The digital transformation of local governments has created an unexpected battlefield. From the snow-capped peaks of Switzerland to the bustling cities of Texas, municipalities worldwide are facing an unprecedented wave of cyberattacks that threaten the very foundation of public services. The past year has painted a stark picture: local governments have become prime targets for cybercriminals, with devastating consequences that ripple through entire communities.
A Year of Digital Siege
The statistics are sobering. Between 2018 and 2024, there were 525 reported ransomware attacks on U.S. government entities alone, resulting in an estimated $1.09 billion in downtime.[1] This represents just the tip of the iceberg, as many incidents go unreported or are discovered months after the initial breach.
The geographic spread of these attacks tells a compelling story of global vulnerability. In Switzerland, Russian hackers systematically targeted municipalities during the World Economic Forum, hitting cantonal banks and local governments in a coordinated campaign.[2] The timing of these attacks suggests that local governments are increasingly being used as pawns in broader geopolitical conflicts, turning municipal infrastructure into proxies for nation-state signaling. Meanwhile, across the Atlantic, Texas has become a particular hotspot, with cities like McKinney, Mission, and Abilene falling victim to sophisticated attacks that exposed hundreds of thousands of residents’ personal information.
The Anatomy of Municipal Vulnerability
Who’s Under Attack?
The victims span the entire spectrum of local government operations. From small townships like White Lake, Michigan (population under 40,000) to major cities like Long Beach, California (466,000 residents), no municipality is too small or too large to escape notice. The attacks have targeted:
- Financial systems: White Lake Township lost nearly $30 million in a bond theft scheme.[3]
- Healthcare data: Long Beach’s attack compromised protected health information of 260,000 individuals. The breach required over a year of digital forensics and infrastructure restoration, illustrating the long-tail damage of modern ransomware operations.
- Critical infrastructure: Mission, Texas declared a state of emergency when hackers compromised police databases and civil records.[4] This highlights a growing trend where attackers aim not just for financial gain but to degrade real-time operational capabilities, including public safety workflows.
- Utility services: Multiple attacks have targeted water treatment facilities and energy systems. Many of these environments run outdated SCADA components with minimal segmentation from IT networks, allowing lateral movement once perimeter access is achieved.
The Attackers: A Diverse Threat Landscape
The perpetrators represent a complex ecosystem of cybercriminals with varying motivations:
- State-sponsored and hacktivist groups: Russian hacker collective NoName has emerged as a particularly persistent threat, conducting DDoS attacks against Swiss municipalities during high-profile international events.[5] Chinese-speaking hackers have exploited zero-day vulnerabilities in municipal software, specifically targeting Trimble Cityworks systems used by local governments.[6] The exploitation of CVE-2025-0994 in Cityworks demonstrates a growing attacker focus on widely deployed, niche municipal platforms—highlighting the strategic value of supply chain access.
- Ransomware operations: Groups like Qilin, Interlock, and Nova have claimed responsibility for attacks on municipalities, demanding ransoms while threatening to release sensitive data. The Abilene attack exemplifies this trend, with hackers stealing 477 gigabytes of data and demanding payment by a specific deadline. Analysis of ransom notes and TOR leak sites shows that municipal victims are increasingly prioritized due to predictable response protocols, low segmentation, and high likelihood of negotiation.[7]
Attack Methodologies Behind Threats to Municipal Systems
Distributed Denial-of-Service (DDoS) Attacks
These attacks have become the weapon of choice for politically motivated hackers. The Swiss incidents demonstrate how DDoS attacks serve as “quasi-demonstrations online” designed to attract attention during significant events. While these attacks don’t typically result in data theft, they effectively paralyze municipal websites and services. Many DDoS payloads also serve as smokescreens for concurrent reconnaissance or credential stuffing attempts on municipal web applications.
Ransomware and Data Exfiltration
The more devastating attacks involve sophisticated ransomware operations that encrypt municipal data while simultaneously exfiltrating sensitive information. The Abilene case reveals the calculated nature of these attacks: hackers not only encrypted data but also deleted files from servers, creating multiple pressure points for ransom payment. Forensic evidence from similar cases suggests attackers often disable volume shadow copies and clear Windows event logs immediately post-deployment, leaving limited traces for incident response teams.
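The pattern described above, shadow copies deleted and event logs cleared in quick succession, is one defenders can alert on. The sketch below is an added example, not part of the original article: it correlates the two behaviours per host within a time window, using constructed sample records whose field names (time, host, channel, id, cmdline) and host names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records shaped like exported Windows events:
# Security 4688 (process creation), Security 1102 and System 104 (log cleared).
SAMPLE_EVENTS = [
    {"time": "2025-03-02T01:14:05", "host": "CITY-FS01", "channel": "Security", "id": 4688,
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2025-03-02T01:14:40", "host": "CITY-FS01", "channel": "Security", "id": 4688,
     "cmdline": "wevtutil.exe cl System"},
    {"time": "2025-03-02T01:14:41", "host": "CITY-FS01", "channel": "System", "id": 104, "cmdline": ""},
    {"time": "2025-03-02T01:15:02", "host": "CITY-FS01", "channel": "Security", "id": 1102, "cmdline": ""},
    {"time": "2025-03-02T09:30:00", "host": "CITY-WS17", "channel": "Security", "id": 4688,
     "cmdline": "vssadmin.exe list shadows"},
    {"time": "2025-03-03T02:00:00", "host": "CITY-DC01", "channel": "Security", "id": 1102, "cmdline": ""},
]

SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
LOG_CLEAR_CMD = re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b|Clear-EventLog", re.I)
LOG_CLEARED_IDS = {("Security", 1102), ("System", 104)}

def classify(event):
    """Return 'shadow_delete', 'log_clear' or None for one event record."""
    cmd = event["cmdline"] if event["id"] == 4688 else ""
    if SHADOW_DELETE.search(cmd):
        return "shadow_delete"
    if (event["channel"], event["id"]) in LOG_CLEARED_IDS or LOG_CLEAR_CMD.search(cmd):
        return "log_clear"
    return None

def correlate(events, window=timedelta(minutes=10)):
    """Hosts showing both behaviours within `window`: {host: (t_shadow, t_clear)}."""
    seen, alerts = {}, {}
    for ev in sorted(events, key=lambda e: e["time"]):
        kind = classify(ev)
        if kind is None:
            continue
        ts = datetime.fromisoformat(ev["time"])
        other = "log_clear" if kind == "shadow_delete" else "shadow_delete"
        prev = seen.get((ev["host"], other))
        if prev is not None and ts - prev <= window and ev["host"] not in alerts:
            alerts[ev["host"]] = (prev, ts) if kind == "log_clear" else (ts, prev)
        seen[(ev["host"], kind)] = ts
    return alerts

if __name__ == "__main__":
    for host, (t_shadow, t_clear) in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: shadow copies deleted {t_shadow}, logs cleared {t_clear}")
```

Event 4688 carries a command line only when command-line auditing for process creation is enabled, and a cleared log is only visible afterwards if events are forwarded off the host before the clearing happens.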
Zero-Day Exploits
Perhaps most concerning is the emergence of zero-day attacks targeting municipal software. The exploitation of CVE-2025-0994 in Trimble Cityworks demonstrates how attackers are specifically researching and targeting software commonly used by local governments.[8] Municipalities are often slow to adopt virtual patching or EDR integration with these tools, making even patched systems vulnerable to post-exploitation abuse via misconfigurations.
The digital transformation of local government has created new vulnerabilities that require immediate attention. The municipalities that survive and thrive will be those that recognize cybersecurity not as an IT problem, but as a fundamental requirement for modern governance.
As municipalities modernize, they’re becoming prime targets for cyberattacks. The ones best positioned to adapt are those that treat cybersecurity as a core part of public service—not just a technical issue.
[1] https://www.comparitech.com/blog/information-security/government-ransomware-attacks/
[2] https://www.swissinfo.ch/eng/workplace-switzerland/schaffhausen-and-geneva-also-affected-by-russian-hacker-attacks/88763740
[3] https://hoodline.com/2024/12/white-lake-township-hit-by-sophisticated-cybersecurity-attack-federal-investigators-step-in/
[4] https://www.valleycentral.com/news/local-news/mission-hit-by-security-incident-computer-systems-offline/
[5] https://www.swissinfo.ch/eng/workplace-switzerland/several-swiss-websites-hit-by-cyber-attack/88756130
[6] https://www.bleepingcomputer.com/news/security/chinese-hackers-breach-us-local-governments-using-cityworks-zero-day/
[7] https://www.abilenetx.gov/civicalerts.aspx?AID=2935
[8] https://www.bleepingcomputer.com/news/security/chinese-hackers-breach-us-local-governments-using-cityworks-zero-day/