The state of Indiana attributed the scam emails to a compromised contractor's account.
# Incident Report: Compromise of GovDelivery to Distribute State Toll Scams
## Executive Summary
GovDelivery, the Granicus-operated email notification platform used by U.S. government agencies, was abused by malicious actors to send fraudulent emails about unpaid tolls to Indiana residents. The root cause was identified as a compromised user account, reportedly belonging to a state contractor, which gave the attackers legitimate send access through the platform. Authorities are working to halt the messages; the full set of affected recipients has not yet been determined.
## Incident Details
- **Discovery Date:** Tuesday, May 13, 2025 (May 13, 2025 falls on a Tuesday; the date is implied by the report's publication date).
- **Incident Date:** Shortly before the report was published on May 13, 2025; the exact time the messages were sent is not given.
- **Affected Organization:** State of Indiana (and potentially other government departments using the system).
- **Sector:** Government/Public Sector Communication.
- **Geography:** U.S. State of Indiana.
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown, prior to May 13, 2025.
- **Vector:** Compromised user account belonging to an Indiana state contractor.
- **Details:** The attacker gained access to an account authorized to send messages through the GovDelivery platform maintained by Granicus.
### Lateral Movement
- **Details:** The report mentions no lateral movement within state networks. The activity was confined to the sending privileges already held by the compromised account on the third-party communication platform (GovDelivery).
### Data Exfiltration/Impact
- **Details:** Fraudulent emails styled as official alerts about unpaid tolls were sent through the platform; they contained links leading to scam sites. No exfiltration of data from state systems is reported. The impact was the abuse of a trusted government distribution channel to deliver phishing content.
### Detection & Response
- **How it was discovered:** The State of Indiana became aware of fraudulent messages purportedly sent by state agencies.
- **Response actions taken:** The Indiana Office of Technology said it was working with Granicus to stop further messages. The state noted that its contract with Granicus had ended in December 2024, but that the state's account on the platform had allegedly not been removed.
## Attack Methodology
- **Initial Access:** Compromised contractor user account credentials for the GovDelivery platform.
- **Persistence:** Access was maintained via the compromised, unrevoked user account on the GovDelivery platform.
- **Privilege Escalation:** Not applicable; the attacker utilized pre-existing permissions granted via the contractor account.
- **Defense Evasion:** Because the messages left through GovDelivery's own sending infrastructure under the sender identity recipients already associate with state alerts, they produced the same sender-authentication results and domain reputation as genuine alerts. Mail filters and recipients therefore had little reason to treat them as suspicious, which is exactly the property that makes a compromised notification-platform account more valuable to a phisher than a lookalike domain.
- **Credential Access:** Method of initial credential compromise (e.g., phishing, password spraying) is not specified.
- **Discovery:** Unknown. Attackers likely identified GovDelivery as a high-trust channel for distribution.
- **Lateral Movement:** Not applicable to internal network movement.
- **Collection:** Not described; the observed activity was limited to mass sending through the platform.
- **Exfiltration:** Not applicable (no data exfiltration described from state systems).
- **Impact:** Distribution of scam emails leading victims to malicious sites under the guise of official state business (unpaid tolls).
## Impact Assessment
- **Financial:** Potential financial loss for individual residents falling for the scam. No state financial impact detailed.
- **Data Breach:** No confirmed breach of sensitive state systems; the impact was the misuse of the mailing platform.
- **Operational:** Disruption of legitimate government communications due to the need to address the fraudulent campaign and review third-party access management.
- **Reputational:** Negative impact on public trust regarding the security of government alert systems, specifically concerning the use of GovDelivery/Granicus.
## Indicators of Compromise
- **Network indicators:** Links in the emails redirecting to toll-scam sites. The source report does not publish the specific URLs, so none are listed here.
- **File indicators:** Not applicable.
- **Behavioral indicators:** A mass campaign of official-looking emails about unpaid tolls sent through GovDelivery under a state agency's sender identity, originating from an account tied to a contract that had ended months earlier and should already have been deprovisioned.
## Response Actions
- **Containment measures:** Indiana Office of Technology stated they were working with Granicus to stop any further malicious communication originating from the compromised account/channel.
- **Eradication steps:** Not stated explicitly; disabling the compromised account and reviewing which former contractors and partners still hold platform access are implied.
- **Recovery actions:** The state is working to ensure the compromised state account on the vendor platform is secured or removed.
## Lessons Learned
- **Key takeaways:** Relying on a third-party vendor such as Granicus for critical public communications requires strict off-boarding: accounts belonging to former contractors or partners must be disabled the moment the contract ends. Here the contract ended in December 2024, yet the account was allegedly still active in May 2025.
- **What could have been done better:** Enforcing multi-factor authentication on the contractor account, automatically disabling vendor accounts on their contract end date rather than relying on a manual step, and alerting on high-volume sends from accounts that have been idle for months would each have either prevented the misuse or cut short the window in which it went unnoticed.
## Recommendations
- Immediately audit all third-party vendor access points utilized for public communication.
- Implement mandatory, automated deprovisioning checks for vendor accounts upon contract end dates.
- Review state contracts to ensure clear stipulation and immediate remediation steps required from vendors following contract termination, specifically regarding account access removal.
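The two controls above (deprovisioning checks tied to contract end dates, and the behavioral indicator of a dormant, should-have-been-removed account suddenly sending a mass campaign) can be expressed as a small audit that reconciles a vendor roster against the platform's account list and scans send logs. The following is an added example written for this page; it is not code from Granicus, GovDelivery or the State of Indiana. The account names, contract dates, send events and thresholds are constructed to mirror the incident as described, and the data model is an assumption about what any bulk-notification platform can export, not a real GovDelivery API.

```python
"""Audit of third-party sender accounts on a bulk-notification platform.

Two checks, both driven by data a platform administrator can export:
  1. Orphaned accounts: still enabled although the contract that justified
     them has already ended.
  2. Dormant-account reactivation: an account that sent nothing for a long
     stretch and then pushes a large volume in a short window, the pattern a
     compromised, unrevoked contractor account produces.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    account_id: str
    owner: str
    contract_end: Optional[date]  # None for permanent state staff
    enabled: bool


@dataclass(frozen=True)
class SendEvent:
    account_id: str
    sent_at: datetime
    recipients: int
    subject: str


def find_orphaned_accounts(accounts, as_of):
    """Enabled accounts whose contract end date is already in the past."""
    return [
        a for a in accounts
        if a.enabled and a.contract_end is not None and a.contract_end < as_of
    ]


def find_dormant_reactivations(events, as_of, dormant_days=90,
                               window_hours=24, burst_threshold=10_000):
    """Accounts that sent at least `burst_threshold` recipients in the last
    `window_hours` after being silent for `dormant_days` or more."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e.account_id].append(e)
    window_start = as_of - timedelta(hours=window_hours)
    findings = []
    for account_id, evs in by_account.items():
        evs.sort(key=lambda e: e.sent_at)
        in_window = [e for e in evs if window_start <= e.sent_at <= as_of]
        earlier = [e for e in evs if e.sent_at < window_start]
        if not in_window:
            continue
        volume = sum(e.recipients for e in in_window)
        if volume < burst_threshold:
            continue
        # An account with no prior history at all is treated as dormant too.
        gap_days = (in_window[0].sent_at - earlier[-1].sent_at).days if earlier else None
        if gap_days is None or gap_days >= dormant_days:
            findings.append({
                "account_id": account_id,
                "recipients_in_window": volume,
                "days_since_previous_send": gap_days,
                "subjects": sorted({e.subject for e in in_window}),
            })
    return findings


# Constructed sample data (hypothetical identifiers; not real platform exports).
AS_OF = datetime(2025, 5, 13, 12, 0)

ACCOUNTS = [
    Account("in-ot-alerts", "Indiana Office of Technology (staff)", None, True),
    Account("ctr-webvendor-01", "Web contractor, contract ended Dec 2024", date(2024, 12, 31), True),
    Account("ctr-oldvendor-02", "Former contractor, correctly offboarded", date(2023, 6, 30), False),
]

EVENTS = [
    SendEvent("in-ot-alerts", datetime(2025, 5, 12, 8, 0), 1_800, "Weekly IT maintenance notice"),
    SendEvent("in-ot-alerts", datetime(2025, 5, 13, 8, 0), 1_900, "Weekly IT maintenance notice"),
    SendEvent("ctr-webvendor-01", datetime(2024, 12, 10, 9, 0), 500, "Portal update"),
    SendEvent("ctr-webvendor-01", datetime(2025, 5, 13, 9, 15), 120_000, "Final notice: unpaid toll balance"),
    SendEvent("ctr-webvendor-01", datetime(2025, 5, 13, 9, 40), 95_000, "Final notice: unpaid toll balance"),
]


def run_audit(accounts=ACCOUNTS, events=EVENTS, as_of=AS_OF):
    """Run both checks and return (orphaned_accounts, reactivation_findings)."""
    orphaned = find_orphaned_accounts(accounts, as_of.date())
    reactivations = find_dormant_reactivations(events, as_of)
    return orphaned, reactivations


if __name__ == "__main__":
    orphaned, reactivations = run_audit()
    for a in orphaned:
        print(f"ORPHANED: {a.account_id} ({a.owner}), contract ended {a.contract_end}")
    for f in reactivations:
        print(f"REACTIVATED: {f['account_id']} sent to {f['recipients_in_window']:,} recipients "
              f"after {f['days_since_previous_send']} idle days: {f['subjects']}")
```

The orphaned-account check is the preventive control: run it on every contract end date and whenever the roster changes, and have it disable accounts rather than merely list them. The reactivation check is the detective control for the case where deprovisioning was missed; an idle account that suddenly reaches six-figure recipient counts is worth a page to the on-call analyst regardless of what the subject line says, since the content of the message is the one thing the attacker fully controls.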