Outbreak of coronavirus cyberattacks

During the pandemic, the cyber threat landscape is still inhabited by the same malicious actors as before, but now they exploit the Covid-19 crisis to their benefit. The fear and anxiety that spread alongside the virus allowed the hackers to leverage coronavirus-related topics to craft their new ploys. So, as coronavirus is overwhelming people worldwide, state-supported hackers and cybercriminals continue to prowl the cyber realm.

Opportunities from Covid-19’s perfect storm

This crisis presented an opportunity for malicious actors to attack the computer networks and systems of individuals, public and private enterprises, and even global organisations, at a time when cyberdefence is lowered because the focus has shifted to the health crisis. It allowed coronavirus to be used as a lure for new cyber campaigns, and it moved more people than ever before into working from the cyber (in)security of their homes.

When people were thirstiest for information on Covid-19, the attackers disguised the malicious content in the emails they sent as a message from a trusted authority or well-known company (be that WHO, your Ministry of Health, or a private delivery company) with vital information about the pandemic and the response to it. Frequently, these emails contained language that created a sense of urgency, and crucially they contained a bait document or links with a promise of giving you more information.

 

These ingredients were all there to entice the targeted individuals - government officials, employees at public and private bodies, and others - into clicking, which then allowed the attackers to infect their devices and gain access to personal account credentials and/or the organisations’ networks.

At the same time, to reduce the spread of the virus, people were asked to stay home and socially distance, which meant that a greater number of people than ever before moved to working from home. This increased the vulnerability of the systems and amplified the threat posed by malicious actors. The reason for this is the speed with which the move occurred - businesses and organisations simply did not have adequate time to enhance their cybersecurity for the changed circumstances.

As a consequence, the cyber threat indicators (made up of conversations observed and uncovered in the dark web, hackers’ forums, and closed communities) linked to the coronavirus pandemic increased by 600% from February to early March, meaning that the malicious actors were hard at work, actively planning how to leverage the situation to attain their political and financial objectives. 

 

State-sponsored APT groups and Covid-19 

Concretely identifying the entities behind the attacks is always a difficult task. However, already in the beginning of March, state-sponsored hackers from China, North Korea and Russia were reported as the ones using Covid-19 themed emails in newly created social engineering campaigns.

For example, in February, the Hades group, believed to be tied to APT FancyBear (Russia), carried out an attack in Ukraine that combined a malware spread with a disinformation campaign to maximise its destructive impact. The hackers sent emails disguised as coming from the Centre for Public Health of the Ministry of Health of Ukraine with the latest news regarding Covid-19. In reality, those emails contained a hidden C# backdoor trojan and false information about an evacuation flight coming from China, which sparked violence and protests against the evacuees. This caused even more disruption and panic at an exceptionally chaotic time, which seems to have been part of the plan.

 

The United Kingdom’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) reported in a joint statement on April 8th that state-backed hackers have been using the virus to increase spying. The suspected states in these attacks are China, Russia, and Iran, who prioritise espionage and ‘hack-and-leak’ operations.

 

When cyberattacks are life-threatening

However, an especially worrying trend is the increase in the number of cyberattacks (especially ransomware) against the key organisations and infrastructure responding to the challenges of Covid-19. On the 4th of April, Interpol issued a “purple notice” alert to law enforcement in all 194 of its member states to support the fight against the cybercriminals engaged in these attacks.

There was a glimmer of hope in the middle of March, when Bleeping Computer reached out to some of the major cybercriminal gangs behind major ransomware families and reported that they pledged not to target medical care companies and other organisations at the frontline of battling the Covid-19 pandemic. Their good will was questioned from the very beginning, and for good reason: not even a day after the pledge, the Maze ransomware group attacked the computer systems of Hammersmith Medicines Research, which was on standby for testing coronavirus vaccines in live trials, and published personal details of thousands of former patients when the company refused to pay the ransom.

 

Cyberattacks were reported by hospitals all around the world, from Brno University Hospital in the Czech Republic, which was forced to shut down all of its computers, to medical clinics in the US state of Texas, which suffered a combined data breach and ransomware attack that exposed sensitive information. Even the WHO, an international agency, reported a fivefold increase in cyberattacks since the beginning of the pandemic. It is suspected that the majority of attacks on WHO can be linked to digital espionage campaigns; however, it is usually hard to judge who precisely was in the hackers’ sights.

 

Covid-19 as a cybersecurity risk: a case for good cyberhygiene

Overall, it can be said that the global pandemic of Covid-19 is not only a serious health issue, but also a cybersecurity risk, as malicious actors swiftly took advantage of the situation and used it to carry out their cyberattacks with the new lure. While it is frequently hard to judge what the endgame of the attacks is, seizing the moment for political advancement, intelligence gathering, financial gain and the seeding of chaos is not that surprising.

In the activities of APT groups, geopolitics tends to be a major driver, which means that state-sponsored cyber operations in these times are still likely to be directed at strengthening the influence and contributing to the goals of their sponsor states, as in the above-mentioned cyberattack by hackers affiliated with Russia, who combined the spread of false information with the cyberattacks.

Furthermore, as nation states have a vested interest in peeping at the steps that others are taking in the fight against the virus, and possibly even stealing proprietary information related to the development of vaccines, the hackers tailor their activities to provide these new types of intelligence, which is what was noted in the statement by NCSC and CISA.

 

Frequently, of course, the attacks are financially motivated, as cyber criminality is opportunistic. Deliberate attacks on the key health organisations and infrastructure are carried out with the intent of locking the personnel out of the vital systems and preventing them from accessing the files they need, practically holding them “digitally hostage” and making them more willing to compromise in order to regain access and resume work. This is a convenient way for cybercriminals to cash in on the crisis.

However, in times of a health crisis and a worldwide pandemic, such cyberattacks could lead to worse medical care, and ultimately more deaths, while cyber bombarding WHO, which is used as the primary source of information on the pandemic, risks extending the duration of the emergency.

So, as one of the key preventive measures against the spread of Covid-19 is washing hands, it is important also to take care of washing your cyberhands. The authenticity of any incoming message, email or phone call has to be double checked. Every click has to be deliberated, and software and networks need to be sufficiently secured - now even more than ever, because the number of such attacks is significant and is expected to increase further.

About author: Tetyana Demyanchuk
