Evasive malware: A growing threat to state and local governments

Headlines trumpet the remarkable international pushback on Russia’s election  meddling and sponsorship of cybercrime and fraud. Water-cooler talk of spies, bots and assassinations has everyone acting like an armchair FBI agent. The vulnerability of our nation's institutions is front and center, and it is disturbing, to say the least.

And it’s not just the White House, the National Security Agency and the Senate Intelligence Committee that should be alarmed. State and local governments face a growing cybercrime threat. Hackers target municipalities and state agencies in part because they are often easier to breach than better-defended enterprise networks. More importantly, state and local government networks often host and process highly valuable data about individuals, critical infrastructure and sizable financial transactions.  Highly motivated attackers have a good chance of pulling off a successful heist of data or funds, disrupting operations, exposing public figures or conducting espionage.

Protecting municipalities against cyberattacks is a major challenge. Overall, municipal technology tends to be characterized by legacy infrastructure, diverse requirements and a complex network topology. State and local government IT professionals are often charged with overseeing loosely associated, disparate networks, each servicing different needs and constituents. These heterogeneous environments are notoriously difficult to manage and secure, creating gaps that attackers readily find and exploit.

These issues are compounded by tight budgets, difficulty recruiting security experts and drawn-out bureaucratic procedures for technology upgrades and purchases. IT and security personnel are typically overburdened and pulled in multiple directions, leading to a reactive security stance that simply isn’t sufficient in the face of constant, sophisticated intrusion attempts.

The problem is even more acute in smart cities, where municipalities use interconnected information and communication technologies to increase operational efficiency, share information with the public and improve both the quality of government services and citizen welfare.

Several recent attacks illustrate the potential damage that can result when local agencies are compromised. For example, the Emotet Trojan attack on municipal systems in Allentown, Pa., disrupted the operations of finance and police departments. Local media reports have estimated the cost of remediation at $1 million, which doesn’t include loss of productivity or other associated costs.

The Colorado Department of Transportation was hit by a SamSam ransomware attack that forced the shutdown of more than 2,000 endpoints, taking the department back to pen and paper during the investigation and recovery process. Fortunately, the ransomware did not hit critical systems, and CDOT had data back-ups. It isn’t hard to imagine how it could have been much worse without good luck and smart preparation.

In the same time period, WannaCry attacks on Connecticut state agencies and malware damage to city systems in Savannah, Ga., were reported. In even more recent news, Atlanta is investigating and recovering from a ransomware attack that stymied some public-facing services, including court systems.

Failure to defend against cyberattacks can result in more than monetary losses and networked systems damage. When critical systems at hospitals, police and fire departments are attacked, public safety and individual welfare are at risk -- not to mention the exposure of highly sensitive data. 

Government agencies that are already strapped for financial and IT staff resources can ill afford the time- and labor-intensive recovery process that often follows infection by Trojans that evolve and evade detection like Emotet, making getting rid of them no simple matter.

Evasive malware is increasingly available to both sophisticated and run-of-the-mill cybercriminals. Capable of transforming itself, it can persist and burrow deeper into networks and endpoints over long periods of time.  Antivirus and similar baseline anti-malware solutions are weak at detecting evasive malware; these threats are built specifically to avoid being identified by AV.

Agencies must take proactive steps to protect systems from these insidious, stealthy attacks -- because they are harder to detect and difficult to remove.

Deploying a vaccine and other anti-evasive malware solutions can prevent these infections from taking hold in the first place. Applying the vaccine in an already-infected environment can even keep Emotet from spreading further and accelerate incident response time.

Anti-evasion solutions work by preventing malware from getting around baseline security measures. For example, they can fool the malware into thinking it is in a hostile environment (e.g., through the use of simulated sandbox artifacts), causing it to shut itself down before it deploys. Anti-evasion approaches are also designed to be effective against malware hidden in malicious documents, fileless methods that inject malicious code into memory and attacks that use legitimate tools, like PowerShell, to install malware.

State and local agencies should conduct careful assessment to identify tools that are a good match for their existing technology set-up (including legacy systems) as well as their staff skill level and resources for deploying and maintaining anti-evasion solutions.

These days, IT managers reading security-related news stories may feel like they're digging into a John le Carré novel. It's an interesting read, but that doesn’t mean they want a starring role in one of these modern-day tales of subterfuge and piracy. In the game of cyber cat and mouse, government organizations of all sizes need their own bag of tricks. The ability to outwit attackers gives agencies a powerful way to shut down attacks before they can cause damage.

Send those hackers packing -- don’t be the kind of easy target they love to infiltrate.