Why Governments and Agencies Are Targeted by Cyber Attacks | A Deep Dive into the Motives

Cyberattacks documented throughout this year have shown an increasing interest in targeting global governments and agencies. Fraught with hit after hit, governing bodies were not spared by ransomware operators in 2022 even though, out of all other sectors, they are least likely to pay out ransom demands.

Threat actors are typically driven by financial gain, but with many states considering no-ransom bills and official directives from the FBI reminding governments to refrain from paying ransom demands, what could be the motives behind the rise in public sector-focused attacks?

This blog post explores why more cyber attacks are directed at the public sector and what defenses government agencies can implement to protect against them.

Why Governments and Agencies Are Targeted by Ransomware Attacks A Deep Dive into the Motives (9)

Attacks on the Rise | Government Is Amongst Top-Targeted Sectors

Government agencies are responsible for mass amounts of sensitive data ranging from personal information about citizens to classified information pertaining to national security. In our data-centric world, information remains a hot commodity in dark marketplaces and thus paints a target on its custodians.

While attacks on businesses, healthcare providers, and educational and financial institutions make news headlines regularly, governments and their agencies have risen to the top as one of the most targeted sectors. Research in Q3 said that the government was the second most attacked industry with an attack average sitting at 1564 cases each week. This marks a 20% increase compared to the same period last year.

Some of the top cyberattacks on governments have occurred throughout 2022.

  • January – In a cyberattack targeting the Ukrainian government, malicious software was deployed to damage dozens of computers in government-run agencies. The Informatic Directorate of the Greek Parliament identified an attempt to compromise 60 parliamentary email accounts. Threat actors breached the Canadian Foreign Ministry, disrupting the operation of some internet-connected services.
  • February – Cybercriminals breached the networks of the U.K. Foreign Office and an Iranian-linked group conducted cyber operations, including espionage against local and federal governments. A Pakistani-linked group deployed a remote access trojan (RAT) to spy on the Indian military and diplomatic persons of interest. As a precursor to the Russian invasion of Ukraine, the latter’s Defense Ministry suffered DDoS attacks and the websites of the Ukrainian Cabinet of Ministers and Ministries of Foreign Affairs, Infrastructure, and Education experienced major disruptions.
  • March – Governing entities of at least six U.S. states were hacked by a Chinese-backed group. In Canada, the country’s largest state-funded research agency declared it suffered a data breach. Greenland’s parliamentary authority reported an apparent espionage operation, which slowed social benefit payments. Actors linked to the Pakistani government targeted Indian government employees using fake websites to deliver malware.
  • April – Ukrainian government officials were targeted on their Telegram accounts through a phishing campaign. Websites belonging to the Finnish Ministries of Defense and Foreign Affairs were hit with a DDoS attack and the U.S. announced sanctions against a DPRK-based hacking group after it attacked their Treasury Department’s Office of Foreign Assets Control. Cyber researchers discovered a new Russian-linked campaign using phishing emails to deliver malware to diplomats and embassy officials from Portugal, Poland, France, and more.
  • May – A phishing campaign launched against the Jordan Ministry of Foreign Affairs was attributed to an Iranian cyber espionage actor. Russian-linked threat actors hit Italian websites with a DDoS attack, which included the sites for the Senate, Ministry of Defense, and the National Health Institute.
  • June – A DDoS attack hit Norwegian public institutions with the specific intent to disrupt government websites. Actors breached Chinese government networks to find and leak evidence of human rights abuse committed against the Uyghur population. Isreali officials, military personnel, and a former U.S. Ambassador to Israel were targeted by attackers through phishing emails. A Russian-based group claimed responsibility for attacking Lithuania’s government ministries and state-run airport, railway, and media companies.
  • July – Threat actors disrupted access to public services in Albania and took down websites belonging to the Albanian Prime Minister’s Office and the Parliament. A state-owned energy provider in Lithuania suffered a targeted DDoS attack.
  • August – Both government and private Estonian institutions reported a DDoS attack on their government websites. Russian-linked groups were formally suspected of being responsible for a breach of Montenegro’s government institutions. DDoS attacks temporarily took down the Taiwanese presidential website and attempted the same on the Taiwanese Foreign Ministry’s main portal. Threat actors targeted the Ukrainian government’s state energy agency responsible for the country’s nuclear power plants.
  • September – ‘Anonymous’ group claimed responsibility for a series of cyberattacks against the Iranian government. The Mexican Defense Ministry reported that six terabytes of internal communications, criminal data, and citizens’ personal health information was accessed in an attack. Main state websites and government information platforms in Montenegro were targeted as was the state-level parliamentary website of Bosnia and Herzegovina.
  • October – Government websites across Colorado, Kentucky, and Mississippi were taken offline by pro-Russian hackers. Another Russian-linked hacking group claimed responsibility for targeting Bulgarian sites belonging to its presidential administration, Defense Ministry, Interior Ministry, Justice Ministry, and Constitutional Court.

Data Is The Prize | Why Governments Are In the Crosshairs

This year, it was reported that only 32% of state and local governments paid out cybercriminals to restore their encrypted data; a marked decrease from 42% in 2020. Compared across all other sectors which averaged at 46% in 2022, this was the lowest reported rate. Though less government bodies are paying ransoms, the number of threat campaigns is still rising, indicating that threat actors have their eyes on goals other than monetary gain.

Government entities sit atop a wealth of data due to the many services provided by the state to businesses and citizens. Even one successful breach on a government could result in leaked state-level intelligence, classified assets, and personal identifiable information (PII) to cyber criminals. In dark marketplaces, the stolen data is often sold to create forged documents, steal identities, gain initial access to organizations, or take over privileged accounts.

The Threat of Hacktivism & Cyber Terrorism

State-sponsored threat actors are motivated by special causes other than financial gain. Other than selling stolen data, sometimes their goal is to disrupt essential services, destroy national assets, encourage protests, expose political-level wrongdoing, or simply erode trust and provoke embarrassment.

Considered ‘soft targets’ by threat actors, state and local governments often run on small, publicly-funded budgets that save little room for robust cybersecurity programs. Government agencies may not employ dedicated security professionals and rely mainly on general-service IT or small SOC teams. Legacy technology used by this level of government may not be advanced enough to contend with the large-scale ransomware threats they are up against.

If breached, government institutions could potentially become a gateway for cyber threat actors to access thousands of other enterprises, third-party vendors, and significant amounts of the civilian population. Successful attacks on governments can have profound effects and destabilize the people they govern.

Attacking government entities can be a valuable tactic for hostile state-sponsored threat actors in political cyber warfare. Undertaking an ‘influence operation’ through malicious cyber techniques allows actors to position false narratives in the public domain and amplify a story in line with their goals.

Digital Security Red Flags in Governmental Infrastructure

Many government IT systems are three for three when it comes to digital security red flags:

  • They are widely trusted by users and reach a large audience. Researchers this year noted that attackers were leveraging legitimate government domains to distribute malware to many at once since site visitors implicitly trust them.
  • Systems can be complex, housing large amounts of sensitive information and shared with multiple third parties and contractors. This complexity and access increase the external risk the governing body bears.
  • State and local governments are less funded than their federal counterparts. This often means they are forced to make do with outdated software incapable of standing up against modern, advanced cyber threats.

These red flags are typically the result of a weak IT and cybersecurity infrastructure – a common problem that plagues poorly-funded government agencies. Though the public sector is often the victim of opportunistic attacks, governments are also being targeted by sophisticated attackers who are abusing their weak infrastructures to deploy malware, lateral movement tools, ransomware, and phishing.

The Critical Need for Cybersecurity Professionals

The global shortage of cybersecurity expertise is compounding the issue of weak government IT systems. Based on a recent study released by The International Information System Security Certification Consortium, known as (ISC)², the current cybersecurity workforce gap amounts to 3.4 million open roles needing to be filled. The study described today’s threat landscape as being a volatile one; directly shaped by this year’s macroeconomic and geopolitical turbulence.

As state and local governments work around tighter budgets, this usually means there are scarce (if any) cybersecurity resources dedicated to supporting agencies. Lack of security expertise leaves the agencies susceptible in the long run. Without cybersecurity expertise embedded in leadership and collaborating with technical teams, poorly-funded governments face the risks of:

  • Falling behind in adopting emerging technologies,
  • Missing changes in regulatory requirements and/or critical trends in tactics, techniques, and procedures (TTPs), and
  • Mishandling security incidents and post-incident processes.

What’s Next for Government Security Strategies?

Governments offer many public services, which all feed into the complexity and size of their attack surface. For governing bodies to continue providing those services safely, CISOs need to consider leveraging a simple, streamlined, end-to-end security strategy that can cover all of the inherent risks they face in the current landscape.

Following the conflict between Ukraine and Russia, the CISA issued a Shields Up alert warning all “within and beyond the region” to be prepared and responsive to disruptive cyber incidents. The warning cites the “economic costs imposed on Russia by the U.S. and our allies and partners” as a potential reason for the Russian government to consider escalating its actions to nations outside of Ukraine. Shields Up recommends actions such as:

  • Improving immediate detection capabilities through logging, anti-malware software, and traffic isolation if working with third-party vendors.
  • Planning ahead for incident response, such as designating a crisis-response team, ensuring the availability of key personnel, and conducting tabletop exercises often to review roles and responsibilities.
  • Hardening cyber resilience by testing backup procedures, isolating backups from network connections, and testing manual controls should a network become unavailable.

Identity Security | The New Perimeter in Building Cyber Resiliency

President Biden’s national security memorandum from last summer underscored the need for building cyber-resilient infrastructure and systems. In response to this release, NIST and CISA  jointly released new Cybersecurity Performance Goals (CPGs) to help critical infrastructure sectors kickstart their security efforts. Described by CISA as a minimum set of best practices, the CPGs provide actionable goals on the topics of account, device, and data security.

At the root, account, device, and data security all start at the identity surface. As more high-value sectors move towards remote workforces and create digital identities to share information and collaborate, that surface widens, leaving them vulnerable to identity-based exploitation. By looking at identity as the new network perimeter, enterprises can scale down that attack surface by detecting threats in their earliest stages.

Before the data loss stage, enterprises that can identify over-privileged users, cached credentials, and other identity-related cyber hygiene issues can prevent the initial breach from happening at all. The importance of identity threat detection and response will only grow as threat actors leverage weak endpoints and social engineering tactics to find their way into networks.

Governments managing immense databases especially need to reduce the changes of cyber intrusion by implementing identity authentication security solutions (e.g., MFA), endpoint detection and response (EDR), remote access validation, privileged account audits, and stringent password policies.


Advanced cyber threats such as ransomware, phishing and whaling campaigns, and DDoS attacks have beleaguered governments globally in 2022, taking malicious advantage of their sluggish policies and departmental silos. Up against uniquely motivated threat hacktivists and data-hungry cybercriminals, governments have found themselves at the number two spot in most attacked sectors this year.

Reported attacks from this year alone clearly indicate that this critical sector needs to advance its cyber resiliency and implement cybersecurity best practices to reduce its attack surface. Solutions that provide complete visibility are most effective, given the breadth of data networks managed and processed by governments and agencies.

Solutions should leverage identity-based security tools capabilities leveraging artificial intelligence (AI) and machine learning (ML) to fight back against ransom operators and sophisticated social engineering schemes. Removing limited network visibility ensures governments can monitor endpoints and data more effectively while detecting and responding in real-time to security events before they can lead to catastrophe.

While no entity is immune from cyber attacks, governments can examine the top attacks reported in 2022 through an educational lens to secure better the data of those relying on their services. Learn how SentinelOne can help enterprises build cyber resilience through autonomous endpoint protection by contacting us today.