As the U.S. government seemed headed for a possible shutdown last week, cybersecurity firms began picking up on an alarming trend: a spike in cyberattacks targeting government agencies and the U.S. defense industry.
It has some analysts concerned that U.S. adversaries and criminal hackers might have been preparing to take advantage of weaker-than-usual cybersecurity if lawmakers had not been able to reach a deal to keep U.S. agencies open past September 30.
Check Point Software last week said it had detected an 18% increase in cyberattacks against U.S. agencies and U.S. defense companies during the previous 30 days, compared with weekly averages for the first half of the year.
The attacks, according to Check Point, focused on using malware programs designed to steal information and credentials, as well as on exploiting known vulnerabilities.
A second cybersecurity company, Trellix, told VOA that it too saw “a significant spike” in ransomware attacks on U.S. government agencies over the past 30 days.
Trellix attributed 45% of the malicious cyber activity to Royal ransomware, which previously had been used to target a variety of U.S. manufacturing, health care and education sectors.
Agencies would be affected
A surge in the use of Royal ransomware earlier this year prompted the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory this past March. And some cybersecurity analysts have linked Royal ransomware to Russian cybercriminals.
As for the recent spike in attacks, using Royal and other malware, analysts are concerned.
“I can’t state this is related to the impending shutdown,” Patrick Flynn, head of the Advanced Programs Group at Trellix, told VOA via email. “But one could speculate it probably has something to do with it.”
While refusing to comment directly on the pace of cyberattacks as it related to the potential shutdown, U.S. government agencies did express concern.
“[The] Cybersecurity and Infrastructure Security Agency’s (CISA) capacity to provide timely and actionable guidance to help partners defend their networks would be degraded,” the Department of Homeland Security said in a fact sheet before the shutdown was averted.
“CISA would also be forced to suspend both physical and cybersecurity assessments for government and industry partners, including election officials as well as target rich, cyber poor sectors like water, K-12, and health care, which are prime targets for ransomware,” it added.
DHS did say that had there been a shutdown, some of its employees who specialize in cybersecurity would have been required to work without pay.
While not commenting directly on the question of cybersecurity, the FBI told VOA in a statement that some of its personnel would also have been required to work in the case of a shutdown to support bureau activities that “involve protecting life and property.”
For now, some of those fears have been put aside after lawmakers agreed on a bill that will fund the U.S. government until November 17.
But if ongoing talks on legislation to fully fund the government for the coming year stall, it could again put U.S. government networks in the crosshairs.
Attacks seem part of trend
Not all cybersecurity analysts are convinced a government shutdown would make the U.S. more vulnerable to cyberattacks.
Trellix told VOA that while malicious cyber activity spiked in the month leading up to passage of the temporary funding bill, the attacks seemed to be part of a larger, months-long trend that has seen cyber actors increasingly target governments across the globe.
Other cybersecurity firms caution that other recent U.S. government shutdowns, including those in 2013 and in late 2018 to early 2019, have not led to a jump in attacks.
“Mandiant hasn’t historically seen any upward trends of cyberattacks tied to government shutdown,” said Ben Read, the head of cyber espionage analysis at Mandiant-Google Cloud.