Why public institutions are the prime targets of cyber attacks

A large number of cyber attacks hit public institutions and authorities in 2019. The administration of the city of Frankfurt am Main, the Berlin Court of Appeal and the administration of Neustadt am Rübenberge are just three examples that show the catastrophic consequences that an infection with malware can have for public authorities. In all these cases, it was the banking trojan Emotet – currently the most dangerous malware in the world, according to the German Federal Ministry for Information Security (BSI) – that was able to paralyse these institutions and still does so in some cases.

Almost six months after the Emotet case, the Berlin Court of Appeal is still largely offline. Neustadt am Rübenberge was also hit hard, because when the attack hit the city hall in September 2019, hackers were able to encrypt a large part of the files. Administrative work came to a virtual standstill: construction projects, marriages and payments of parental benefits were no longer possible.

What makes public institutions so interesting for cyber criminals?

Your money or your life

The hackers mostly pursue one goal when spreading ransomware: the extortion of ransom money. Public institutions are particularly interesting here, as life in cities and communities depends on their functioning. In some areas this can even be taken literally; just think of the health sector.

Especially in times of the corona pandemic, it becomes clear how irreplaceable medical infrastructures are – at present, countless lives worldwide depend on how effectively the respective health systems work. A malware infection in an administration can bring cooperation, information exchange and organization to a standstill. Added to this are the consequences that an infection can have for hospitals – the Klinikum Fürth is just one example from last year.

Accordingly, the hackers assume that the victims are more willing to pay ransom in order to be able to use affected systems again as quickly as possible. And they are proceeding systematically: The perpetrators often first inspect the networks and adapt the ransom individually to the solvency and sensitivity of the data and systems found.

However, in many cases there are regulations at state and local level that strictly prohibit the payment of ransoms. One does not want to signal to the blackmailers that their scam could be successful – otherwise the number of blackmail attempts would only increase, according to Helmut Dedy of the German Association of Cities.

In the case of Neustadt am Rübenberge, however, it is still unclear whether a ransom was ultimately paid.

Sensitive data

But it is not always about money. If cybercriminals do not pursue financial goals, there is a whole spectrum of motivations: attracting attention (to put more pressure on subsequent attacks) or political goals (to disrupt infrastructures), for example.

According to statements by federal and state data protection officers, attacks in 2019 resulted in the loss of data on authorities, personnel, health data or other sensitive information. In principle, “it must be assumed that attacks lead to an outflow of data if hackers have been able to use the Emotet Trojan as a gateway,” the data protection officers say.

Even in the case of the Berlin Court of Appeal, the data itself appeared to be the hackers’ target. According to the forensic expert opinion, the attack was “clearly set up for data outflow”. Although it is unclear whether the court documents fell into the hands of the criminals, this cannot be ruled out.

The Berlin Court of Appeal handles a large amount of legally relevant data: the real names of key witnesses, information on ongoing proceedings and other information on which financial penalties or prison sentences may depend. And even these can be worth a lot of money if they fall into the right – or wrong – hands.

Why are public institutions victims of cyberattacks so frequently?

Rigid structures, outdated technology

Even thriving, medium-sized companies often have difficulty keeping their IT infrastructures up to date. Especially the area of cyber security is often neglected, as the importance of protection against cyber attacks is not recognized and investments in an effective protection concept against cyber crime are not approved.

This is all the more problematic because the malware used is being developed at an increasingly rapid pace, resulting in a constant stream of new threats. Fast and flexible responses are now a prerequisite for ensuring protection against cyber attacks. Public institutions are particularly at risk here, because in addition to the aforementioned problems of insufficient budgeting, there are bureaucratic obstacles that make it impossible to fend off cyber attacks. Outdated IT systems and inadequate security concepts then lead to weak points which can be exploited by cyber criminals and make the success of such serious attacks possible.

Example: Berlin Court of Appeal

The court did not have its computers serviced by ITDZ, the central service provider for information and communication technology for the Berlin administration, because the judicial authorities of the federal states work independently in the area of IT security as well, based on the federalist structures and the principle of separation of powers. The Court of Appeal insisted on the use of its own data center. This was a mistake, as the President of the Court of Appeal, Mr. Pickel, now admits.

Numerous attack vectors

By definition, public facilities serve the public interest and are made accessible to the respective population – and this to an increasing extent and in accordance with the law. For example, the Gesetz zur Verbesserung des Onlinezugangs zu Verwaltungsleistungen (Onlinezugangsgesetz/Online Access Act) obliges “the federal, state and local governments to offer their administrative services digitally via administrative portals by the end of 2022”.

Growing digitisation is leading to a large number of publicly accessible online services and at the same time to an increasing number of employees exchanging (sensitive) data. This provides cybercriminals with an enormous opportunity to attack: As the number of online services grows, so does the number of potential technical weaknesses and the danger of human error, especially if employees are not sufficiently sensitized to attacks.

How to fend off cyber attacks on public institutions

The BSI also emphasizes the importance of this employee sensitization, which is a sensible first step on the path to IT security. However, Emotet emails (and other emails contaminated with malware) now look very authentic, so that only a genuine email firewall really offers protection against cyber attacks.

It is high time for public institutions in particular to take action against cyber attacks. An email security gateway is a must here, as this is the only way to protect these facilities and the data of residents and employees from current threats.

NoSpamProxy already protects federal agencies

The vast majority of viruses use emails as a launching pad into the company. NoSpamProxy already protects numerous public institutions – among them two federal authorities – with a variety of security functions such as URL Safeguard, the Sandbox Service or the comprehensive reputation filter. Emotet infections and threats from other malware are thus reliably repelled. NoSpamProxy is developed exclusively in Germany and holds the “IT Security Made in Germany” seal of approval from the TeleTrust Association.