Cyber-attacks against government agencies and public sector services are up 40% in the second quarter of 2023 compared to the first.
BlackBerry Cybersecurity’s second Quarterly Threat Intelligence Report, covering cyber-attacks observed from March to May 2023, was published on August 2, 2023. The firm claimed it stopped 1.5 million attacks across 90 days, 55000 of which were targeting public sector organizations.
This reporting period was dominated by news of ransomware groups targeting and breaching city and state government systems in North America. These included the LockBit incident against the city of Oakland in California, BlackByte’s Royal Ransomware campaign that affected Dallas, Texas and Augusta, Georgia and Clop’s MOVEit supply chain attack.
Dmitry Bestuzhev, senior director of BlackBerry’s Threat Research and Intelligence team, told Infosecurity that because government agencies handle citizens’ private information, “government data is gold [and] getting their hands on this sensitive data is considered ‘absolute success’ for both nation-states and financially motivated threat actors. It can also be used in additional cyber-attacks, such as high-quality spear phishing attacks.”
“With limited resources and immature cyber defense programs, these organizations are struggling to defend against the double-pronged threat of both nation-states and cybercriminals, with hacks occurring with more frequency and severity. [They] are also embracing digital transformation and work-from-anywhere initiatives, and this is dramatically increasing the stakes of cybersecurity,” he added.
Threat Actors Using More Novel Tools
On average, threat actors deployed approximately 11.5 attacks per minute during the period observed in the report, including roughly 1.7 novel malware samples per minute. This represents a 13% increase from the previous reporting period’s average of 1.5 new samples per minute.
This “demonstrates that attackers are diversifying their tooling in an attempt to bypass defensive controls, especially those legacy solutions based on signatures and hashes,” reads the report.
While the public sector was the industry that saw the most innovative tools and exploits used against it, it ranked second in the total number of attacks. The healthcare sector recorded 109,922 attacks stopped by BlackBerry in the second quarter of 2023.
“Medical records, social security numbers, credit card details are valuable data points – essentially ‘catnip’ for online criminals -- and healthcare organizations are bursting at the seams with them,” Bestuzhev said.
He added that the increasing number of cyber-attacks against this sector is particularly concerning because every successful attack can have serious consequences, including the loss or sale of sensitive patient data to malicious entities and even direct physical harm to patients.
“Restoring access to data and systems can literally be a life-or-death situation,” he said.
According to a previous BlackBerry report, budget constraints, a lack of incident response planning, limited detection capabilities, alert fatigue, and a cybersecurity talent gap are among the top cybersecurity obstacles reported in the healthcare sector.
Mobile Banking, the Financial Sector’s Achille’s Heel
The financial industry was third in relation to total number of attacks, with 17000 incidents blocked by BlackBerry over the same period.
The most prominent attacks targeting both the healthcare and financial sectors used commodity malware like Emotet, IcedID, SmokeLoader and RedLine, or botnets such as Amadey.
Financial services institutions also face persistent threats through smartphone-centric commodity malware, ransomware attacks, and the rise of mobile banking malware targeting the growing trend of digital banking services.
These findings align with another report on ransomware attacks published the same day by Barracuda Networks.
Read more: Education Sector Has Highest Share of Ransomware Victims
Not Your Average APTs: Indian Threat Group Targeted Pakistan and Turkey
While Russia-backed Fancy Bear (APT28) and the North Korea-backed Lazarus Group (APT38) were the most active threat actors targeting BlackBerry’s customers across the second quarter of 2023, the BlackBerry Threat Research and Intelligence team observed some lesser-known nation-state actors.
In early May, BlackBerry published findings which uncovered campaigns by the advanced persistent threat (APT) group SideWinder, believed to originate in India.
One campaign focused on Pakistani government targets and was delivered by a complex execution chain that relied on phishing emails and weaponized documents that exploited the CVE-2017-019960 vulnerability to perform remote template injection. Another one seemed to target Turkey.
“This campaign’s timing overlapped with geopolitical events in the region, notably Turkey’s public support of Pakistan in its dispute with India over Kashmir,” reads the report.
In May, BlackBerry also discovered a new threat group called Rhysida that intended to attack Chile’s army using ransomware. “The details of the attack have not been fully disclosed, but an army corporal has been arrested for alleged involvement in the ransomware attack,” BlackBerry notes in the report.