Ransomware Identified as the Main Threat to Russia’s Public Sector
Experts from Positive Technologies have analyzed the threat landscape in the Russian public sector. Their study, covering the period from 2022 through the first half of 2024, was presented at the Eastern Economic Forum. According to analysts, ransomware remains the most common type of malware used in attacks. However, in the first six months of this year, the share of successful incidents involving ransomware decreased by 4% compared to the overall figure for 2023 and by 14% compared to 2022.
Targeting Government Organizations
Although government agencies typically refuse to pay ransoms for stolen data, they remain frequent targets. Hackers attack these organizations not only for financial gain but also to disrupt government operations and to steal or destroy confidential data. Experts attribute this targeting to the large number of employees who actively use email and other communication tools at work, creating numerous entry points into agency infrastructure.
Attack Methods and Consequences
The most common consequence of such attacks is disruption of core organizational activities (48% of incidents), followed by leaks of confidential information (41%). Analysts note a steady increase in data leaks: in 2023, leaks occurred in 41% of cases, rising to 48% in the first half of 2024.
The public sector has become the sector most targeted by APT (Advanced Persistent Threat) groups. In targeted attacks, remote access Trojans account for 65% of cases, while spyware is used in 35%.
Nearly half of all incidents (47%) involved attackers using social engineering and relying on human error to deceive victims. Additionally, malware was used in every second successful attack (56%).
Experts emphasize that the use of malware is steadily increasing: 48% of incidents in 2022, 57% in 2023, and 68% in the first half of 2024. This trend is driven by the simplicity and effectiveness of malware, as well as an active underground market where ready-made malware can be rented or purchased, and custom development can be ordered.
The report also notes that attackers buy or trade credentials for access to compromised devices on the dark web. In every sixth ad, access to the infrastructure of compromised government organizations is offered. The price for access can range from $20 to several thousand dollars for high-privilege accounts. In a third of cases, the price is not specified and is negotiated privately.
The Cost of Initial Access
According to experts, the importance of building effective cybersecurity in the public sector is dictated by the dangerous consequences of cyberattacks: an attack on one agency can affect not only that agency but also other structures, the entire state, and its citizens. For example, the theft of users’ personal data as a result of an attack on one government agency can lead to unauthorized access to both government resources of other organizations and commercial services.
In addition to Russia, the report highlights other regions with high levels of attacks on the public administration sector. The most attractive targets for attackers are countries in Asia (33%), Africa (12%), and North America (12%).
Furthermore, interstate economic competition is reflected in cyberspace and is a key driver of carefully planned targeted attacks on government structures. Nearly half of all successful cyberattacks (48%) during the study period were targeted, most often resulting in data leaks (62% of cases). Both highly skilled APT groups and hacktivists are behind these attacks. The main types of stolen data are personal information (33%) and trade secrets (30%).