FBI flags ransomware attacks straining local government agencies, public services in US


The Federal Bureau of Investigation (FBI) warned government facilities sector (GFS) partners that hackers are conducting ransomware attacks on local government agencies, resulting in disrupted operational services, risks to public safety, and financial losses.

“Ransomware attacks against local government entities and the subsequent impacts are especially significant due to the public’s dependency on critical utilities, emergency services, educational facilities, and other services overseen by local governments, making them attractive targets for cyber criminals,” the FBI said in a private industry notification on Wednesday. Victim incident reporting to the FBI between January and December 2021 indicated local government entities within the GFS were the second highest victimized group behind academia, it added. 

Recent reporting indicates ransomware incidents against local governments resulted in disruptions to public and health services, emergency and safety operations, and the compromise of personal data. These types of attacks can have significant repercussions for local communities by straining financial and operational resources and putting residents at risk for further exploitation.

In January, a U.S. county took computer systems offline, closed public offices, and ran emergency response operations using ‘backup contingencies’ after a ransomware attack impacted local government operations, the FBI notification said. The attack also disabled county jail surveillance cameras, data collection capabilities, internet access, and deactivated automated doors, resulting in safety concerns and a facility lockdown. 

Hackers infected a U.S. county network with ransomware last September, resulting in the closure of the county courthouse and the theft of a substantial amount of county data, including personal information on residents, employees, and vendors. The hackers posted the data on the dark web when the county refused to pay the ransom.

In May 2021, cyber actors infected local U.S. county government systems with ‘PayOrGrief’ ransomware, making some servers inaccessible and limiting operations, the FBI said. The attack disabled online services, including scheduling of COVID-19 vaccination appointments, and the attackers claimed to have 2.5 gigabytes of data, including internal documents and personal information.

The FBI notification said that last January hackers infected local U.S. county government systems with ransomware that compromised jail and courthouse computers in addition to election, assessment, financial, zoning, law enforcement, jail management, dispatch, and other files. The attack impacted the sheriff department’s records management program, as well as computers in the offices of the county clerk, treasurer, supervisor of assessment, and public defender. The ransomware note stated files would be deleted after two weeks if the ransom was not paid.

Ransomware tactics have evolved and will continue to evolve, as noted in the joint cybersecurity advisory issued in February by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI, National Security Agency (NSA), Australian Cyber Security Centre (ACSC), and the U.K.’s National Cyber Security Centre (NCSC-UK).

The top three initial infection vectors in 2021 were phishing emails, remote desktop protocol exploitation, and software vulnerability exploitation. These were likely exacerbated by the continued remote work and learning environments which expanded the attack surface and challenged network defenders. 

Last year, hackers expanded their targeting tactics and widened the scope of victimization potential by implementing service-for-hire business models, sharing victim information among actor groups, diversifying extortion strategies, and attacking upstream/downstream accesses and data sources, such as cloud infrastructure, managed service providers, and software supply chains. 

In the next year, local US government agencies almost certainly will continue to experience ransomware attacks, particularly as malware deployment and targeting tactics evolve, further endangering public health and safety, and resulting in significant financial liabilities, the FBI said in its notification. “The FBI has an opportunity to disrupt some of this activity by leveraging partnerships with domestic and foreign governments, as well as the private sector, to more effectively identify actors, finances, and infrastructure,” it added.

Last month, cybersecurity firm Mandiant identified that the persistent effort of a prolific Chinese state-sponsored espionage group, APT41, allowed it to compromise at least six U.S. state government networks by exploiting vulnerable Internet-facing web applications. The group has targeted a zero-day vulnerability in the USAHerds application and the zero-day vulnerability in Log4j. Mandiant has, however, not named the state governments which were affected.

These cybersecurity incidents underscore that state governments are just as attractive, if not even juicier, targets for malicious hackers as the federal government or any other organization. The attacks have led to state governments stepping up their efforts to bolster their cybersecurity protections, launching task forces, hiring advisors, creating security centers, and boosting cybersecurity spending.

Among a host of remediation and mitigation recommendations, the FBI notification encourages local government agencies to proactively initiate contingency planning, to the degree possible, for operational continuity in the event of a ransomware attack that leaves systems inaccessible.
