Concerned about VPN vulnerabilities? Learn how you can benefit from our VPN migration offer including 60 days free service.

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Encrypted Attacks: Impact on Public Sector


Following FBI and CISA warnings to public sector defenders in November regarding increased targeting by infamous ransomware groups, the imperative to understand and defend against evolving — and increasingly covert — cyber threats has intensified. According to Zscaler ThreatLabz analysis of the 2023 threat landscape, 86% of threats hide within encrypted traffic. What does this mean for the public sector? 

HTTPS has long been a cornerstone for protecting data, with nearly 95% of web traffic utilizing it today. For public sector entities like federal agencies and contractors, encryption is essential to meeting modern security and compliance requirements

 However, despite its association with security and privacy protocols, the surge in encrypted attacks suggests that encryption is becoming more synonymous with “obscurity” than “security.” 

 This blog post delves into the encrypted threats landscape, sheds light on how encrypted attacks can impact public sector organizations, and reveals four ways to stop encrypted threats with Zscaler.

The encryption paradox escalates

Encryption may be essential for data protection, but it simultaneously acts as a veil for malicious activities, from malware distribution to phishing scams, as proven in the recently released ThreatLabz State of Encrypted Attacks Report.

ThreatLabz analysis of 29.8 billion threats revealed the striking percentage of threats embedded in encrypted traffic (86%) amounts to a 24.3% year-over-year growth in encrypted threats. This trend underscores the sophisticated and multifaceted nature of threats and tactics leveraging encrypted channels to evade detection.

Understanding encrypted attacks

Encrypted attacks exploit the very protocols designed to secure data transmission, making it challenging for traditional security measures to detect and thwart their activity. Our ThreatLabz report analyzes the top 10 encrypted threat categories, including emerging threats and unique attack vectors. Here's a look at the three most predominant encrypted threats and their operational dynamics:

Malware distribution: Encrypted malware is the top threat, constituting 78.1% of observed attacks, and includes malicious payloads, infected web content, and viruses. The malware threat poses a significant risk to the integrity of public sector networks — including loss of control over critical systems and potential cascading effects on other critical operations.

Ad spyware sites: 18.1% of encrypted attacks occurred through ad spyware sites. These websites covertly distribute adware and spyware, inundating users with intrusive pop-up ads. These attacks not only compromise user experience but also discreetly harvest personal data, raising privacy and security concerns.

Phishing scams: Encrypted phishing increased by 13.7% year-over-year. Utilizing encrypted channels, cybercriminals host phishing sites that mimic legitimate websites, as demonstrated in the report. The most popular phishing attacks observed by ThreatLabz were linked to applications owned by Microsoft, Adobe, Google, Facebook, Amazon, Netflix, and others.

These threats provide just a glimpse into the intricate landscape of encrypted attacks. Delving deeper involves understanding the current impact of encrypted attacks on critical public sector industries.

Key considerations for public sector

As the public sector has increasingly adopted encryption, it is not surprising that our research found public sector industries among those most impacted by encrypted attacks.

Here are a few more key findings and considerations relevant to the public sector. For the complete findings and analysis, download this version of the report. 

  • The government sector experienced a sharp rise in encrypted attacks, with a 185% year-over-year increase. Government entities — especially those involved in election processes this year — are an attractive target for cybercriminals, including sophisticated nation-state-backed groups, due to their pivotal role in shaping and safeguarding national interests. The ThreatLabz team anticipates that advanced persistent threats (APTs), which have a history of election interference, will increasingly exploit encryption vulnerabilities to infiltrate target networks and conceal their activities.
  • Education topped the government sector, however, with a 276% year-over-year surge in encrypted attacks. As the education sector continues to embrace digital transformation, adopting innovative systems and tools that handle vast amounts of sensitive student data expands its attack surface — amounting to greater vulnerability and desirability as a top target for encrypted attacks.
  • The manufacturing industry, crucial to the supply chain of public sector organizations, experienced a 25.4% increase in encrypted attacks. The sector's embrace of Industry 4.0 has not only improved efficiency but has also expanded its attack surface. This expansion creates new entry points that cybercriminals increasingly exploit. Given its pivotal role in national security, attacks on the manufacturing sector pose significant risks to the public sector.

While government and educational entities face distinctive risks when it comes to encrypted attacks, it is imperative for all public sector organizations, contractors, and suppliers to acknowledge and address these potential threats. The impact of encrypted threats goes beyond mere data breaches — it extends to the resilience of critical infrastructure and essential services and the integrity of national security. Public sector organizations must take strategic measures to secure encrypted traffic and fortify defenses against evolving encrypted threats.

Encrypted threats across the attack chain

It’s important to note that threat actors leverage encrypted channels across all stages of the attack chain — not just during compromise. As mentioned, cybercriminals frequently abuse legitimate, trusted websites to execute their attack, which means that public entities need a defense-in-depth strategy to counter them at all stages. 

As one example, in recent DuckTail operations exposed by Zscaler, these APTs hide their efforts with TLS encryption throughout all stages of attack. First, they target business Facebook, Google Ad, and TikTok accounts, luring users to fake ChatGPT and Google Bard AI pages to install malware payloads, which are hosted on trusted SaaS sites like DropBox and iCloud, and abuse their legitimate TLS certificates. Once those malware payloads are installed on users’ devices, they communicate with a GitLab URL for ongoing command-and-control (C2) activity — yet another trusted encrypted channel.


 Zscaler has worked closely with these organizations to take down DuckTail activity. However, this variety of encrypted attack remains prevalent. Without the ability to inspect encrypted SSL/TLS traffic throughout all stages of an attack, public sector entities may remain vulnerable.

4 steps to stop encrypted attacks

Adopting a zero trust architecture is foundational to effectively stopping encrypted attacks at each stage of the attack sequence. The following four steps comprise a comprehensive strategy for public sector organizations to secure encrypted traffic and improve resilience:

  1. Inspect all encrypted traffic with a zero trust, cloud-proxy architecture: Employing a zero trust architecture is crucial for scanning all encrypted traffic at scale. SSL/TLS inspection should be applied for every packet on a per-user basis, ensuring infinite scalability.
  2. Minimize the attack surface: Hide internet-facing assets using a cloud proxy and restrict application access to only authorized users. This significantly reduces the attack surface and the risk of being discovered by attackers, mitigating potential encrypted attacks.
  3. Prevent initial compromise with inline threat prevention: Deploy inline defenses in the data path to detect and prevent encrypted threats efficiently. Core technologies should incorporate artificial intelligence and machine learning and include an AI/ML-driven cloud sandbox, cloud IPS, URL filtering, DNS filtering, and browser isolation.
  4. Stop data loss: Securing data in motion requires implementing inline data loss prevention (DLP) for inspecting SSL/TLS content. Incorporating AI-driven data discovery and classification is vital to prevent unauthorized data exfiltration and uphold the integrity of sensitive information.

Read more about each of these steps in our report.


As the public sector confronts the evolving threat of encrypted attacks, it’s important to stay vigilant and adaptive. Understanding the nuances of encrypted attacks, inspecting all encrypted traffic, and implementing a comprehensive zero trust platform are indispensable steps for public sector organizations to effectively navigate the encryption paradox and defend against these attacks. 

Learn more about the encrypted threat landscape and how to improve your organization’s resilience to these attacks. Download the ThreatLabz 2023 State of Encrypted Attacks Report for additional guidance and the full findings and analysis.

form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.