Cyber Espionage Targeting Public Sector Rose 168% In 2018

International spies are hammering government networks harder than ever, according to the latest Verizon Data Breach Investigations Report released Wednesday.

The 2019 report shows a 168 percent increase year-over-year in the number of government network breaches linked directly to state-sponsored actors. The growth solidifies cyber espionage atop the list of threats to the public sector for the second year in a row.

“Cyber-espionage is rampant in the public sector, with state-affiliated actors accounting for 79 percent of all breaches involving external actors,” Verizon analysts wrote in the report. “Privilege misuse and error by insiders account for 30 percent of breaches.”

The public sector had 23,399 reported incidents in 2019, with 330 confirmed instances of data being disclosed through a breach.

While crimeware (4,758 incidents) and lost or stolen assets (2,820) outpaced other reported incidents, the misuse of privileged credentials topped the list with more than 13,000 incidents.

In contrast, only 40 confirmed breaches—in which external bad actors were able to access government data—resulted from privilege misuse. For breaches, the most common motive identified was cyber espionage, with 140 incidents recorded. The next highest pattern was “miscellaneous errors” at 58.

Of those reported breaches, the most common tactic in 2018 was direct hacking (205 instances), followed by social engineering (173) and malware (153). Those attempts most often targeted individual people (173), user dev, or end-user tools (165), and government servers (131).

Researchers also found public sector employees had the second highest click-rate on phishing emails—as recorded during internal phishing exercises—over other sectors with 4.48 percent, just behind the education sector at 4.93 percent.

“Given the sheer number of incidents in this sector, you would think that the government incident responders must either be cape-and-tights-wearing superheroes, or so stressed they’re barely hanging on by their fingernails. And … that may yet be the case,” Verizon analysts wrote, noting the U.S. public sector is one of the most transparent, as agencies are required to report incidents through US-Computer Emergency Readiness Team.

The data shows a recurring theme of phishing emails—which were present in 78 percent of public sector espionage incidents—leveraged into backdoor and command and control access. However, transparency stops there.

“Admittedly we do not have as much data as to what is happening beyond the deception and initial device compromise,” the report states. However, keylogging malware included in those phishing attempts led analysts to believe attackers were looking to compromise user credentials to gain further access to government networks.  

While breaches linked to cyber espionage rose last year, Verizon analysts note that some 47 percent of breaches were discovered years after the actual attack took place.

Overall, breaches of public sector networks were 2.5 times more likely to go undiscovered for years, according to the report. Analysts noted espionage-related incidents generally take longer to discover, however, Verizon did not have timeline data on those incidents, so the data was not skewed.

For the public sector, “privilege misuse is the most common pattern within breaches that went undiscovered for months or more,” the report states.