(U//FOUO) Cyber targeting of the ESS will likely increase as ESS systems and networks become more interconnected and the ESS becomes more dependent on information technology for the conduct of daily operations—creating a wider array of attack vectors for cyber targeting.
(U//FOUO) We judge criminal hackers are the most prominent cyber actors targeting the ESS, as criminal hackers are prone to announcing attacks to increase visibility and support for their cause. This is further evidenced by the numerous attacks against state and local networks, particularly law enforcement, in response to perceived social and legal injustices.
(U//FOUO) Cybercriminal targeting of the ESS for financial gain using tactics and techniques such as telephony-denial-of-service (TDoS) and ransomware to extort funds from victims likely will persist, as cybercriminals continue to see ESS entities as lucrative targets for extortion, as well as popular targets for nuisance-level attacks.
(U//FOUO) There is no reporting to indicate state-sponsored actors are actively targeting ESS networks.
(U) Cyber Threats Against the Emergency Services Sector
(U//FOUO) Cyber targeting of the ESS will likely increase as ESS systems and networks become more interconnected and the ESS becomes more dependent on information technology for the conduct of daily operations—creating a wider array of attack vectors for cyber targeting. Independent researchers have already reported on the widespread availability of vulnerabilities and attack vectors for critical hardware and software used extensively in this sector. Such vulnerable systems include call-center communications-management software, closed-circuit TV camera systems, interactive voice response systems, and emergency alert systems—particularly wireless emergency alert systems. Current and historic cyber threats against the sector primarily have been limited to low-level exploitation and attacks—such as data theft, denial-of-service (DoS) attacks, website defacements, and spear phishing—on individual targets from multiple adversaries, including criminal hackers, cybercriminals, and state-sponsored actors. While most malicious activity affecting the ESS serves as a nuisance, according to MS-ISAC, such activity has the potential to disrupt or endanger first responder activities by severing access to critical information systems, slowing system resources, and degrading the integrity of data.
(U) Appendix A: Recommended Spear-Phishing and Malware Mitigation and Protection Measures
(U) Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
(U) Maintain up-to-date antivirus software, and keep operating systems and software up-to-date with the latest patches.
(U) Be cautious about all e-mails received, including those purported to be from “trusted entities,” and be careful when opening links within those messages.
(U) Do not input personal information or login credentials in pop-up windows or links within an e-mail, and do not open attachments or click on links in unsolicited e-mails—access the links by navigating to the organization’s website directly.
(U) Look for uniform resource locators that do not match a legitimate site, but appear to be associated with the site through small spelling variations or different domain names (.com vice .net).
(U) Be wary of downloading files from unknown senders. Malicious code can be embedded in commonly e-mailed files, such as .doc, .pdf, .exe, and .zip. Be particularly cautious of double file extensions (evil.pdf.exe).
(U) Only download software from trusted sites, and enable the feature to scan e-mail attachments before downloading and saving them to a system or network.
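
Added example (not part of the original bulletin): a Python sketch of how a mail gateway or triage script could automate two of the checks above, flagging double file extensions and URLs whose host imitates a known-good domain through a different top-level domain or a small spelling variation. The extension lists, the function names, and the domain `county-ess.example` are constructed assumptions; it compares the full host name only and does not handle subdomain tricks.

```python
# Added example; extension lists and domains are constructed assumptions.
from typing import Optional
from urllib.parse import urlsplit

EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "lnk"}
DECOY_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "zip", "jpg", "txt"}
LEGIT_DOMAINS = {"county-ess.example"}  # constructed; reserved TLD


def has_double_extension(filename: str) -> bool:
    """True when a document-looking extension is followed by an executable one."""
    # Trailing dots and spaces are dropped by Windows, so ignore them here too.
    parts = filename.strip().rstrip(". ").lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]


def lookalike_of(url: str, legit=LEGIT_DOMAINS) -> Optional[str]:
    """Return the legitimate domain that the URL's host imitates, else None."""
    host = (urlsplit(url).hostname or "").lower()  # needs a scheme or leading //
    if host.startswith("www."):
        host = host[4:]
    if not host or host in legit:
        return None
    name, _, tld = host.rpartition(".")
    for good in sorted(legit):
        good_name, _, good_tld = good.rpartition(".")
        if name == good_name and tld != good_tld:
            return good  # same name under a different TLD
        if tld == good_tld and 0 < edit_distance(name, good_name) <= 2:
            return good  # small spelling variation
    return None


if __name__ == "__main__":
    for f in ("evil.pdf.exe", "report.pdf", "archive.tar.gz"):
        print(f, has_double_extension(f))
    for u in ("https://county-ess.test/login", "https://countv-ess.example/"):
        print(u, lookalike_of(u))
```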