Earlier this month, Mandiant announced that it had responded to an intrusion by a Chinese-backed hacking group, APT41, that targeted a U.S. state government’s computer network. The security company ultimately discovered a persistent effort that allowed the malicious hackers to successfully compromise at least six U.S. state government networks by exploiting vulnerable internet-facing web applications using a zero-day vulnerability.
Mandiant couldn’t determine the hackers’ motives but said the intrusions were consistent with an espionage operation. The company also predicted that further investigation would reveal even more states whose agencies were affected by the effort.
These incidents underscore that state governments are just as attractive, if not even juicier, targets for malicious hackers as the federal government or any other organization. It’s no surprise then that state governments are stepping up their efforts to bolster their cybersecurity protections, launching task forces, hiring advisors, creating security centers, and boosting cybersecurity spending.
Recent state cybersecurity actions
The following significant state-level cybersecurity developments over the past six weeks point to this trend:
- New Mexico named a senior advisor for cybersecurity and critical infrastructure: On March 18, New Mexico Governor Michelle Lujan Grisham announced the appointment of Annie Winterfield Manriquez, a senior leader at the MITRE Corporation, as her senior advisor for cybersecurity and critical infrastructure. The governor’s announcement cited the geopolitical situation in Ukraine, foreign actor threats against state governments, and warnings about potential Russian cyberattacks as factors that motivated Manriquez’s hiring.
- North Carolina Joint Cybersecurity Task Force established: On March 16, North Carolina Governor Roy Cooper signed an executive order that formally established the State of North Carolina Joint Cybersecurity Task Force (JCTF), first announced in 2018. It comprises state agencies including Information Technology, Emergency Management, National Guard Cybersecurity Task Force, and something called the Local Government Information Systems Association Cybersecurity Strike Team. The task force provides “incident coordination, resource support, and technical assistance to state and local government agencies and educational entities like schools and universities that have been the target of significant cybersecurity incidents.”
- The Maryland legislature introduced a package of legislation to bolster cybersecurity: Following the discovery of vulnerabilities in the state’s cybersecurity system, on March 1 the Maryland General Assembly introduced a package of six bills to improve the state’s cybersecurity posture. The bills would require the Maryland Department of Emergency Management to help local governments prepare for an attack, create the Local Cybersecurity Support Fund to help smaller governments upgrade their security systems, and establish a funding mechanism to modernize all of its legacy IT systems. The package would also centralize all state agency IT systems under the Department of Information Technology, require all state and certain local agencies to undergo annual security assessments, and create new offices to assist local governments in boosting their cybersecurity systems.
- Virginia House proposed a $150 million budget on cybersecurity: The Virginia House of Delegates submitted its version of the state’s budget in early March, allocating $150 million for cybersecurity initiatives for the next two years. However, much of that figure was already in the budget proposed by then-Governor Ralph Northam in December in response to an “extremely sophisticated malware” attack that temporarily crippled the state’s legislative agencies.
- New York created a Joint Security Operations Center: On February 22, New York Governor Kathy Hochul announced the creation of a Joint Security Operations Center (JSOC) in Brooklyn that will serve as the “nerve center” for joint local, state, and federal cyber efforts, including data collection, response efforts, and information sharing. A partnership launched with New York City Mayor Eric Adams, Albany Mayor Kathy Sheehan, Syracuse Mayor Ben Walsh, Buffalo Mayor Byron Brown, Rochester Mayor Malik Evans, Yonkers Mayor Mike Spano, and cyber leaders across the state, the JSOC was described as the first-of-its-kind cyber command center to provide a statewide view of the cyber-threat landscape and improve coordination on threat intelligence and incident response. The JSOC’s cybersecurity teams will draw from resources across several organizations, including federal, state, city, and county governments, critical businesses and utilities, and state entities, including the Division of Homeland Security and Emergency Services, Office of Information Technology Services, New York State Police, MTA, Port Authority of New York and New Jersey, and the New York Power Authority.
State and local governments’ wide range of services a target for cyberattacks
These efforts highlight how state governments are an enticing target for threat actors. “U.S. state government networks amass many different departments and critical infrastructures such as state elections, transportation, and financial information that may be of value for threat actors,” Rufus Brown, senior threat analyst, advanced practices at Mandiant, tells CSO.
Local jurisdictions also encompass a wide range of critical services that need protection from threat actors, Rob Main, the state of North Carolina’s chief risk officer, tells CSO. “Citizen services are provided at the lowest possible level in municipalities,” he says. “A cybersecurity incident affecting the confidentiality, integrity and availability of any systems or infrastructures that provide support to citizens have the deepest impact on North Carolina’s lives.”
North Carolina’s JCTF, launched primarily to coordinate and receive reports of significant cybersecurity threats from local governments, will step in if these jurisdictions need help, Main says. “If the county, city or town does not have the resources to respond to and recover from an incident, the joint cybersecurity task force mobilizes to put boots on the ground in the affected entity’s jurisdiction.”
States can likely expect more attacks from organized threat actors, according to Mandiant’s Brown. “Nation-state actors such as China and Russia continue to persistently target these state networks to gain access and achieve their goals through intelligence collection,” he says.
“The variety of data within state government networks can serve a wide array of intelligence operations for nation-states. Financially motivated actors that deploy disruptive malware such as ransomware can also add significant disruptions and risk to U.S. state government department operations when targeted,” Brown adds.
Whatever the case may be, North Carolina is prepared. “We are postured to respond to cybersecurity incidents regardless of threat actor or source,” Main says.