
October 14, 2021

Top 10 Cyber Attacks on Defence and Government Organizations in 2021

2021 is slowly coming to a close. By all accounts it has been a turbulent year in cyber security, especially for the network security of defence and government organizations, which have been under almost constant pressure.

Cyber attacks against government organizations most often consist of quiet network intrusions and the exfiltration of sensitive data, which is later used as leverage for extortion; in rarer cases the threat actors go further with the access they have acquired.

In such cases the consequences can be severe: from disrupting the normal functioning of an entire branch of the public sector to spreading dangerous misinformation to an audience of millions.

As October is Cyber Security Awareness Month, we have put together a list of some of the most prominent cyber attacks on defence and government organizations during the first ten months of the year, as a reminder of the level of threat they pose.

1. New Zealand’s Central Bank Breach

2021 promised no respite from the rise of cybercrime from its very beginning: in January, New Zealand's central bank reported a malicious breach of one of its data systems.

Although not strictly a government department, the Reserve Bank of New Zealand (RBNZ) has been in the ownership of the government of New Zealand since 1936.

Its purpose is threefold: (1) to formulate and implement monetary policy; (2) to promote the maintenance of an efficient financial system; (3) to meet the currency needs of the public. It is therefore easy to imagine the consequences this breach could have had for New Zealand's economy had it not been discovered in time.

The attackers of RBNZ remain unidentified; what is known is that they reached the bank's data through a third-party file-sharing product, Accellion FTA (File Transfer Appliance), by exploiting vulnerabilities in the product itself rather than by breaking into the bank's own network. The same Accellion flaws were being used against other customers of the product at the time, and the FTA was a legacy product approaching its end of life. Once the breach was detected, the application was secured and taken offline, but the damage was already done.

Because the intrusion went through the file-sharing application, the attackers had access to all data being transferred through it, including files containing sensitive information about both the bank's customers and its internal operations.

In a statement released in May this year, RBNZ estimated the cost of the breach at $3.5 million.

This included:

  • 17,500 hours of internal resources redirected to assist with the response
  • $1,800,000 spent on specialist external resources, such as cyber security services, an independent security review, legal help, and additional customer support.

2. Misinformation Hacker Campaign in Poland

One dreaded outcome of government network breaches is a targeted ransomware campaign that uses the stolen data as leverage; in other cases the breach is used to spread false information in the officials' own "voice". This is precisely what happened in March, when hackers compromised the websites of Poland's National Atomic Energy Agency and Health Ministry to publish false alerts about a completely nonexistent radioactive threat.

DFRLab's report on this disinformation operation details the steps of its deployment:

  • Creating a clone website of the Lithuanian State Nuclear Power Safety Inspectorate (VATESI) website
  • Repeating the false information on websites that were hacked into: the Polish National Atomic Energy Agency and the European Healthcare Funds webpages
  • Taking over a Twitter account of political analyst Marek Budzisz, Facebook pages of politician Andrzej Rochmiński and those of the Polish ruling party, Law and Justice (PiS), and several Facebook groups

The message apparently attracted little public attention, but that does not diminish the threat it carried: the public panic it could have caused, and everything that would have followed from it.


3. Hackers Exploit Microsoft Exchange Vulnerabilities and Infiltrate More Than 30,000 Networks in the U.S.

The same month, KrebsOnSecurity reported that more than 30,000 U.S. organizations, among them small businesses and local governments, had been hit by an unusually large hacking campaign targeting their email. The attackers exploited a chain of zero-day flaws in on-premises Microsoft Exchange Server, which all of these organizations ran, giving them full control over the compromised systems.

The news, understandably, alarmed the U.S. government's cyber security leadership, and White House press secretary Jen Psaki issued an official statement about the scale of the threat.

Microsoft attributed the initial, targeted exploitation of these flaws to Hafnium, a China-based state-sponsored group; once the vulnerabilities became public, other threat actors picked them up and used them indiscriminately, which is what produced the mass compromise.

The number of those affected is too large to count precisely. In many cases the only evidence of a breach was a web shell, a web-based backdoor that gives the attacker a persistent foothold, and according to one of KrebsOnSecurity's anonymous sources such web shells were found inside the networks of thousands of U.S. banks, credit unions, telecommunication providers, public utilities and police, fire and rescue services.

The result can best be summarized as an immediate loss of confidentiality and theft of sensitive information, opening the way to potentially very profitable ransomware campaigns.

In the following days Microsoft reported that a ransomware variant called DearCry was being deployed on vulnerable Exchange servers. Another by-product of this mass exploitation was a wave of cryptocurrency-mining botnet infections.
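For responders, the practical problem in this campaign was finding those web shells. The script below is an added example, not code from the page, from KrebsOnSecurity or from Microsoft: it walks the IIS and Exchange directories that Microsoft's guidance highlighted as common drop locations (an illustrative subset, not the full list) and flags ASP.NET script files whose content matches a few assumed heuristics for the JScript one-liner style of shell seen in 2021. The directory list, the regular expressions and the fixture files are all assumptions constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Directories that Microsoft's March 2021 guidance named as common drop
# locations for Exchange web shells, relative to the system drive.
# Illustrative subset, not an exhaustive list.
SUSPECT_DIRS = [
    ("inetpub", "wwwroot", "aspnet_client"),
    ("Program Files", "Microsoft", "Exchange Server", "V15",
     "FrontEnd", "HttpProxy", "owa", "auth"),
]
SCRIPT_SUFFIXES = {".aspx", ".asp", ".ashx", ".asmx"}

# Assumed heuristics for ASP.NET web shells: server-side script that feeds
# request-controlled input into an evaluator, a process spawn or a loader.
PATTERNS = {
    "eval_of_request": re.compile(r"eval\s*\(\s*Request\b", re.I),
    "request_to_process": re.compile(
        r"Request\s*[\[.(].{0,200}?(Process\.Start|ProcessStartInfo|cmd\.exe|powershell)",
        re.I | re.S),
    "assembly_load": re.compile(r"Assembly\.Load\s*\(", re.I),
}


def scan_file(path: Path) -> list[str]:
    """Return the names of the heuristics that match the file's content."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return []
    return [name for name, rx in PATTERNS.items() if rx.search(text)]


def hunt(system_root: Path) -> dict[str, list[str]]:
    """Scan script files under the suspect directories; map relative path -> hits."""
    findings: dict[str, list[str]] = {}
    for parts in SUSPECT_DIRS:
        base = system_root.joinpath(*parts)
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES:
                hits = scan_file(p)
                if hits:
                    findings[p.relative_to(system_root).as_posix()] = hits
    return findings


# Constructed fixture standing in for a mounted system drive: one legitimate
# OWA page and one shell modelled on the JScript one-liner seen in 2021.
BENIGN_ASPX = '<%@ Page Language="C#" %>\n<html><body>Please sign in.</body></html>\n'
SHELL_ASPX = ('<script language="JScript" runat="server">'
              'function Page_Load(){eval(Request["cmd"],"unsafe");}</script>')


def build_fixture() -> Path:
    root = Path(tempfile.mkdtemp(prefix="exch-"))
    auth = root.joinpath(*SUSPECT_DIRS[1])
    auth.mkdir(parents=True)
    (auth / "logon.aspx").write_text(BENIGN_ASPX)
    client = root.joinpath(*SUSPECT_DIRS[0])
    client.mkdir(parents=True)
    (client / "help.aspx").write_text(SHELL_ASPX)
    return root


if __name__ == "__main__":
    root = build_fixture()
    for rel, hits in hunt(root).items():
        print(f"SUSPECT {rel}: {', '.join(hits)}")
```

Point `hunt()` at a mounted image of the server's system drive rather than the live server, and treat a match as a triage lead, not a verdict: compare the file's creation time with the exploitation window and with the IIS request logs for that path, and expect attackers to rename or obfuscate shells so that pattern matching alone will miss some.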

4. Spear-Phishing Email Targets Russian Defence Contractor

While attacks on government organizations of the more administrative kind certainly carry serious consequences in terms of stolen correspondence and sensitive data, more focused attacks on defence organizations can, depending on the target, have far more immediate and devastating effects.

In late April, Cybereason reported that a major Russian defence contractor had been breached via a spear-phishing email. The media were quick to speculate whether the breach was connected to the recent projects of this submarine design bureau, in particular the nuclear-armed "Poseidon" underwater vehicle.

The threat intelligence team that analysed the attack determined that it used the "Royal Road" Rich Text Format (RTF) weaponizer, a malicious document builder shared among several Chinese-speaking threat groups, which delivered a previously unknown Windows backdoor, now named "PortDoor".

PortDoor has a wide range of features: privilege escalation, data encryption and exfiltration, execution of attacker-supplied payloads, and reporting of the results back to the command-and-control server.

Fortunately, the computer systems breached in this attack were far removed from any networks used to control or launch weapons, making this a classic case of cyberespionage with no immediate physical consequences.


5. Shut-down of Ireland’s Health Services Due to Ransomware Attack

One particularly impactful attack occurred in May, targeting Ireland's national health service, the Health Service Executive (HSE).

After the attack was discovered, the HSE shut down its entire IT system, and many services were disrupted as a result: outpatient visits were cancelled and cancer treatments postponed, endangering individuals and, in the context of the Covid-19 pandemic, public health.

Personal and medical information about private citizens was also accessed and stolen during the attack. While the incident was being investigated, hospital staff had to fall back on paper scheduling, and appointments in some parts of the system dropped by a full 80 percent.

Worse still, five months later HSE is still dealing with the ramifications. According to a BBC report from September, many X-ray appointments remain cancelled and staff still cannot access their email.

The attack on HSE is attributed to the ransomware-as-a-service (RaaS) operation behind Conti ransomware, the group tracked as Wizard Spider. The ransom note received by HSE executives spelled out the scale of the intrusion: the threat actors had encrypted file servers and SQL servers and downloaded over 700 GB of personally identifiable information (PII), including patient and staff addresses and phone numbers, payroll information and employment contracts.

Reports claimed that the hackers demanded a ransom of $19,999,000, yet this story at least had a somewhat happy ending: the attackers handed over the decryption key without HSE paying the extortionate sum, for reasons that were never made clear. A decryption key restores systems, however; it does nothing about the data that had already been exfiltrated.

6. Massive DDoS Attack Affects Belgium's Government and 200 Institutions and Organizations

A large-scale incident in May sent Belnet, the Belgian national research network and internet service provider for public institutions, into a tailspin, as a wave of internet disruption hit a wide swath of government, scientific and educational institutions in Belgium.

Belnet restored service after this massive DDoS attack, but not before the outage hit the country's parliament and several law-enforcement agencies. Some 200 organizations and institutions that use Belnet's services were affected, and a large number of important government meetings were cancelled because they could not be streamed, with the government's IT network almost completely down.

According to Belnet's technical director Dirk Haex, the incident was made worse by the perpetrators constantly changing tactics during the attack. Haex added, however, that there was no indication that the attackers had infiltrated any of the targeted networks; their aim was simply to saturate the network with a gigantic flow of traffic.

7. REvil Attacks U.S. Government Contractor Sol Oriens

Much like the Russian defence contractor described above, Sol Oriens, a U.S. government contractor, was targeted by the REvil ransomware group. The 50-person firm, based in Albuquerque, New Mexico, advises the U.S. federal government on security-related projects and works closely with the Department of Energy's National Nuclear Security Administration (NNSA).

The contractor did not disclose details of the attack, but it stated that unauthorised individuals had acquired certain documents from its systems. Sol Oriens said nothing about the nature of the stolen documents beyond stressing that there was no indication that "client classified or critical security-related information" had been leaked.

However, a few sample documents were leaked, showing parts of a presentation on recruiting, hiring and training a contractor workforce at Los Alamos National Laboratory. These documents, marked "Official Use Only", included financial details, wage reports and even social security numbers of five of the company's employees. REvil threatened to pass the data to whichever organization it saw fit, including military agencies.


8. Tallinn-Based Hacker Steals Almost 300 Thousand ID Photos from Estonian Government Database

Earlier this year, Estonian officials announced that a suspect had been apprehended over the theft of close to 300 thousand government ID photos. In the July 2021 attack, 286,438 ID photos were stolen from a database managed by the country's Information System Authority (RIA).

The perpetrator, described only as a male from Tallinn, had already obtained the personal ID codes and names of citizens, and was able to obtain the photos by requesting them one at a time from thousands of different IP addresses, so that no single source generated enough traffic to stand out.

The stolen data was in itself still not enough for the criminal to access e-state services, meaning that the usual authentication tokens, the ID card, Mobile-ID and Smart-ID, had not been compromised at any point.
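The detail that matters for defenders in this case is that the requests were spread over thousands of IP addresses, which defeats the per-source throttling most services rely on. The following added example (not from the page and not the Information System Authority's code) contrasts a conventional per-IP rate limit with a fleet-wide detector that counts distinct ID codes requested per time window, run over constructed log events; the endpoint, the log layout, the addresses and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
# One access-log event for an endpoint that returns the document photo
# belonging to a personal ID code: (timestamp, client IP, requested ID code).
# The endpoint and this field layout are assumptions for the example.
Event = tuple[datetime, str, str]


def make_events() -> list[Event]:
    """Constructed traffic: a few dozen self-lookups plus a scraper that spreads
    one request per ID code over thousands of distinct source addresses."""
    t0 = datetime(2021, 7, 1, 9, 0)
    events: list[Event] = []
    for n in range(40):                      # legitimate users, own photo only
        ip, code = f"198.51.100.{n}", f"3900000{n:04d}"
        events.append((t0 + timedelta(minutes=n % 30), ip, code))
        if n % 2 == 0:                       # some reload the page once
            events.append((t0 + timedelta(minutes=n % 30, seconds=30), ip, code))
    for n in range(3000):                    # scraper: 3000 IDs in 10 minutes
        ip = f"10.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}"
        events.append((t0 + timedelta(milliseconds=200 * n), ip, f"4800000{n:04d}"))
    return events


def per_ip_rate_limit(events: list[Event], limit: int,
                      window: timedelta = timedelta(minutes=1)) -> set[str]:
    """Classic per-source throttle: IPs that exceed `limit` requests in any window."""
    by_ip: dict[str, list[datetime]] = defaultdict(list)
    for ts, ip, _ in sorted(events):
        by_ip[ip].append(ts)
    blocked: set[str] = set()
    for ip, times in by_ip.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > limit:
                blocked.add(ip)
                break
    return blocked


def enumeration_alerts(events: list[Event], max_ids: int = 200,
                       window: timedelta = timedelta(minutes=5)) -> list[tuple[datetime, int, int]]:
    """Fleet-wide detector: one alert per window in which more than `max_ids`
    distinct ID codes were requested, with the number of distinct IPs involved."""
    buckets: dict[int, tuple[set[str], set[str]]] = defaultdict(lambda: (set(), set()))
    for ts, ip, code in events:
        ids, ips = buckets[(ts - EPOCH) // window]
        ids.add(code)
        ips.add(ip)
    return [(EPOCH + b * window, len(ids), len(ips))
            for b, (ids, ips) in sorted(buckets.items())
            if len(ids) > max_ids]


if __name__ == "__main__":
    evts = make_events()
    print("blocked by per-IP limit:", per_ip_rate_limit(evts, limit=10) or "none")
    for start, n_ids, n_ips in enumeration_alerts(evts):
        print(f"{start:%H:%M}: {n_ids} distinct ID codes from {n_ips} IPs")
```

On the constructed traffic the per-IP limit blocks nobody, because no address ever exceeds ten requests a minute, while the aggregate detector raises an alert for each five-minute window in which 1,510 different ID codes were requested from 1,510 different addresses. Detection is the fallback, though: the primary fix is object-level authorization, so that a photo is only returned to its authenticated owner or an authorized official and enumeration yields nothing even when it goes unnoticed.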

9. Slovak Government Spear-Phished by Group Linked to Russian Intelligence

A good example of a cyber attack carried out not as an isolated incident but as a series of intrusions is the string of spear-phishing attempts targeting the Slovak government. These attacks, which lasted from February to July, have been linked to the Russia-based group known variously as the Dukes, Nobelium and APT29, which several sources in turn connect to the Russian Foreign Intelligence Service (SVR).

ESET and IstroSec, the security firms that disclosed the attacks, explained how they were carried out. The attackers sent emails to Slovak diplomats posing as the Slovak National Security Authority (NBÚ). The emails carried an ISO image file; when the recipient mounted it and ran its contents, a Cobalt Strike backdoor was installed on the system. ISO containers were a popular delivery vehicle at the time because files extracted from a mounted image did not inherit the Mark of the Web, so the usual SmartScreen and Office warnings for internet-sourced files never appeared.

Volexity and Microsoft documented the same tactic in the group's other recent campaigns, which also targeted officials in 13 other European countries.

10. Norway Under Attack from Chinese Hackers

Norway has recently linked a whole series of malicious activities and cyber attacks against both state and private IT infrastructure to actors operating from China. Based on technical and other evidence collected by its intelligence agencies, the Norwegian government blamed these actors, funded by, sponsored by and operating from China, for the cyber attacks on state administration offices in 2018. The Norwegian Police Security Service (PST) has also concluded that the same group was responsible for a malware attack against the Visma business software group.

PST's investigation revealed that the attackers had obtained administrator rights giving them access to centralized computer systems used by all state administration offices in Norway. PST investigators did not, however, find evidence that the Chinese hackers had made off with personal information of Norwegian citizens or any state secrets.

Looking for a handy resource to protect your business from cyber security issues and attacks? We’ve got you covered.

Download ATS's exclusive Cyber Security Fundamentals: Weakness Checklist.
