Cyber thieves target local, county governments as launch pad for bigger attacks

Lindsay M. McCoy
Special to The Detroit News

When Webster Township in Washtenaw County was attacked by ransomware, officials had to create a new website, new emails and new anti-virus and ransomware software to resolve the problem.

It was one of 77 ransomware attacks in the United States last year that were confirmed by the cybersecurity company Emsisoft.

To lessen such attacks, the federal government has included a new $1 billion cybersecurity grant program in the bipartisan infrastructure law passed last year. It allocates the bulk of the funding that states receive for their local governments, with 25% of the money earmarked for rural governments.

There were 77 ransomware attacks on local governments in the United States in 2021. In 2019, a ransomware attack affected about two dozen Texas communities.

Sgt. Matt McLalin, who investigates cyberattacks in the State Police’s cyber command center, said local and county governments make up a lot of the center’s victims.

“Every single week we are getting multiple reports of local governments who have been affected,” McLalin said. 

Brett Callow, a threat analyst from Emsisoft, said the discrepancy in data stems from some attacks not being reported to his New Zealand-based company or being labeled as “cyberattacks” rather than ransomware.

“Tracking incidents is far more challenging than it should be,” Callow said. 

The most common types of attacks on rural governments are ransomware attacks and phishing emails, said Michigan Tech University professor Yu Cai, a cybersecurity expert.

“The ransomware is getting explosive in the past 10 years, so we see a lot of cyberattacks based off ransomware,” he said. 

When ransomware infiltrates a computer system, those impacted can’t access their information systems until they pay ransom to the hackers, usually in the form of bitcoin, according to Cai.

Rural governments often become targets of such attacks because of their lack of expertise or resources to defend themselves, he said.

“Small towns, rural areas, they can’t even afford an IT person, let alone a security person, so they are an easy target,” Cai said.

A less obvious reason rural and other small governments are often targeted is that they can be used as gateways to larger attacks, he said.

“A lot of small towns think, ‘Well, we don’t have a lot of valuable information in our computer system, so we don’t care.’ No, that’s wrong,” Cai said. “They want to use your machine, your systems, as a steppingstone to launch a further attack.”

He said attacks from foreign countries are easy to detect, while those from other sources are not.

“If it’s an attack from a small town in Michigan, that will be a lot harder,” Cai said. 

McLalin echoed Cai’s concern about using smaller governments as avenues for larger attacks through phishing emails.

“It just spreads like wildfire,” McLalin said. “Unfortunately, down that road will lead to ransomware.”

Cai said he hopes rural officials use the new federal money to boost their IT infrastructures and software, as well as to hire staff.

“Maybe hire a cybersecurity person, or to ask for third-party consultants, or some help from experts to help them test their systems to see how they can improve them,” Cai said. 

Andy Brush, a program manager at the state Department of Technology, Management and Budget, also recommended having good backups and doing regular assessments of an organization’s current cybersecurity posture.

“You might be buying the wrong stuff. You might start implementing things and not know where you stand,” he said. “You would not be spending money effectively.”

Funds from the grant could help governments with a budget to ensure they’re spending money on necessary protections, according to Brush. 

He said another challenge facing small governments is a lack of the ability and resources to apply for a grant themselves.

“We know that there’s 2,500 or so local public entities, so there are a lot of people we aren’t talking to,” he said.

Brush said the department plans to reach out to smaller local entities that might need additional resources to complete grant applications.

While the state hasn’t received the federal funding yet, Brush said, “You can go to our Cyber Partners website and join there and let us know you’re interested.” 

“As these things roll out, we want to make sure we are doing as much outreach as possible so that we are hearing concerns from local entities,” he said.

Lindsay M. McCoy writes for the Capital News Service.