Capitalising on COVID-19 Pandemic

OVERVIEW

Cyber threat actors with varying motivations are capitalising on the panic and fear caused by the COVID-19 pandemic to conduct malicious cyber activities around the globe. Since January 2020, threat actors have intensified their malicious cyber activities capitalising on the coronavirus theme to steal personal information and credentials which allow them to gain access to networks, as well as to make financial gains.

With the global outbreak of COVID-19, intense public concern, as well as the increased reliance on the Internet as the primary means for work for telecommuters, a surge in cyber threats exploiting COVID-19 as an attack vector globally can be expected.

hoto credit: Crowdstrike 

Threat actors are conducting their campaigns using two key tactics to target victims:

a. Leveraging COVID-19-themed content as lures

Threat actors have primarily used COVID-19 and related themes as phishing lures to steal information and credentials. Some malware strains deployed include known credential-stealing malware such as AZORult, Cerberus, Lokibot and TrickBot. COV19-related lures have also proliferated across multiple sectors in many countries, targeting industries such as healthcare, manufacturing, pharmaceutical and transportation. A significant uptick¹ in the usage of coronavirus-themed lures beginning in February 2020, with a continuous rise towards end March has been observed. This trend is likely to continue and may even surge.

Cyber-criminals are adapting their methods as COVID-19 concerns increasingly affect aspects of everyday life. Notably, malicious actors are reportedly hijacking home routers² to redirect victims to fake COVID-19 themed websites that push information-stealing malware such as Oksi. Some are even selling customised COVID-19-themed “malware exploit” and “phishing” kits, which are sold at relatively low-cost, in the Dark Web and underground forums³.

As for delivery methods, opportunistic threat actors have leveraged emails, instant messaging platforms and short message service (SMS) messages, as well as websites to support their malicious activities. In particular, there have been multiple reports of thousands of coronavirus-related websites set up on a daily basis⁴. These sites are used to host malware attacks and/or for financial fraud. In a rare move, authorities in the United Kingdom and United States are working with domain name registrars to step up measures to flag and crack down on malicious coronavirus scam websites.

  b. Masquerading as authorities and/or official sources

As COVID-19 concerns spike, there are increasing cases of threat actors impersonating officials and government agencies, especially organisations at the frontline of the COVID-19 response. This tactic mainly leverages COVID-19-related information, charts, advisories and directives purportedly from official sources. In late March 2020, a COVID-19-related phishing email supposedly from Prime Minister Lee Hsien Loong was found circulating online. The World Health Organisation (WHO)⁵ was also reportedly targeted by the DarkHotel APT group which set up a fake website spoofing the WHO’s internal email domain to steal credentials.

Advanced Persistent Threat (APT) groups have also allegedly joined cyber-criminal syndicates in exploiting the COVID-19 theme in their phishing lures by masquerading as official documents from foreign governments⁶. These malicious activities have been reported to target specific countries to gain access to their infrastructure.

Incidents targeting COVID-19 response organisations

Malicious cyber activities by cyber criminals and APT groups will continue to rise so long as COVID-19 remains a global healthcare crisis. The consequences can be damaging as increasingly sophisticated attempts could potentially disrupt the operations of critical infrastructure and sectors at the heart of the COVID-19 response, such as hospitals, medical facilities, and government bodies coordinating COVID-19 responses.

These frontline sectors are also most likely already stretched managing the COVID-19 crisis and may be less prepared to counter risks on the digital front.  Recently, the Brno University Hospital in Czech Republic suffered a cyber disruption which closed down wards and stalled dozens of coronavirus tests⁷. In the local context, there is a need to step up cyber vigilance, especially in the healthcare sector, as it remains an attractive target to cyber criminals and APT actors.

As scientists in our research and development institutes race to fast-track vaccines and rapid test kits for COVID-19, these organisations are also prone to cyber espionage attempts to steal their trade secrets or hold their research findings hostage. In the United Kingdom, a medical testing facility for potential coronavirus vaccines was hit by the Maze Ransomware group⁸.

CONCLUSION

COVID-19 provides an environment conducive to the conduct of malicious cyber activities by:

1. Generating uncertainty and intense public interest. Threat actors have used COVID-19 as a hook to lure potential victims by exploiting the public’s insecurities and fears during a pandemic. Anxious and eager for information or advice about COVID-19, members of the public are more likely to take the bait and blindly follow instructions of seemingly credible emails or text messages, be it clicking on unsafe attachments and links or providing personal information as a precondition to obtaining said info and advice.

2. Amplifying the effectiveness and impact of cyber incidents. The threat actors also understand that crises and emergencies, such as COVID-19, can significantly amplify the impact of a cyber incident on critical infrastructure and sectors. The consequences of putting a fire brigade out of action are not nearly as serious when there is no fire as when there is. During a public health crisis such as COVID-19, the healthcare sector as a target becomes more attractive than usual, accounting for malicious cyber activities such as those inflicted on the U.S. Health and Human Services Department and the Czech hospital.

3. Catalysing new or broader attack surfaces. COVID-19 has compelled companies, organisations and governments to mount ad hoc systems and arrangements aimed at containing its spread while maintaining business continuity. They often rely on digital infrastructure to operate and are not always adequately secured, thereby creating new attack surfaces or broadening existing ones for threat actors to exploit. The proxy voting machines catered for those in self-isolation to facilitate municipal elections in Marseille are a case in point⁹.

As COVID-19-related threats escalate on the cyber front, everyone needs to play their part to take practical steps to stay safe online. Organisations should evaluate their cybersecurity postures and take the necessary precautions to counter the threat. 

REFERENCES

• [1] Capitalizing on Coronavirus Panic, Threat Actors Target Victims Worldwide

• [2] Hackers Hijack Routers to Spread Malware Via Coronavirus Apps

• [3] Threat actors play on people’s desire to help cure Coronavirus

• [4] New York asks domain registrars to crack down on sites used for coronavirus scams

• [5] WHO Targeted in Espionage Attempt, COVID-19 Cyberattacks Spike

• [6] 6 ways attackers are exploiting the COVID-19 crisis

• [7] Hackers are targeting hospitals crippled by coronavirus

• [8] COVID-19 Vaccine Test Center Hit By Cyber Attack, Stolen Data Posted Online

• [9] Massive cyber attack hit the town hall of Marseille ahead of local election