Earlier this month, Mandiant announced that it had responded to an intrusion by a Chinese-backed hacking group, APT41, which targeted a US state government computer network. The security firm eventually uncovered a persistent effort that allowed malicious hackers to successfully compromise at least six US government networks by exploiting vulnerable web applications accessible from the Internet, using a zero-day vulnerability.
Mandiant could not determine the hackers’ motivations, but said the intrusions were consistent with a spy operation. The company also predicted that further investigation would reveal even more states whose agencies were affected by the effort.
These incidents underscore that state governments are just as attractive to malicious hackers as the federal government or any other organization, if not juicier targets. It’s no surprise, then, that state governments are stepping up efforts to bolster their cybersecurity protections, launching workgroups, hiring advisors, creating security centers and increasing cybersecurity spending.
Recent State Actions on Cybersecurity
The following significant state-level cybersecurity developments over the past six weeks indicate this trend:
- New Mexico named senior adviser for cybersecurity and critical infrastructure: On March 18, New Mexico Governor Michelle Lujan Grisham announced the appointment of Annie Winterfield Manriquez, Senior Executive at MITRE Corporation, as Senior Advisor for Cybersecurity and Critical Infrastructure. The governor’s announcement cited the geopolitical situation in Ukraine, threats from foreign actors against state governments and warnings about possible Russian cyberattacks as factors that prompted Manriquez’s hiring.
- North Carolina Joint Cybersecurity Task Force Created: On March 16, the Governor of North Carolina, Roy Cooper, signed an executive order that formally created the North Carolina State Joint Cybersecurity Task Force, first announced in 2018. It comprises state agencies including information technology, emergency management, the National Guard Cybersecurity Task Force, and something called the Local Government Information Systems Association Cybersecurity Strike Team. The task force provides “incident coordination, resource support, and technical assistance to state and local government agencies and educational entities like schools and universities that have been the target of significant cybersecurity incidents.”
- The Maryland Legislature has introduced a set of laws to strengthen cybersecurity: Following the discovery of vulnerabilities in the state’s cybersecurity system, on March 1, the Maryland General Assembly introduced a six-bill package to improve the state’s cybersecurity posture. The bills would require the Maryland Department of Emergency Management to help local governments prepare for an attack, create the Local Cybersecurity Support Fund to help small governments upgrade their security systems and establish a funding mechanism to modernize all of its legacy computer systems. The package would also centralize all IT systems among state agencies under the Department of Information Technology, require all state agencies and some local agencies to undergo annual security assessments, and create new offices to help local governments strengthen their cybersecurity systems.
- Virginia House has proposed a $150 million budget for cybersecurity: The Virginia House of Delegates submitted its version of the state budget in early March, allocating $150 million to cybersecurity initiatives for the next two years. However, much of that figure was already in then-Governor Ralph Northam’s proposed budget in December in response to an “extremely sophisticated malware” attack that temporarily crippled state legislative agencies.
- New York created a Joint Security Operations Center: On February 22, New York Governor Kathy Hochul announced the establishment of a Joint Security Operations Center (JSOC) in Brooklyn that will serve as a “nerve center” for joint local, state, and federal cyber efforts, including data collection, response efforts, and sharing information. A partnership launched with New York City Mayor Eric Adams, Albany Mayor Kathy Sheehan, Syracuse Mayor Ben Walsh, Buffalo Mayor Byron Brown, Rochester Mayor Malik Evans, Yonkers Mayor Mike Spano and cyber leaders across the state, the JSOC was described as a first-of-its-kind cyber command center to provide a statewide view of the cyber threat landscape and improve coordination of threat intelligence and incident response. JSOC’s cybersecurity teams will draw on the resources of multiple organizations, including federal, state, municipal, and county governments, critical businesses and utilities, and state entities, including the Division of Homeland Security and Emergency Services, Office of Information Technology Services, New York State Police, MTA, Port Authority of New York and New Jersey, and New York Power Authority.
Wide range of state and local government services are targets of cyberattacks
These efforts highlight how state governments are an attractive target for threat actors. “US state government networks bring together many different departments and critical infrastructure such as state elections, transportation, and financial information that can be useful to threat actors,” Rufus Brown, senior threat analyst, advanced practices at Mandiant, tells CSO.
Local jurisdictions also encompass a wide range of critical services that need to be protected from threat actors, North Carolina state chief risk officer Rob Main told CSO. “Citizen services are provided at the lowest possible level in municipalities,” he says. “A cybersecurity incident affecting the confidentiality, integrity, and availability of any system or infrastructure that provides support to citizens has the most profound impact on the life of North Carolina.”
North Carolina’s JSOC, launched primarily to coordinate and receive reports of significant cybersecurity threats from local governments, will step in if those jurisdictions need assistance, Main said. “If the county, city, or town does not have the resources to respond and recover from an incident, the Joint Cybersecurity Task Force steps up to put boots on the ground in the entity’s jurisdiction concerned.”
According to Mandiant’s Brown, states can likely expect more attacks from organized threat actors. “Nation-state actors such as China and Russia continue to constantly target these state networks for access and to achieve their goals through intelligence gathering,” he says.
“The variety of data within state government networks can serve a wide range of intelligence operations for nation states. Financially motivated actors who deploy disruptive malware such as ransomware can also add significant disruption and risk to the operations of US state government departments when targeted,” adds Brown.
Either way, North Carolina is ready. “We are able to respond to cybersecurity incidents regardless of the threat actor or source,” Main says.
Copyright © 2022 IDG Communications, Inc.