Shutdown Sparks 85% Increase in US Government Cyberattacks
Recorded: Oct. 24, 2025, 11 p.m.
| Original | Summarized |
Attackers are pouncing on financially strapped US government agencies and furloughed employees. And the effects of this period might be felt for a long time hereafter.

Nate Nelson, Contributing Writer
October 24, 2025

Cyberattacks against federal employees have nearly doubled since the US government shut down on Oct. 1.

With vital agencies on pause, employees furloughed, and threat activity only ever rising, the federal government and its personnel have possibly never been weaker than they are right now, from a cybersecurity perspective. Predictably, threat actors have noticed. The month of October has seen a surge of meaningful attacks against government workers in limbo, with potential consequences for the agencies that employ them and, by extension, the nation they oversee.

Experts emphasize, too, that the most serious cyber consequences of the shutdown won't come in the form of immediate breaches. Threat actors targeting employees today might lie in wait until some future day. Add to that all of the recruiting challenges and eroding trust in government institutions and it's the long-term fallout that should worry everyone most.

555M Government Cyberattacks in One Month

Cyberattacks against US agencies were rising steadily even before Oct. 1, in anticipation of the shutdown.
Researchers at the Media Trust then observed a spike of activity on its very first day.

At this point, they're projecting that the feds will experience north of 555 million cyberattacks by the end of the month — an 85% increase over the already more active than usual month of September.

[Chart. Source: The Media Trust]

To make matters worse, Media Trust CEO Chris Olson points out that those 555 million attacks aren't the cheap phishing chum one might expect to dominate such a dataset.

"These are targeted digital attacks through websites, apps, and targeted advertising. What we are detecting are actual interactions with employees," he says.

Government Employees Are at Their Most Vulnerable

Justin Miller, associate professor of cyber studies at the University of Tulsa, knows well the kinds of financial hardships government employees face during shutdowns, having spent decades with the Secret Service.

"I remember last time, the DHS said, 'Hey, give this to your mortgage company. It's a letter saying you're a Homeland Security employee, in case you can't pay your mortgage.' And my mortgage company laughed at me. They're like, 'Yeah, that's great. I can appreciate your work for DHS, but your mortgage is due on the 15th and you need to pay it,'" he recalls.

Financially stressed employees are exactly the targets attackers are aiming for. Elaborating on his data, the Media Trust's Olson reports that nation-state actors, cybercriminals, and hacktivists are performing "a surge in deceptive ad campaigns and phishing lures designed to exploit financial anxiety during the government shutdown. Many of these spam campaigns promise quick cash, loan forgiveness, or job opportunities but lead to credential-harvesting sites or malware downloads."

An attack on a government employee sitting at home today could be utilized later, once that employee goes back to work.
An attacker could learn about that employee in order to impersonate them later in phishing emails, or infiltrate the smartphone they'll bring to work again every day once the shutdown lifts.

Or attackers can do one better.

The Risk to Essential Employees

The Media Trust found that the most targeted agency during this shutdown, by far, has been the Department of Veterans Affairs (VA). In second place — again, some distance from third — is the Department of Justice (DoJ). The chart below shows the volume of attacks that reached each agency in the first week of October.

Though the VA and DoJ might sound like an arbitrary duo, there may well be some hidden logic underneath.

[Chart. Source: The Media Trust]

When a government shutdown happens, employees fall into two buckets. Many are furloughed — sent home and barred from even checking their government email inbox. Some are deemed "essential," though, and they have to keep working.

Essential workers are just as unpaid, stressed, and vulnerable, yet they still have to walk into their workplace every day. Miller points out how, especially in these cases, "you're going to have morale issues. And then with this minimal staffing, you're creating a higher burden on the personnel who are there having to do probably additional work," meaning cyber threats are more likely to slip through.

Because so many of them perform crucial medical and benefits work, 96.8% of employees at the VA are still going into work Monday through Friday. Similarly, 90% of DoJ employees are considered essential.

The White House has advised that, during the shutdown, "generally, agency cybersecurity functions are excepted as these functions are necessary to avoid imminent threat to Federal property," but agencies have discretion in how they interpret this guideline.
And with two-thirds of the Cybersecurity and Infrastructure Security Agency (CISA) sitting at home, agencies already lack the support they're used to at a time when they're at greatest risk.

The Long-Term Fallout

Ilona Cohen, former general counsel for the US Office of Management and Budget (OMB), now chief legal and policy officer for HackerOne, worries that amid all the headlines, people might be missing the forest for the trees.

"I think people think, 'OK, a certain amount of damage will be done in a certain number of days, whatever. Congress and the president decide [it's over] and then we all go back to business.' But there is a long-term impact anytime you have a shutdown like this," she says.

Putting aside the threat of latent cyberattacks — like the 2015 Office of Personnel Management (OPM) breach — there are also less visible consequences. For example, the government already faces an uphill battle recruiting talent from the more lucrative private sector, which is only set to grow worse now.

"It is a challenge that has been difficult to address for years now and there has been some progress. But if you are constantly having federal workers who are nervous about instability in the federal government and a failure to be paid, then you're just going to push skilled cyber professionals out of public service. That's going to be a problem not just when the shutdown ends, but for many, many weeks, months, years, depending on how many people you lose because of this instability," Cohen says.

Then there are all of the difficulties that come with discontinuity — paused projects, delayed modernization of legacy systems, and vulnerabilities going unaddressed.

Combine that with the expiration of the Cybersecurity Information Sharing Act of 2015 (CISA 2015) and the State and Local Cybersecurity Grant Program (SLCGP), "and the combination of the shutdown plus the expiration of critical laws means that you have a significant erosion of trust," Cohen says.
"It just breaks down."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast." |
Attack activities directed at the United States federal workforce surged dramatically following the federal shutdown that began on October 1, 2024, according to research from Media Trust and analysis by Nate Nelson. As essential agencies paused operations and many employees were furloughed or left unpaid, cyber‑actors intensified their efforts, exploiting the resulting financial stress and institutional uncertainty. By the end of October, observers project that more than 555 million attacks were directed at U.S. government workers—an estimated 85 percent increase over September’s already heightened activity levels. These are not generic phishing scams; they are targeted, sophisticated campaigns that reach employees via legitimate websites, applications, or deceptive online advertising, with the intent to harvest credentials or install malware. The attacks were designed to take advantage of the particular anxieties that a shutdown induces, such as fears of delayed paychecks, mortgage arrears, and job security.

The Department of Veterans Affairs emerged as the top victim of the month’s activity, followed by the Department of Justice. The pattern reflects a broader strategic focus on agencies that maintain high levels of external client interaction and thus hold valuable data sets. A breakdown of the first week of October shows a sharp spike in hits on veteran records and legal documents, indicating that adversaries are targeting both critical information repositories and operational processes within these agencies. Meanwhile, other departments that rely heavily on digital infrastructure for public-facing services also experienced elevated attack rates.

The shutdown itself created a dual‑pronged threat environment. On the one hand, furloughed workers—who are allowed to leave federal email systems but are still paid—receive frequent social‑engineering attempts promising quick cash or loan forgiveness.
On the other hand, essential employees, who must continue to log into secure systems, are pressured by lower staffing levels, heightened morale strain, and the knowledge that their pay may continue to be delayed. Because these workers are still physically present in federal offices, attackers can leverage an initial compromise to gain continued access to personal devices and networks, potentially using that foothold for future incursions after the shutdown concludes. Moreover, the Department of Homeland Security’s guidance that cybersecurity roles are generally “excepted” from shutdown restrictions means that many agencies have had reduced cybersecurity staff during the most vulnerable period.

Experts caution that the long‑term implications of the shutdown extend far beyond immediate breaches. Ilona Cohen, a former OMB general counsel who now leads legal and policy efforts at HackerOne, warned that the instability could deepen recruitment challenges and exacerbate the talent exodus from the federal cybersecurity workforce. When federal employees repeatedly face pay uncertainty, they may seek more stable, higher‑paying opportunities in the private sector, thereby widening the cybersecurity talent gap for U.S. agencies. This shift could result in slower adoption of critical security technologies, delayed modernization of legacy systems, and increased vulnerability windows. In addition, the expiration of key federal frameworks—such as the Cybersecurity Information Sharing Act of 2015 and the State and Local Cybersecurity Grant Program—would compound these difficulties, eroding public trust and diminishing national resilience.

The Media Trust figures suggest that the surge is both a result of and a catalyst for evolving attacker tactics. Nation‑state actors, cybercriminal groups, and hacktivists have been coordinating “deceptive ad campaigns and phishing lures” that are tailored to the specific financial anxieties stemming from the shutdown.
Such campaigns often promise “quick cash,” “loan forgiveness,” or “job opportunities” but direct users to credential‑harvesting sites or malware‑laden downloads. Attackers are also employing “social‑engineering hooks” that can linger in corporate networks, waiting to be exploited once employees return to work. The timing and persistence of these incidents underline the importance of continuous monitoring for behavioral anomalies among federal workforce accounts, even when physical office access is temporarily halted.

The Department of Veterans Affairs, with its 96.8 percent staffed workforce, remained largely on the front lines during the shutdown. Its high operational tempo—processing benefits, medical records, and veteran services—means that security incidents can rapidly propagate across multiple systems, impacting vulnerable populations. Meanwhile, essential staff in the Department of Justice and other agencies face increased workloads, which can lead to oversight errors, misconfiguration, and lax application of security protocols. These human‑factor vulnerabilities are amplified by the fact that many cybersecurity and infrastructure teams, including those in the Cybersecurity and Infrastructure Security Agency (CISA), were working remotely, thereby limiting in‑person oversight and real‑time incident response capabilities.

The overall picture painted by Nate Nelson points to a compounding set of risks: immediate cyber incidents, potential long‑term talent leakage, systemic infrastructure degradation, and erosion of trust in federal institutions. Immediate defensive responses must include continuous phishing training, stringent access controls, and robust anomaly detection across all agency networks—particularly targeting those individuals whose accounts were compromised during the shutdown.
These efforts are essential to ensuring that the federal workforce, even during periods of fiscal uncertainty, remains resilient against a highly motivated and increasingly sophisticated adversarial landscape. |