In today’s digital landscape, public sector organizations—particularly those in the State, Local, and Education (SLED) sectors—are contending with an unprecedented surge in cyber threats. Over the past several years, attacks against SLED institutions have increased sharply. What was once an occasional disruption has evolved into a constant barrage of ransomware extortion, data breaches, and sophisticated fraud schemes targeting everything from K–12 school districts to state health departments and municipal governments.

This escalation isn’t happening in a vacuum. Since 2022, the world has witnessed profound geopolitical shifts—wars, regional conflicts, and a reconfiguration of international alliances—that have directly contributed to the development and proliferation of new cyber threats. Nation-state adversaries have become more assertive, state-sponsored threat groups have grown in number and sophistication, and criminal ecosystems have thrived by adopting advanced tools and tactics once reserved for intelligence services. As a result, SLED entities now face a diverse and rapidly evolving threat landscape that challenges even the most well-resourced security teams.

Figure 1: Cyber Threat Landscape Across U.S. Public Sector Entities

At the same time, the lines between criminal operations and state-sponsored campaigns have blurred. Many ransomware groups operate with tacit approval from foreign governments, while politically motivated threat actors increasingly target public sector institutions to project power and sow disruption. Combined with the rapid commoditization of cyber crime tools, these developments mean that even smaller agencies and school systems can suddenly find themselves in the crosshairs of highly organized adversaries.

In this environment, traditional perimeter-based defenses and reactive incident response are no longer sufficient. External risk management (ERM) has emerged as an operational necessity—a way to detect threats before they materialize, monitor adversary infrastructure in real time, and disrupt attacks at their earliest stages. In this article, we’ll explore the core pillars of ERM and show how SLED organizations can leverage proactive intelligence to safeguard their mission, their people, and the public trust they are sworn to protect.

Deep & Dark Web Monitoring

Deep and dark web monitoring is the process of searching parts of the internet that are not indexed by standard search engines, including hidden marketplaces, private forums, and encrypted platforms where stolen data and credentials are traded. For SLED organizations, this type of monitoring is not optional—it’s essential. School districts, public health agencies, and law enforcement bodies store vast quantities of sensitive information, from student records and medical files to police reports. These datasets are prime targets for cyber criminals and are frequently advertised or sold in hidden corners of the internet.

Figure 2: Argos Detection of a Ransomware Leak Post and Corresponding Darknet Listing

To the left, the Argos platform identifies and extracts intelligence on the Nitrogen ransomware group’s publication of stolen data from the Coweta County School System attack. To the right, the live darknet Tor website displays the ransom note, including proof-of-leakage files and download links offering personal and financial records of students and parents.

One recent example that illustrates why this capability is so vital is the ransomware attack against Coweta County School System, which took place on May 25, 2025. Dark web monitoring and forensic analysis revealed that the likely root cause of this incident was widespread infostealer infections: many employee and student devices had been compromised by malware families including StealC, Lumma, and RedLine. These infostealers harvested login credentials and other sensitive authentication data, which were later offered for sale by initial access brokers. Those brokers specialize in collecting and monetizing access, effectively acting as suppliers for more sophisticated threat actors. In this case, the credentials were acquired by the group Nitrogen, which used them to establish a foothold inside the school system’s internal environment and ultimately deploy ransomware.

Figure 3: Argos Detection of Infostealer Infections Targeting Coweta County School System

The Argos platform identified multiple stealer logs containing credentials associated with Coweta County School System accounts. The redacted details illustrate harvested login data that was offered for sale by initial access brokers. Notably, the detection dates precede the ransomware attack by several weeks, demonstrating how early intelligence could have enabled proactive mitigation before the breach escalated.

This chain of compromise demonstrates exactly why continuous dark web intelligence is critical. Infostealer infections often go unnoticed because they do not immediately trigger destructive activity—yet they quietly lay the foundation for far more severe breaches. Detecting these credentials early, before they are packaged and sold to ransomware operators, is often the only opportunity to interrupt the attack lifecycle.
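The triage step the Coweta County case implies, matching stealer-log exposures to an organization’s own domains and measuring how far ahead of the incident they surfaced, looks roughly like the following. This is an added example, not code from the original article or from the Argos/Infinity ERM platform; the record layout, the organization domains, the incident date and every sample record are constructed for illustration and do not describe real data.

```python
"""Triage of infostealer-log credential exposures against an organization's
domains, annotated with the lead time each detection gave before an incident.

Added example; the record format, ORG_DOMAINS, INCIDENT_DATE and SAMPLE_LOGS
are constructed assumptions, not data from the article or any real feed.
"""
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

# Domains the hypothetical organization owns or accepts logins for.
ORG_DOMAINS = {"example-schools.org", "sso.example-schools.org"}

# Assumed incident date used to compute lead time (illustration only).
INCIDENT_DATE = date(2025, 5, 25)


@dataclass(frozen=True)
class StealerRecord:
    seen: date          # when the log was observed for sale or leaked
    stealer: str        # malware family named in the log
    target_url: str     # URL the browser had saved the credential for
    username: str
    host_type: str      # "employee" or "student" device, as labelled in the log


# Constructed sample records (not real victims, not real credentials).
SAMPLE_LOGS = [
    StealerRecord(date(2025, 4, 10), "Lumma", "https://sso.example-schools.org/login", "jdoe@example-schools.org", "employee"),
    StealerRecord(date(2025, 4, 28), "StealC", "https://mail.example-schools.org/owa", "asmith@example-schools.org", "employee"),
    StealerRecord(date(2025, 5, 2), "RedLine", "https://portal.example-schools.org/", "student123@example-schools.org", "student"),
    StealerRecord(date(2025, 5, 3), "Lumma", "https://shop.example.com/account", "jdoe@gmail.com", "employee"),  # not our domain
    StealerRecord(date(2025, 5, 26), "StealC", "https://sso.example-schools.org/login", "it.admin@example-schools.org", "employee"),  # after the incident
]


def _registrable(host: str) -> str:
    """Crude eTLD+1 reduction: keep the last two labels. Adequate for this
    example; use a public-suffix list in production."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def matches_org(rec: StealerRecord) -> bool:
    """A record concerns us if either the saved URL's host or the username's
    mail domain falls under one of ORG_DOMAINS."""
    host = urlparse(rec.target_url).hostname or ""
    mail_domain = rec.username.rsplit("@", 1)[-1] if "@" in rec.username else ""
    org_roots = {_registrable(d) for d in ORG_DOMAINS}
    return _registrable(host) in org_roots or _registrable(mail_domain) in org_roots


def triage(records, incident: date):
    """Org-relevant records observed before `incident`, newest first, each
    paired with its lead time in days. Later records are ignored because they
    cannot have been an early warning for that incident."""
    hits = [r for r in records if matches_org(r) and r.seen < incident]
    hits.sort(key=lambda r: r.seen, reverse=True)
    return [(r, (incident - r.seen).days) for r in hits]


def earliest_warning_days(records, incident: date) -> int:
    """Days between the first org-relevant exposure and the incident (0 if none)."""
    lead = [d for _, d in triage(records, incident)]
    return max(lead) if lead else 0


if __name__ == "__main__":
    for rec, days in triage(SAMPLE_LOGS, INCIDENT_DATE):
        print(f"{rec.seen} {rec.stealer:<8} {rec.host_type:<9} {rec.username:<32} {days:3d} days before incident")
    print("earliest warning:", earliest_warning_days(SAMPLE_LOGS, INCIDENT_DATE), "days")
```

Every hit returned by `triage` is an account whose password should be reset and whose sessions should be revoked the day the log appears, not after an intrusion; in the constructed data the first exposure precedes the incident by 45 days, which is the window the article describes.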

At Cyberint, now Check Point’s Infinity ERM, we have cultivated this domain as a core area of expertise. Our analysts regularly track the ecosystem of initial access brokers, monitor credential marketplaces, and surface compromised data that could lead to catastrophic intrusions. We recently presented our findings on this subject at RSA in a talk titled “An Identity Defender’s Worst Nightmare: Initial Access Brokers and Here Is Why.” For public sector organizations, especially those entrusted with protecting children’s and citizens’ data, this level of visibility into the dark web can mean the difference between resilience and crisis.

Phishing and Brand or Identity Impersonation Detection

Phishing and identity impersonation detection focuses on uncovering fraudulent websites, emails, and social media profiles designed to mimic legitimate brands or institutions. This is especially relevant for SLED entities, as attackers often exploit trust in public organizations to deceive employees and citizens alike. For instance, a phishing email might masquerade as a message from a city’s official IT department, or a fake website might mimic a state agency portal to harvest login credentials. Early detection and takedown of these threats are crucial for preventing data theft, ransomware infections, and the erosion of trust in government services.

Figure 4: Official FBI Alert Regarding the DMV-Themed Phishing Campaign

A notable recent example is the DMV-themed phishing campaign targeting U.S. citizens. In May 2025, a sophisticated phishing campaign emerged, impersonating several U.S. state Departments of Motor Vehicles (DMVs). This campaign leveraged widespread SMS phishing (smishing) and deceptive web infrastructure to harvest personal and financial data from unsuspecting citizens. Victims received alarming messages concerning unpaid toll violations and were directed to fake DMV websites that prompted them to resolve the issue by paying a nominal fine. These cloned websites requested extensive personal information and credit card credentials under the guise of verifying user identity.

Check Point’s technical analysis of this campaign uncovered shared infrastructure, consistent domain naming conventions, reused frontend assets, and strong indicators pointing to a China-based threat actor. The widespread impact and impersonation of trusted state agencies underscore the urgency of awareness and proactive defense.

Figure 5: Forensic Analysis of the DMV-themed Phishing Infrastructure

Forensic analysis performed by the Infinity ERM team revealed that all the observed phishing domains were hosted within the same infrastructure, indicating they were likely connected and orchestrated by a single threat actor. This shared hosting environment and overlapping resources suggest a coordinated campaign targeting U.S. consumers. Additional technical details were published in the Check Point research blog.
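The pivoting described above (shared hosting, reused frontend assets, a common naming convention) can be reproduced mechanically once the observations are collected. The following is an added example, not code from the original article or from Check Point’s research: it clusters domains transitively by shared IP or shared asset fingerprint and then checks whether a whole cluster follows the lure naming pattern. Every domain, IP address and asset hash below is constructed for illustration and refers to no real infrastructure; the naming regex is an assumption modelled on the campaign description, not a published indicator.

```python
"""Cluster phishing domains into likely single-actor campaigns by pivoting on
shared hosting and reused frontend assets, then confirm the naming convention.

Added example. DMV_PATTERN and OBSERVATIONS are constructed assumptions;
none of the domains, addresses or hashes are real indicators.
"""
import re
from collections import defaultdict

# Assumed naming convention: a state code or "dmv"/"mva" token, an optional
# separator, a toll/violation/fine word, more filler, and a cheap TLD.
DMV_PATTERN = re.compile(
    r"^(?:[a-z]{2}|dmv|mva)[-.]?(?:dmv|toll|tolls|violation|fine|penalty|ezpass)"
    r"[a-z0-9-]*\.(?:top|xyz|vip|icu|cc|com)$"
)

# Constructed observations: (domain, resolved IP, fingerprint of the landing
# page's bundled JS/CSS). None means the asset was not retrieved.
OBSERVATIONS = [
    ("ny-dmv-toll.top",         "203.0.113.10", "a1"),
    ("txdmvfine.xyz",           "203.0.113.10", "a1"),
    ("ca-tollviolation.vip",    "203.0.113.11", "a1"),
    ("fl-dmvpenalty.icu",       "203.0.113.11", None),
    ("mva-ezpass.top",          "198.51.100.5", "b7"),
    ("pa-dmv-toll.cc",          "198.51.100.5", "b7"),
    ("library-catalog.example", "192.0.2.77",   "c3"),  # unrelated site on its own host
]


def looks_like_dmv_lure(domain: str) -> bool:
    """True when the domain follows the assumed lure naming convention."""
    return bool(DMV_PATTERN.match(domain.lower()))


class _DSU:
    """Small union-find so that domains sharing any pivot land in one cluster."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster_by_infrastructure(observations):
    """Group domains transitively by shared IP or shared asset fingerprint.
    Returns a list of sorted domain lists, largest cluster first."""
    dsu = _DSU()
    by_pivot = defaultdict(list)
    for domain, ip, asset in observations:
        dsu.find(domain)                      # register singletons too
        by_pivot[("ip", ip)].append(domain)
        if asset is not None:
            by_pivot[("asset", asset)].append(domain)
    for members in by_pivot.values():
        for other in members[1:]:
            dsu.union(members[0], other)
    groups = defaultdict(list)
    for domain, _, _ in observations:
        groups[dsu.find(domain)].append(domain)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


def campaign_candidates(observations):
    """Clusters of two or more domains whose members all match the lure naming
    pattern: shared infrastructure plus a shared convention is the combination
    that points to one actor rather than coincidental co-hosting."""
    return [c for c in cluster_by_infrastructure(observations)
            if len(c) >= 2 and all(looks_like_dmv_lure(d) for d in c)]


if __name__ == "__main__":
    for cluster in campaign_candidates(OBSERVATIONS):
        print("likely one campaign:", ", ".join(cluster))
```

Note that `fl-dmvpenalty.icu` has no asset fingerprint yet still joins the first cluster through the IP it shares with `ca-tollviolation.vip`, which in turn shares an asset with the other two; that transitive chaining is what makes the pivot useful against actors who rotate one attribute at a time. Mixed clusters, where co-hosted domains do not all follow the convention, are kept by `cluster_by_infrastructure` for analyst review but excluded from `campaign_candidates`.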

This incident underscores the critical importance of robust phishing and brand impersonation detection measures for SLED organizations. By proactively identifying and mitigating such threats, agencies can protect their constituents from fraud and maintain the integrity of public services.

Fraudulent Activity Detection

Fraudulent activity detection plays a critical role in identifying and disrupting illicit schemes that target public institutions and their stakeholders. While many high-profile breaches involve ransomware or large-scale data theft, a substantial proportion of financial damage and reputational harm comes from more covert types of fraud. These schemes often originate in the dark web and are orchestrated by specialized criminal groups who focus on social engineering, document forgery, and money laundering.

Figure 6: Argos Detection of Dark Web Marketplace Offering Counterfeit U.S. Documents

Argos identified this cyber crime forum post by a threat actor advertising forged U.S. passports, driver’s licenses, birth certificates, green cards, and counterfeit banknotes. The sale of these fake documents facilitates fraud against government entities and enables identity theft schemes.

For example, in one recent case we observed in dark web monitoring, a threat actor advertised a comprehensive service offering counterfeit U.S. documents. This operation marketed forged passports, driver’s licenses, birth certificates, green cards, residence permit cards, and counterfeit banknotes of various currencies. By promoting these documents as virtually indistinguishable from legitimate records, the actor enabled buyers to construct synthetic identities, gain unauthorized access to services, or facilitate broader fraud campaigns. The existence of such offerings underscores how deeply commoditized identity fraud has become—and why early detection of these listings is essential to protect both institutions and the public.

In another instance, a sophisticated money laundering service openly promoted cash and gold pickups, cashier’s checks, and parcel drops across the U.S., Canada, and Australia. This group advertised the ability to move funds quickly and discreetly via wire transfers, digital payment apps, and stable cryptocurrency accounts. The operation was positioned as a turnkey laundering solution, offering round-the-clock customer support and emphasizing the speed and “professionalism” of its services. For SLED organizations and other public entities, these kinds of networks represent not only a financial threat but also a vector for fraud schemes that can intersect with benefits programs, procurement fraud, and payment system compromises.

Figure 7: Argos Detection of Telegram-Based Money Laundering Services

This cyber crime advertisement, detected by Argos, shows a threat actor offering cash pickups, gold transactions, cashier’s checks, and wire transfers to launder illicit funds. The operation promotes 24-hour service across the U.S., highlighting how readily available professional money laundering has become in the underground economy.

The emergence of such services highlights why proactive fraud intelligence must be part of any external risk management strategy. Infinity ERM continuously tracks these underground marketplaces and laundering infrastructures, providing early warnings and actionable intelligence to help public sector security teams detect and disrupt fraud before it scales. By combining dark web monitoring with fraud detection analytics, organizations can better protect their ecosystems from the hidden economies that fuel financial crime.

Threat Actor Profiling

Threat actor profiling is the practice of tracking and analyzing the behaviors, motivations, and tactics of cyber criminal groups that target public sector entities. In recent years, ransomware syndicates, hacktivist collectives, and nation-state actors have increasingly focused their attacks on SLED organizations, aiming to disrupt essential services, steal sensitive data, and erode public confidence. By developing detailed profiles of these adversaries, SLED agencies can attribute attacks to specific groups, understand their preferred methods of operation, and anticipate where they are likely to strike next.

With Infinity ERM, we continuously monitor and track threat actor activity across diverse geographies, industry sectors, motivations, and modi operandi. This capability provides cyber security professionals with intelligence that goes far beyond simply responding to or blocking indicators of compromise associated with known attacks. Instead, it enables analysts to identify patterns, emerging cyber signatures, and active attack vectors in the wild—and to act on them in real time. This approach marks the difference between traditional reactive threat intelligence and truly proactive security.

Figure 8: Threat Actor Profiling Heat Map

Infinity ERM produces dynamic and modular visualizations of threat actor activity based on comprehensive analysis. This heat map highlights the volume of attacks by actor across both sector and geography. In addition to activity trends, Infinity ERM incorporates intelligence on each group’s modus operandi, tools, tactics, techniques, and attack vectors to deliver actionable profiling that supports proactive defense.

Our methodology focuses on connecting the signatures profiled for each threat actor to ongoing, live attacks as they unfold. Security professionals can therefore map specific tools, CVEs, campaigns, and TTPs to the groups or individuals orchestrating them. For example, when a ransomware group targeting school districts begins using a new exploit kit or shifts tactics to social engineering, the profiling process detects these developments early. This intelligence allows SLED organizations to adjust defenses before attacks reach their perimeter, prioritize patching of exploited vulnerabilities, and tailor response plans to the unique characteristics of each adversary.

Figure 9: Infinity ERM Threat Actor Intelligence Card

Infinity ERM’s threat actor card delivers detailed intelligence on each group, including targeting patterns, motivations, victimology, and exploited vulnerabilities. This example shows the Cl0p ransomware group, highlighting their top CVEs, preferred sectors, geographic focus, and operational tactics. Such comprehensive profiles enable security teams to anticipate threats and tailor defenses accordingly.

Ultimately, this proactive approach to threat actor profiling transforms cyber security from a reactive exercise, focused only on cleaning up after an incident, to a forward-looking strategy that anticipates threats, disrupts attacks before they escalate, and continually strengthens resilience. For public institutions entrusted with protecting citizen data and essential services, this shift is not just an advantage but a necessity.

Supply Chain Risk Management

Supply chain risk management has become a critical concern as SLED organizations increasingly rely on an ecosystem of technology providers, service vendors, and third-party platforms to deliver essential public services. Supply chain risks occur when a third-party vendor used by an organization is breached, and through that breach, the data or systems of the primary organization are also exposed or compromised. Even when an agency’s own security controls are strong, a trusted partner’s weaknesses can create hidden vulnerabilities that attackers are eager to exploit.

Figure 10: Dark Web Disclosure of Oracle Cloud Breach

This screenshot shows the original dark web post by a threat actor announcing the compromise of Oracle Cloud infrastructure in late March 2025. The Argos platform detected the disclosure in real time, enabling immediate notification to affected customers. This incident underscores the importance of third-party risk management and early warning capabilities to mitigate cascading impacts from vendor breaches.

A recent example that underscores this risk is the breach of Oracle in March 2025. Attackers exploited a previously unknown vulnerability in Oracle’s cloud infrastructure services, ultimately compromising sensitive data and credentials stored across multiple customer environments. Check Point immediately began tracking the breach as details emerged in closed dark web forums and underground broker channels. Within hours of confirming the intrusion, our team notified all affected customers so they could initiate containment and remediation.

Figure 11: Infinity ERM Vendor Risk Card for Oracle

Infinity ERM’s vendor intelligence platform displays Oracle’s overall risk score, breach history, and targeting level. This view highlights the timely detection of the March 2025 breach, enabling rapid assessment and mitigation of third-party risk across customer environments.

What made this incident particularly alarming was the extent of its impact on public institutions: roughly 25% of the organizations affected were government agencies and education entities, including state IT departments, educational institutions, and healthcare systems that relied on Oracle’s infrastructure to deliver essential services. This event demonstrated how a single supplier compromise can cascade through dozens of dependent environments and expose vast quantities of sensitive information before any traditional security controls detect the intrusion.

Figure 12: List of Government and SLED Entities Impacted by the Breach

This excerpt shows a sample of government and education domains identified among the victims of the Oracle breach. Infinity ERM’s analysis estimated that over 25% of affected organizations were public sector institutions, underscoring the critical importance of proactive third-party risk monitoring in this vertical.

Early detection and proactive third-party monitoring are therefore essential pillars of supply chain security. Without visibility into your vendors’ risk posture, there is no practical way to identify these breaches in time to prevent widespread damage. By maintaining continuous intelligence on the security status of technology partners and contractors, agencies can shrink the window between compromise and response, protect citizen data, and reinforce the resilience of public sector operations.

Executive Protection Intelligence

Executive protection intelligence focuses on identifying and mitigating personal threats to high-profile leaders and staff members within public sector organizations. SLED officials such as police chiefs, correctional facility leaders, state administrators, and university presidents often become personal targets of malicious campaigns intended to intimidate, discredit, or manipulate them.

One very common attack vector in this space is impersonation on social media. Threat actors frequently create fake profiles and pages that closely mimic the real accounts of public figures to erode trust, gather sensitive information, or distribute disinformation. For example, in recent monitoring we observed numerous impersonating pages created for Andrew Cuomo, the former Governor of New York. These fraudulent accounts were designed to confuse followers, manipulate public sentiment, and serve as staging points for social engineering. This is a high-volume tactic that can have far-reaching consequences, ranging from phishing attempts and psychological warfare to coordinated campaigns aimed at damaging reputation and influencing perceptions among constituents.

Figure 13: Impersonation Pages Targeting Andrew Cuomo

Argos detected multiple impersonating social media profiles purporting to represent Andrew Cuomo. The top left shows Cuomo’s legitimate LinkedIn account, while the other LinkedIn, Instagram, and Facebook profiles are unofficial pages leveraged in social engineering campaigns. Such impersonation attacks are increasingly common and can be used to manipulate public perception or conduct fraud.

What makes this threat even more pressing is the rapid rise of advanced AI capabilities. Emerging generative tools enable attackers not only to build convincing fake pages and profiles but also to create sophisticated deepfake videos and synthetic audio clips. These assets can be used to impersonate officials with striking realism, making it much harder for the public to distinguish legitimate communications from fabricated ones. As a result, the barrier to entry for carrying out high-quality impersonation attacks has dropped dramatically. Where such operations once required substantial resources and expertise, today even low-skilled actors can execute campaigns that would have been unthinkable just a few years ago. This is one of the key reasons we are seeing so many more impersonation incidents compared to prior years.

For public sector organizations and their leaders, this evolving threat landscape underscores the importance of continuous monitoring, early detection, and rapid takedown of fraudulent profiles and content. Executive protection intelligence plays an essential role in defending not just individuals but also the public’s trust in institutions and the integrity of official communications.

Geopolitical Threat Alerts

Geopolitical threat alerts provide location-specific, geo-targeted intelligence about emerging cyber threats that could impact particular jurisdictions. For SLED organizations, this kind of intelligence is indispensable, because many attacks are regionally concentrated and tailored to exploit local vulnerabilities or public infrastructure. Whether it is a phishing campaign targeting school districts in a specific state, ransomware aimed at election systems in a county, or disinformation attacks coordinated to influence municipal government decisions, the speed and relevance of intelligence can determine the success of a response.

Figure 14: Argos Threat Actor Cards Highlighting State-Sponsored Groups

These Argos intelligence profiles showcase state-sponsored threat actors active in the global geopolitical cyber landscape. Infinity ERM continuously tracks their motivations, operations, and ties to geopolitical developments, delivering valuable context to customers, especially SLED organizations, seeking to understand and mitigate nation-state threats.

One of the most significant challenges today is the scale and sophistication of state-sponsored cyber activity. Threat actors affiliated with nation-states continuously develop advanced tools, exploit newly discovered vulnerabilities, and orchestrate campaigns designed to destabilize public services or undermine confidence in institutions. At Check Point, we monitor a large number of state-sponsored groups and their ecosystems in real time, tracking their attack tools, infrastructure, and evolving tactics. This persistent visibility empowers public sector organizations to recognize when an emerging campaign is targeting their region or sector and to take preemptive measures before an intrusion escalates.

By combining geopolitical context with continuous technical intelligence, SLED agencies can achieve a level of situational awareness that was previously unattainable. Rather than reacting to breaches after the damage is done, they can proactively anticipate where adversaries are likely to focus their efforts, implement defenses tailored to known techniques, and coordinate incident response with regional and national stakeholders. For public institutions entrusted with critical infrastructure and citizen services, this is no longer a luxury—it is an operational necessity.

Conclusion

In a world where the cyber threat landscape has evolved into a vast, coordinated ecosystem of financially motivated criminals and nation-state adversaries, external risk management is, unfortunately, no longer optional for public sector institutions—it is essential. Over the past few years, attacks on SLED organizations have accelerated at an unprecedented pace, fueled by geopolitical turmoil, the rise of professionalized cyber crime marketplaces, and the widespread commoditization of advanced attack tools. From ransomware groups harvesting credentials on the dark web to state-sponsored actors waging targeted campaigns to undermine public trust, the spectrum of threats facing state and local agencies has never been broader or more complex.

As the examples in this report illustrate, early detection and proactive intelligence are the decisive factors that separate organizations that merely react to breaches from those that can anticipate and disrupt them before damage is done. Whether it is identifying stolen credentials weeks before a ransomware attack, uncovering phishing infrastructure designed to impersonate government agencies, tracking state-sponsored adversaries in real time, or monitoring the security posture of critical vendors, a mature external risk management program empowers security teams to stay ahead of adversaries.

Check Point’s approach is grounded in this philosophy of proactive defense. By continuously mapping the threat landscape, from initial access brokers and laundering operations to sophisticated nation-state campaigns, we help public institutions not only understand who their adversaries are but also how they operate, what they target, and where they are most likely to strike next. This intelligence-driven posture enables SLED organizations to protect their missions, their data, and ultimately the public trust they are charged to uphold.

In the years to come, as geopolitical tensions and technological advancements continue to reshape the attack surface, the agencies best prepared to weather this storm will be those that invest in visibility beyond their own networks. The path forward is clear: only by extending our defenses outward—into the dark web, across the supply chain, and into the infrastructure of adversaries themselves—can we build the resilience required to secure the future of our public institutions.