors targeting this sector. In response to these threats, Adlumin’s Threat Research Team took a close look at the top threats targeting government entities.

This industry spotlight highlights significant trends and developments in the threats and cyberattacks faced by the government sector and mitigation strategies in the U.S. observed by Adlumin’s Threat Research Team from March to May 2024.

Industry Spotlight: Government

Top Threat: Lockbit

Although a joint law enforcement operation partially took down Lockbit’s infrastructure in February 2024, it remains a top threat to many industries, including healthcare and local government. Operating as a Ransomware-as-a-Service (RaaS) provider, Lockbit is used by a wide range of attackers, all with different tools and techniques for carrying out attacks.

Notorious Attack in 2024: Fulton County, Georgia Attack

In January 2024, operators using the Lockbit ransomware struck computer networks in Fulton County, Georgia. The county released a statement that services were being taken offline to prevent the virus from spreading to other systems.1

Lockbit quickly claimed responsibility for the attack, stating that they had stolen classified documents as well as citizens’ personal data and would “aim to give maximum publicity to this information.”2

Lockbit operators also claimed to have data pertaining to Fulton County’s pending criminal case against former U.S. President Donald Trump.3 Fulton County took multiple systems offline to prevent the ransomware from spreading, and while many of them were back online the following day, some services remained inaccessible for multiple weeks following the initial incident as an investigation was completed.[34]

Lockbit also said they would release the data if a ransom was not paid. Although Fulton County reported that they did not pay,4 the data has not been released publicly as threatened by the ransomware operators.5 While the ransom deadline was still pending, Lockbit’s infrastructure was partially taken down by a joint operation between the FBI and Britain’s National Crime Agency called “Operation Cronos.” This operation may have removed some or all of the data that Lockbit exfiltrated from Fulton County, so they could not release it as threatened.6

Notorious Attack in 2024: City of Wichita, Kansas

In May 2024, Lockbit operators also struck the City of Wichita in Kansas, encrypting systems and exfiltrating data regarding law enforcement operations — some containing personally identifiable information (PII) such as social security and driver’s license numbers, and credit card payment information.

To keep the attack from spreading, the city took multiple services offline, which disrupted the library network and some bill payment processing and prevented public transport users from making electronic payments.

The city stated that essential services were still running throughout the attack and investigation, although logging was being done on paper rather than on computers.7

Some services that were shut off during the attack were offline for two weeks. Again, Lockbit quickly claimed responsibility for this attack, stating that the data would be publicly released if a ransom was not paid. The ransom waiting period has passed, and the data has not been released as threatened, with Lockbit claiming that the data was instead sold to someone else.8

Threat Actor: Kimsuky

Kimsuky is a threat actor group connected to North Korea’s intelligence program. Within the past quarter, they have been involved in multiple attacks against government organizations and think tanks in the U.S. to gather intelligence on U.S. plans for involvement in Asia.

The group has also been linked to GuptiMiner, a backdoor malware that acts as a Monero cryptocurrency miner, channeling funds back to the attackers.9

Kimsuky deployed the ToddlerShark malware, a backdoor program, after exploiting the ConnectWise ScreenConnect flaw that was first reported in mid-February.

ToddlerShark is polymorphic malware that is challenging to detect. Its primary function is to act as an infostealer, collecting and sending various data from the infected computer back to the attacker. This data includes:

  • Computer settings
  • Known network routes
  • Startup programs
  • Installed programs
  • Installed antivirus software
  • Recently opened files

The malware communicates with a web server, checking for new commands every minute. If a command is available, it executes it.10
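A fixed polling interval like the one described above is a detectable pattern on the network side. The following script is an added example, not code from the original post or from Adlumin; it scans constructed proxy log lines (the host `c2-placeholder.invalid`, the client addresses and the timestamps are all made up for the example) and flags client/host pairs whose request intervals are nearly constant, which is the signature of a beaconing implant.

```python
"""Flag fixed-interval polling (beaconing) in web proxy logs.

Added example. Log format and all values below are constructed for illustration:
"<ISO timestamp> <client_ip> <destination_host> <path>", one request per line.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample: 10.0.0.5 polls the placeholder host about once a minute,
# while 10.0.0.7 browses a news site at irregular times.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 c2-placeholder.invalid /cmd
2024-05-01T09:00:12 10.0.0.7 news.example /
2024-05-01T09:01:00 10.0.0.5 c2-placeholder.invalid /cmd
2024-05-01T09:01:45 10.0.0.7 news.example /sports
2024-05-01T09:02:01 10.0.0.5 c2-placeholder.invalid /cmd
2024-05-01T09:03:00 10.0.0.5 c2-placeholder.invalid /cmd
2024-05-01T09:03:30 10.0.0.7 news.example /weather
2024-05-01T09:04:00 10.0.0.5 c2-placeholder.invalid /cmd
2024-05-01T09:05:00 10.0.0.5 c2-placeholder.invalid /cmd
2024-05-01T09:09:00 10.0.0.7 news.example /
"""


def parse_log(text):
    """Yield (timestamp, client, host) tuples; the request path is ignored."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _path = line.split(maxsplit=3)
        yield datetime.fromisoformat(ts), client, host


def find_beacons(text, min_hits=5, max_jitter=0.1):
    """Return (client, host, median_interval_seconds) for every client/host
    pair with at least `min_hits` requests whose inter-arrival times vary by
    no more than `max_jitter` (standard deviation relative to the median).
    Ordinary browsing has irregular gaps and does not pass this test."""
    by_pair = defaultdict(list)
    for ts, client, host in parse_log(text):
        by_pair[(client, host)].append(ts)

    findings = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med <= 0:
            continue  # duplicate timestamps, not a usable interval
        if pstdev(gaps) / med <= max_jitter:
            findings.append((client, host, med))
    return findings


if __name__ == "__main__":
    for client, host, interval in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {client} -> {host} every ~{interval:.0f}s")
```

On the sample data only the 10.0.0.5 pair is reported, with a median interval of 60 seconds; the news-site traffic has too few hits and too much spread. In production the thresholds need tuning, since legitimate software (update checks, monitoring agents) also polls on fixed schedules, so the output is a review queue rather than a verdict.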

In May 2024, the NSA released a statement warning about this group’s TTPs.

Kimsuky has been reported to send phishing emails to government organizations and think tanks. The goal is to understand thought leaders’ positions regarding East Asia. This effort aims “to collect intelligence on geopolitical events, adversary foreign policy strategies, and any information affecting DPRK interests by gaining illicit access to targets’ private documents, research, and communications.”11

Mitigation Strategies and Adlumin Recommendations

Insights

Ransomware payments are at an all-time low after years of declining payments. While ransomware is and continues to be a major threat, many organizations are now better prepared for these attacks, and paying a ransom is now of less concern.12

Twice now, Lockbit, a major ransomware group, has struck large organizations and failed to follow through on threats to leak data. With paying ransoms being (possibly) a criminal offense in the United States, there is further incentive not to pay.13

Mitigation Strategies

The primary way to prevent attacks is to ensure your organization’s systems are properly patched. In recent months, major VPN vendors and other service providers have reported exploitable flaws in their software that attackers have quickly exploited.

Additionally, attackers are exploiting older, known vulnerabilities in unpatched software.

Another important measure is to maintain better account hygiene. This involves disabling and removing inactive accounts and auditing user privileges.
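The account-hygiene review described above can be made a repeatable check rather than an occasional manual pass. The script below is an added example, not Adlumin’s code or tooling; it works on a constructed account export (the usernames, dates and group names are invented) and produces three lists: enabled accounts that have been idle past a threshold and should be disabled, disabled accounts old enough to remove, and every member of a privileged group together with how long it has been idle.

```python
"""Account hygiene review over a user export.

Added example. The CSV columns and every row below are constructed for
illustration; a real run would read an export from the directory in use.
"""
import csv
from datetime import date
from io import StringIO

# Constructed export: username, enabled flag, last logon (blank = never), groups.
USER_EXPORT = """\
username,enabled,last_logon,groups
alice,true,2024-05-20,Domain Users
bob,true,2024-01-15,Domain Users;Domain Admins
contractor1,true,2023-11-02,Domain Users
svc_backup,true,,Domain Users;Backup Operators
dave,false,2023-09-01,Domain Users
erin,true,2024-05-25,Domain Users;Domain Admins
"""

# Assumed set of groups that count as privileged for this review.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}


def load_users(text):
    """Parse the export into dicts with typed fields."""
    users = []
    for row in csv.DictReader(StringIO(text)):
        users.append({
            "username": row["username"],
            "enabled": row["enabled"].strip().lower() == "true",
            "last_logon": date.fromisoformat(row["last_logon"]) if row["last_logon"] else None,
            "groups": {g.strip() for g in row["groups"].split(";") if g.strip()},
        })
    return users


def idle_days(user, today):
    """Days since last logon, or None if the account has never logged on."""
    if user["last_logon"] is None:
        return None
    return (today - user["last_logon"]).days


def review_accounts(users, today, disable_after=90, remove_after=180):
    """Build the review report.

    disable:    enabled accounts idle longer than `disable_after` days, or never used
    remove:     disabled accounts idle longer than `remove_after` days
    privileged: (username, privileged groups, idle days) for every privileged member
    """
    report = {"disable": [], "remove": [], "privileged": []}
    for u in users:
        idle = idle_days(u, today)
        if u["enabled"] and (idle is None or idle > disable_after):
            report["disable"].append(u["username"])
        if not u["enabled"] and idle is not None and idle > remove_after:
            report["remove"].append(u["username"])
        priv = sorted(u["groups"] & PRIVILEGED_GROUPS)
        if priv:
            report["privileged"].append((u["username"], priv, idle))
    return report


if __name__ == "__main__":
    today = date(2024, 6, 1)  # fixed reference date so the sample output is stable
    rep = review_accounts(load_users(USER_EXPORT), today)
    print("disable:", rep["disable"])
    print("remove:", rep["remove"])
    for name, groups, idle in rep["privileged"]:
        print(f"privileged: {name} {groups} idle={'never used' if idle is None else idle}")
```

Run against the sample with a reference date of 2024-06-01, the report lists `bob`, `contractor1` and `svc_backup` for disabling, `dave` for removal, and three privileged accounts, one of which (`svc_backup`) holds Backup Operators membership without ever having logged on. Service accounts that never log on interactively need a documented owner rather than automatic disabling, which is why the script emits candidates for review instead of changing anything.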

Explore the Platform

Adlumin ensures swift setup, unrivaled visibility spanning endpoints, users, and the perimeter, and provides contextual insights for rapid, informed decision-making.