New report unveils cyber threats to law enforcement
Political ideology or financial motives were behind nearly every observed cyberattack on law enforcement
By Scott Kaine
The police are in both the public and criminal eye, which makes them a target for cyberattacks. Police data, including information about officers, is at risk of exposure during cyberattacks. Similarly, disruptions to law enforcement networks as a result of cyberattacks, including ransomware, can prevent officers from conducting their duties in an efficient, reliable manner.
Motorola Solutions’ threat intelligence team, a dedicated team of employees who proactively monitor for and report on cyber threats to public safety, conducted research and analysis throughout 2021 and into 2022 on how cyberattacks impact law enforcement, resulting in the report “Public Safety: Cyber Threats to Law Enforcement.” During this time, the team found that of all cyberattacks reported against law enforcement, nearly half (49%) affected U.S. agencies. This number is slightly higher when compared to cyberattacks against public safety as a whole, where results show U.S-based victims made up 40% of the total. Other nations in which attacks against law enforcement were reported included India, Thailand, Ukraine, Canada, the United Kingdom, Argentina and Switzerland.
Threat actors: Motivations and tradecraft
Political ideology or financial motives (i.e., extortion) were behind nearly every observed cyberattack on law enforcement during this observation period. Meanwhile, the team observed little espionage or other nation-state-driven activity. This is likely due to the nature of nation-state-affiliated campaigns, which are often carried out by advanced persistent threat (APT) groups, which – in contrast to hacktivists and ransomware gangs – operate with a higher degree of tradecraft and seldom announce their operations.
Here’s a summary of other observations from the report:
The team found cybercriminals were behind more than two-thirds of recorded attacks on police and that 67% of those were financially motivated. Criminal forums regularly offer stolen police data and network access for sale. It also identified likely cases of financially motivated actors offering stolen data for free, as a way to increase their standing on associated criminal forums. This behavior can also be considered financially driven, as it ultimately serves to increase the success of the actor’s future deals on criminal forums.
As an example of financially-motivated activity, in December 2021, the extortion gang CLOP published confidential data stolen from an undisclosed United Kingdom police force on the gang’s data-leak blog. CLOP allegedly accessed the police department’s information after compromising a third-party organization responsible for managing IT services for the Police National Computer (PNC).
In another ransomware case, an undisclosed extortion gang targeted an eastern U.S. municipality – infecting multiple servers, including those used by a police agency on the East Coast of the United States. This disrupted multiple, unnamed law enforcement applications used by the department, and caused agency officials to preemptively disable 60 town servers. There was no impact on 9-1-1 or emergency services due to this latter attack, but officers were likely forced to conduct multiple operations by hand that had previously been managed by the affected applications.
Law enforcement is a frequent target for ideologically-minded threat actors. The team found that hacktivism drove at least 16% of attacks on police since the beginning of 2021, with adversaries exposing sensitive data and officers’ personally identifiable information.
For example, from May 3-4, 2021, the team found that a Colombian police department reported that its unencrypted radio communications were being broadcast across the internet, which was likely possible due to the relative lack of privacy of unencrypted, non-trunked radio channels. This malicious broadcasting began on the same day (March 3) that the Colombian Trade Union Federation reported instances of violence, arbitrary detentions and other transgressions. While the malicious broadcasting wasn’t directly tied to the reporting, it occurred the same day the public became aware of the purported abuses. The malicious broadcasting also occurred during widespread Colombian protests about taxes, highlighting how public unrest is often a flashpoint for hacktivist activity and tension between citizens and law enforcement.
Negative publicity and public protests related to police activity often precede hacktivist attacks. According to the team, these attacks are most likely to take the form of data theft, followed by data exposure on social media or dedicated data-leak websites. Hacktivists tend to be of low sophistication and target weak or compromised credentials and internet-exposed databases.
The team found that attackers leveraged a variety of tactics, techniques and procedures (TTPs) when targeting law enforcement agencies. These sometimes differed between groups.
Extortion gangs most consistently targeted external remote services for their initial access operations. They often exploited public-facing applications, such as virtual private networks. However, in instances where they did not attack external remote services, they relied on phishing campaigns, compromised credentials and various brute force techniques to access law enforcement networks.
Meanwhile, hacktivists also used several of these techniques. Structured query language (SQL) injection exploits against internet-accessible databases allow attackers to become administrators of the database server and then spoof identities, tamper with existing data, publicly share data, destroy it, or otherwise make it unavailable. The team has assessed that most hacktivists who target police are less likely to conduct complicated vulnerability exploitations and instead would likely use compromised credentials or other potentially unsophisticated techniques.
Reducing your agency’s cyber risk
Stopping cyber adversaries in the early phases is the best way to defend against the widest range of tactics used in observed attacks against police. Key steps to reduce an agency’s cyber risk include:
- Harden network perimeters. Defenders should disable unused services, enforce multi-factor authentication and apply patching regularly, especially prioritizing internet-facing services.
- Identify and slow attacks that have already passed the initial access phase. Defenders should ensure offline data backups are regularly updated, enforce multi-factor authentication for internal resources, restrict where credentials are stored and constantly monitor network security, ideally via a team that has time to review and address alerts.
- Share information and Intelligence analysis with other law enforcement agencies. Join an information-sharing and intelligence organization (ISAO) that actively collaborates to identify and share details about cybersecurity threats. The Public Safety Threat Alliance is a Cybersecurity and Infrastructure Security Agency-approved ISAO from which police agencies can gain access to anonymized data to better understand cyber threats to the law enforcement community and potentially thwart attacks before they reach your agency’s doorstep.
Cyberattacks against police agencies are not going away. In fact, the threat will likely continue to grow. Agencies must be proactive in protecting their systems, software and networks; otherwise, their ability to protect and serve may be at risk.
About the author
Scott Kaine is corporate vice president of cybersecurity for Motorola Solutions and spearheads the Public Safety Threat Alliance.