
Top 5 Cyberattacks Against Governments on the Deep and Dark Web


The rise in the number of cyberattacks over the past few years has seen more and more governments becoming prime targets for cybercriminals worldwide. This is largely because cybercriminals seek to exploit governments’ large repositories of sensitive information for financial gain.

In addition, with the rise of cyber warfare, as seen in the Russia-Ukraine cyber war, politically motivated entities or rival countries may launch attacks against governments to engage in espionage and gain a strategic advantage, and sometimes even threaten to put citizens’ lives at risk by targeting the country’s infrastructure.

Much of the activity and planning that precedes these attacks takes place on the dark web, because the anonymity and accessibility of these hidden parts of the web create an ideal environment for cybercriminals. What we found in these layers of the web includes discussions among threat actors about attack techniques specific to governments, and the trade of sensitive information related to government bodies.

What are the leading cyberattacks against governments?

In this section, we will discuss some of the most common types of cyberattacks that governments are facing today:

#1 Ransomware attacks

Ransomware attacks continue to be a frequent threat to all organizations in general, and to governments in particular. According to Emsisoft, in 2022, there was an increase of 22% in ransomware attacks targeting state or local governments and government agencies in the US, in comparison to the year before.

We used our Cyber API to find out which ransomware group led in targeting governmental bodies or agencies in 2022 and 2023 (based on the victim listings on the groups’ sites). The group that came out on top is Lockbit. Recently, this famous group published 78 GB of stolen data on their Tor site, which they claim to have obtained in a ransomware attack against Italy’s government tax agency, L’Agenzia delle Entrate, in 2022.

A screenshot taken from Lockbit’s Tor website, where stolen data belonging to an Italian governmental agency is leaked

#2 DDoS attacks

This type of attack is particularly popular and widespread among APT groups with a political or social agenda who aim to disrupt and even take down websites maintained by governments. Threats of such attacks can be identified, and even managed in real time (in the case of a call to join an orchestrated DDoS attack), on encrypted chat platforms, with Telegram being the most prominent among them.

The next image shows a message written by the cybercriminal group Anonymous Sudan on their Telegram channel, where they announce they succeeded in shutting down the official website of the Israeli government by using a DDoS attack: 

A Telegram message written by Anonymous Sudan about a DDoS attack they launched

The following image shows another message they sent, which provides a clear indication that they plan to launch massive DDoS attacks against Israel, which they later carried out.

A Telegram message written by Anonymous Sudan about a massive DDoS attack they plan against Israeli entities

#3 Phishing and social engineering

Phishing and social engineering attacks are a serious threat to governments as they allow cybercriminals to easily trick employees into divulging sensitive information or downloading malicious software. This in turn can result in massive data loss or financial loss. The relative simplicity of these attacks compared to other methods makes them a popular choice for cybercriminals targeting government employees in an effort to breach valuable information.

The next image shows a post published on an underground forum by a threat actor who found an exploit allowing him to send emails from a popular gov domain, which he proposed to use for phishing purposes.

A threat actor on Dread looking for a way to abuse an exploit he found

#4 Supply chain attacks

Supply chain attacks against governments involve targeting third-party vendors and suppliers of governmental bodies and agencies to gain access to sensitive government networks or data. These attacks are often harder to detect and can result in compromising national security or critical infrastructure. 

The following thread, published on the Russian hacking forum XSS, discusses a zero-day vulnerability found in FortiOS SSL-VPN, a solution that allows employees to remotely access their organization’s network. In this case, the vulnerability was exploited to conduct targeted attacks against governments and other government-related organizations.

A thread dealing with a zero-day vulnerability found in FortiOS SSL-VPN that was exploited in order to conduct cyber attacks against governments

#5 Insider threats

Insider threats refer to government employees or contractors with lawful access to internal tools, information, or systems within the organization who abuse this access in order to leak or steal sensitive information. 

One of the most prominent recent examples involves an Air National Guardsman who allegedly leaked two sets of classified foreign intelligence documents of the Pentagon by posting them to Discord. Some of the documents were shared on 4chan, Twitter, and Telegram, as can be seen in the following screenshot, taken from the pro-Russian Telegram channel “Donbass Devushka”:

Classified maps from the Pentagon’s leak that were shared in a Pro-Russian Telegram channel

Such an attack can have a severe impact on national security, as it can compromise highly sensitive information and damage public trust in the ability of the government to protect such information.

The top dark web sources for early cyber threat indicators against governments

In the past, we examined various indicators detected on the deep and dark web that could point to a cyber threat to governments. An indicator here is any post that indicates a certain level of threat. These indicators are often distinguished by their source or network location. This year, we’d like to evaluate the volume of such indicators over the past year, by using our Cyber API and classifying the indicators we found according to their respective sources.

The chart below shows that deep and dark web forums, which include underground forums and imageboards, account for the majority of indicators: 65% of the total, or over a million potential cyber threats to governments:

The top dark web sources for early cyber threat indicators against governments

In second place, we find chat platforms, which are considered breeding grounds for radical groups or cybercriminals planning attacks against governments. In third place, we have marketplaces that are used to trade sensitive information exploitable against governments. Lastly, we have paste sites and ransomware sites, which mainly expose the victims of the attacks launched against governmental bodies.

How can deep and dark web monitoring help governments stay safe?

Governments today face various cybersecurity threats on a daily basis. A single attack against a governmental system can lead to serious damage, including data loss, mega leaks, monetary loss, and dramatic effects on the operation of governmental systems and activities. Tracking mentions of governmental entities, such as domains and IPs, in the hidden corners of the web can provide key indicators of emerging cyberattacks. By monitoring the deep and dark web, governments can identify potential threats and take proactive measures to prevent and mitigate cyberattacks.

Hagar Margolin

Senior Cyber Analyst
