Self Assessment

CYFIRMA INDUSTRY REPORT : GOVERNMENT & CIVIC

Published On : 2024-12-30
Share :
CYFIRMA INDUSTRY REPORT : GOVERNMENT & CIVIC

EXECUTIVE SUMMARY

This CYFIRMA government & civic organization’s report offers original cybersecurity insights and statistics, presented in an engaging infographic format. It covers key trends and statistics from November 2023 to November 2024.

INTRODUCTION

Welcome to the CYFIRMA infographic report, where we delve into the external threat landscape of government organizations over the past 365 days. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns and ransomware incidents targeting government, civic and non-profit organizations around the world.
 
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.

METHODOLOGY

CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.

For the purpose of these reports, we leverage the following data from our platform. These are data processed by AI and ML automation, based on both human research input and automated ingestions.

OBSERVED ATTACK CAMPAIGNS

  • Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors, both nation-state and financially motivated.
  • Each attack campaign may target multiple organizations across various countries.
  • Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.
  • Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.

RANSOMWARE

  • The victim data presented in this report is directly sourced from the blogs of respective ransomware groups. However, it’s worth noting that certain blogs may provide limited victim information, such as only names or domains, while others may be entirely obfuscated. These limitations can impact the accuracy of victimology during bulk data processing.
  • In some cases, multiple companies share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations where we are not able to identify which branch in which country was compromised. In such a case, we count the country of the company’s HQ.
  • During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.
  • Data related to counts of victims per ransomware group and respective dates is 100% accurate at the time of ingestion, as per its publishing on the respective group’s blog sites.
  • Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.

While this report contains statistics and graphs generated primarily by automation, it undergoes thorough review and enhancement for additional context by CYFIRMA CTI analysts to ensure the highest quality and provide valuable insights.

GOVERNMENT & CIVIC ORGANIZATIONS IN 2024

ADVANCED PERSISTENT THREATS

Over the past 12 months, government organizations recorded victims across 29 of the 34 Advanced Persistent Threat (APT) campaigns observed – an incidence rate of 35%.

We track only a single segment in the government category for APT campaigns as per below:

OBSERVED CAMPAIGNS PER MONTH

APT CAMPAIGNS – GOVERNMENT

SUSPECTED THREAT ACTORS

The government sector faces a diverse range of threats from both nation-state and financially motivated actors. FIN11 and FIN7 lead in targeting, reflecting financially driven motives, such as ransomware and data extortion.

Nation-state groups like Lazarus Group, MISSION2025, and Mustang Panda (China) focus on espionage and the theft of sensitive information. Russian actors, including Gamaredon, Fancy Bear, and Sandworm, prioritize geopolitical objectives and intelligence gathering. Emerging actors, such as Unknown Thai-speaking TA and Unknown Vietnamese TA, highlight the sector’s appeal to a broader range of adversaries.

GEOGRAPHICAL DISTRIBUTION

Government organizations are globally targeted, with a strong emphasis on advanced economies like Japan, the United States, and the United Kingdom, reflecting their prominence in geopolitical and global affairs. Asia-Pacific countries, including India, Taiwan, and South Korea, also feature prominently, highlighting the region’s growing strategic importance.

Emerging markets like Indonesia, the Philippines, and Malaysia further underscore attackers’ interest in developing nations. Smaller nations such as Oman, Nepal, and Brunei illustrate the sector’s appeal to a wide range of adversaries, targeting both established and less fortified government systems globally.

TOP ATTACKED TECHNOLOGY

The Government & Civic Organizations sector’s most targeted technologies emphasize the attackers’ focus on foundational and internet-facing systems. Web applications dominate, reflecting their critical role in service delivery and their vulnerability to exploitation.

Operating systems also see significant targeting, highlighting their importance in maintaining governmental infrastructure. Additionally, technologies like infrastructure-as-a-service solutions, VPN solutions, and routers are targeted, underscoring the sector’s reliance on secure and resilient IT systems to protect sensitive operations and data.

TOP MALWARE

The Government & Civic Organizations sector is targeted with a diverse range of malware, reflecting both tailored and scalable approaches. Unique/Custom TTPs and Commodity Malware dominate, highlighting the balance between sophisticated, targeted attacks and accessible, off-the-shelf tools.

Winnti and tools like NukeSped RAT, PlugX, and Cobalt Strike underscore a focus on espionage and long-term infiltration. Financially motivated malware, such as ransomware and Emotet, emphasizes data theft and extortion, while niche tools like Mirai and Redline demonstrate opportunistic campaigns.

RANSOMWARE VICTIMOLOGY GOVERNMENT & CIVIC

In the past 12 months, CYFIRMA has identified 293 verified government & civic sector ransomware victims. This accounts for 5.61% of the overall total of 5,219 ransomware victims during the same period.

GLOBAL DISTRIBUTION BY INDUSTRY

The government and civic organizations recorded the highest year-to-year growth of recorded victims, with 229.21%, more than triple from the previous year. It ranked at the 10th place for both years combined. However, it moved up from the last 13th in 2023 to the 7th place as the sixth most frequent victim of ransomware in 2024.

VICTIMS PER SECTOR DURING 2024

Ransomware attacks in 2024 highlight vulnerabilities across diverse government, civic, and non-profit sectors.

Local Government faces the highest incidents (44), followed by Non-Profit Miscellaneous Organizations (42) and Government Administration (27).

Non-Profit Education and Research (22) and Public Health Services (10) also stand out, reflecting threats to critical services and sensitive data.

Notably, Social Services (11) and Environmental Management (9) indicate expanding targets beyond traditional sectors.

While some sectors like Gaming and Recreation report minimal cases, the overall trend underscores widespread susceptibility, with community-serving entities like Housing Development and Judiciary Services also affected.

QUARTERLY CHANGES DURING 2024

Government & civic organizations experienced sustained activity with moderate and alternate growth from quarter to quarter, second and fourth quarters show mild spikes.

INDUSTRY MONTHLY ACTIVITY CHART

Monthly activity follows the scaled-down global trendline with mostly minor divergences. February, March, and August recorded mild dips. The global spike in May was moderately amplified for government & civic organizations. Despite a small spike in September, this sector diverged from the strong global upswing in October and November, suggesting a calmer start to 2025 relative to other industries.

BREAKDOWN OF ACTIVITY PER GANG

In total 54 out of 97 gangs recorded victims in government & civic organizations industry, with a 56% participation.

LockBit3 and RansomHub led ransomware activity, each targeting 35 victims. RansomHub saw a late-year surge, peaking in November (8 victims), and consistent operations from July onward.

Play targeted 20 victims, with steady activity across the year and peaks in December, April, and October. Incransom and Medusa followed with 16 victims each. Incransom peaked in June and showed sporadic activity, while Medusa had its strongest months in May and October.

Blacksuit, Hunters, and Meow each accounted for 12 victims. Meow peaked in October with four victims, while Hunters and Blacksuit maintained steady but lower levels of activity throughout the year. Qilin (11 victims) was active sporadically, with peaks in February and August.

Less active groups like Akira (9 victims) and Bianlian, Dragonforce, and Handala (8 victims each) showed scattered activity, with Handala focusing on late-year operations. Emerging actors such as Killsec (7 victims) and Rhysida (6 victims) demonstrated limited campaigns, with peaks in October.

Siegedsec had a focused campaign in December, targeting six victims. Large gangs like 8Base (5 victims), Alphv (4 victims), and Blackbasta (4 victims) reported isolated victims. Stormous (4 victims) and groups like Cactus and Cicada3301 (3 victims each) reflected sporadic operations.

Overall, LockBit3 and RansomHub dominated with year-round campaigns, while Play and other mid-tier actors maintained steady operations. Smaller and emerging groups contributed sporadic but impactful campaigns, emphasizing a diverse ransomware ecosystem.

INDUSTRY RANSOMWARE VICTIMS PER GANG

Looking at the top 35 gangs, LockBit3 and RansomHub lead in activity within this sector, with 35 victims each (5.84% and 7.37%, respectively), indicating significant activity but distributed targeting. Play (20 victims, 5.43%) also shows moderate activity. Other notable actors include Incransom (16 victims, 10.13%) and Medusa (16 victims, 7.73%), both showing stronger focus.

Several gangs demonstrate a notable focus on government and civic organizations:

  • Handala (8 victims, 21.05%) and Siegedsec (6 victims, 33.33%) reflect concentrated targeting efforts.
  • Meow (12 victims, 8.96%), Blacksuit (12 victims, 8.22%), and Dragonforce (8 victims, 7.55%) also indicate meaningful focus.
  • Stormous (4 victims, 8.89%) and Cicada3301 (3 victims, 7.69%) highlight focused efforts despite lower victim counts.

Some gangs exhibit disproportionately high percentages due to low victim counts:

  • Pryx (2 victims, 66.67%) and Siegedsec (6 victims, 33.33%) show extremely high percentages driven by small absolute numbers.
  • Knight (2 victims, 16.67%) and Mydata (2 victims, 15.38%) also display elevated percentages that are skewed by minimal activity.
  • Madliberator (2 victims, 14.29%) and Snatch (2 victims, 11.11%) reflect similar trends of high focus but limited overall impact.

GEOGRAPHIC DISTRIBUTION OF VICTIMS

The USA accounts for 53.2% of ransomware victims in the Government & Civic Organizations industry in 2024. The next most affected countries are the UK with 17 victims, Canada with 13, Israel with 13, and Brazil with 10.

A total of 48 countries reported victims, with 24 of them having only one victim each.

GOVERNMENT & CIVIC ORGANIZATIONS EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Moderate

APT Campaigns
Government organizations experienced a 35% incidence rate across APT campaigns, driven by nation-state and financially motivated actors. Groups like Lazarus and MISSION2025 focus on espionage and intelligence gathering, while financially driven actors like FIN11 and FIN7 pursue ransomware and extortion. Emerging groups like Handala and Siegedsec reflect diverse motivations, including political and social agendas.

Actors: FIN11, FIN7, Lazarus, MISSION2025, Mustang Panda, Gamaredon, Fancy Bear, emerging groups like Handala and Siegedsec.

Geographic Focus: U.S., Japan, U.K.; Asia-Pacific nations (India, Taiwan, South Korea); emerging markets (Indonesia, Philippines, Malaysia).

Targets: Web applications, operating systems, IaaS solutions, VPNs, and routers.

Malware: Winnti, NukeSped RAT, PlugX, Cobalt Strike; ransomware, and tools like Mirai and Emotet.

Ransomware
The government & civic sector recorded 293 ransomware victims (5.61% of the global total), reflecting the highest year-over-year growth (+69.62%) among industries. Activity was consistent with peaks in Q2 and Q4, though the sector diverged from the global trend with a calmer October and November, suggesting a slower start to 2025.

Victim Trends: Peaks in May and November; minor dips in February, March, and August.

Key Actors: The most active were LockBit3 (35 victims, steady activity) and RansomHub (35 victims, peak in November).

Other notable gangs were Play (20 victims, peaks in December, April, October); Incransom, and Medusa (16 each).

Geography: The U.S. accounted for 53% of all victims; activity was recorded in 47 countries.

Ranking: Government & civic organizations ranked as the 7th most frequent victim of ransomware.