Cyber Incident Victim: Click2Gov
Date: Sep 2018
Location: United States of America
Summary
A previously unknown hacker group breached multiple local government payment portals using a self-hosted solution, exploiting vulnerabilities in a Java application server to install malicious web shells and activate debug mode for logging transactions. The attackers deployed specialized malware to extract payment card details from both stored logs and real-time HTTP traffic, compromising numerous municipalities over an extended period. The provider issued patches following initial reports of suspicious activity, but subsequent investigations revealed additional affected entities. Security researchers assess the operation required diverse skills and sustained effort, indicating coordinated team involvement rather than individual action.
Description
Between late 2017 and mid-2018, an unidentified hacker group compromised Click2Gov, a widely used self-hosted payment solution for municipal services like utility bills and permits. Attackers exploited vulnerabilities in Oracle WebLogic Java EE application servers to install a web shell named SJavaWebManage, which activated debug mode within Click2Gov systems. This debug mode captured detailed transaction logs containing payment card information. The hackers deployed two custom malware strains—FIREALARM and SPOTLIGHT—to extract card data: FIREALARM parsed stored logs, while SPOTLIGHT intercepted HTTP traffic in real time. Superion, Click2Gov’s provider, first acknowledged suspicious activity in October 2017 but did not disclose specifics. By June 2018, cybersecurity firm Risk Based Security confirmed breaches at nine U.S. cities linked to Click2Gov, prompting Superion to release a patch on June 15, 2018.

FireEye’s investigation, published on September 19, 2018, revealed the attacks had persisted for nearly a year prior, indicating the threat actors operated undetected for an extended period. The firm attributed the campaign to a coordinated team rather than a lone individual, citing the operational complexity and sustained effort required. Following FireEye’s report, Risk Based Security identified nine additional affected municipalities, doubling the known impact to 18 local governments. Superion’s patch addressed the exploited vulnerabilities, but compromised municipalities independently notified residents about potential payment card theft. The incident mirrored a separate breach involving the GovPayNow portal disclosed days earlier, though no direct connection between the two campaigns was confirmed. Municipalities faced reputational and financial repercussions as they managed customer notifications and fraud monitoring.
