Cybercriminals — both political and criminal — are using the global health crisis as an opportunity to target vulnerable organizations and individuals. Telework and general panic are making this mission easier.
As the novel coronavirus continues to panic people and markets and send governments into emergency response mode, hackers and foreign adversaries are capitalizing on the chaos to extort money and political gain.
Attacks on government at the federal, state and local levels have come over the past two weeks —including a ransomware attack on a Illinois public health agency and what was likely a state-sponsored DDOS attack on the U.S. Health and Human Services department (HHS), the main federal agency responding to the outbreak.
This is likely just the beginning of an uptick in such cyberattacks, as hackers look to exploit both public anxiety and disoriented bureaucracies to gain access into systems and networks.
In recent weeks, reports have shown that many ransomware hackers are taking advantage of public fears surrounding COVID-19, largely by using phishing emails disguised as informational PSAs or updates from health organizations like the Centers for Disease Control and Prevention (CDC) or World Health Organization (WHO). Other strategies are even more devious: fake coronavirus tracking apps or informational websites that are really just malware-ridden traps set for unsuspecting users.
At the same time that lures are being tailored to the ongoing crisis, ransomware targeting of vulnerable companies and government agencies are likely to rise. As organizations roll out make-shift telecommuting arrangements to deal with social distancing, they put themselves in uniquely vulnerable positions. A number of governments, like state agencies in New Jersey and North Carolina, having recently reverted to work-from-home policies, and this trend — which is almost certain to grow and bring with it elevated risks.
As workers shift from professionally managed networks to home Wi-Fi setups, hackers will have expanded opportunities to ploy familiar tactics: the sudden flood of exclusively online interactions will enlarge the attack surface for social engineering efforts, and deployment of password stealing malware through malicious emails — potentially dressed up like health advisories — will be a means of infiltration.
Brett Callow, a threat analyst with Emsisoft, said that a typical seasonal spike in ransomware attacks might be larger than usual this year as a result of the global pandemic.
“The number of successful attacks [typically] spikes in spring and summer and, this year, those spikes are likely to be exacerbated because hastily introduced work-from-home programs, key personnel being quarantined, etc., may result in security weaknesses,” Callow said, speaking with Government Technology.
At the same time, it is likely there will be an increase in the number of attacks on both health-care providers and health informational resources, since both will become high value targets amid the crisis. This is daunting, given the fact that some 764 health-care providers were hit with ransomware last year alone.
“The problem is exacerbated by the fact that the ransomware spikes may well coincide with the COVID-19 peak, creating a perfect storm,” he said, referencing the predictions that the virus may peak during the mid-summer months, likely in July.
As cybercriminals use the outbreak to advance their bottom line, nation state actors are also capitalizing on the crisis, using the chaos to conduct espionage, make intrusions or attack enemies. As an example, the incident at the HHS is believed to have been a state-backed attack, potentially stemming from Iran and designed to slow the U.S. response to the outbreak.
James Yeager, public sector vice president at CrowdStrike, discussed with Government Technology how Chinese state-sponsored hacker groups, or advanced persistent threats (APTs), are taking advantage of many of the same social fears and anxieties surrounding the virus to advance their own interests.
“Nation state actors from China, who are primarily targeting government and political groups, have recently launched a remote access tool [RAT] that gains access to devices through a lure and decoy content campaign," said Yeager.
An internal CrowdStrike memo shared with GT showed that this group — known as APT 23, or "Pirate Panda" — has been using a text file that displays "decoy content" designed to look exactly like the COVID-19-related daily reports from WHO. Once a user clicks on the file, however, it deploys the group's RAT, giving hackers access to a user's system and allowing for internal reconnaissance, data exfiltration or other espionage.
"Considering the public’s concerns regarding the global outbreak of the novel coronavirus, the creation of the exploit document was likely attempting to capitalize on the fear and monitoring of the virus outbreak," the memo reads.
Yeager reiterated this: “The fear surrounding the rise of reported [COVID-19] cases is leading a lot of people to look to the WHO daily report, and so the Chinese have used this to their advantage to lure the consumer in and display this decoy content to distribute their remote access tool. This all conforms to the TTPs (tactics, techniques and practices) that we see and are known to see historically from this actor,” he said.
While evidence suggests the group is so far mostly using its RAT against political groups in Asia, similar techniques could easily be deployed using the same virus-based deceptions in the U.S.
Yeager said there are a number of ways that newly remote workers can cut down on risk, including compartmentalizing responsibilities to make sure that only people who absolutely need access to certain data and files are the ones who get it. At the same time, organizations should invest in online monitoring, while also having incident response plans in place that can aid in the event of an attack, he said.
Others organizations and officials have released their own recommendations for secure remote work, too. The National Institute of Standards and Technology (NIST) recently published a bulletin listing a number of suggestions for secure telework and remote access, while state governments like North Carolina have similarly issued their own policy guidelines for safe local government teleworking.
U.S. Rep. John Katko, ranking member of the House cybersecurity sub-committee, recently published a "Cyber Guide" and other advice for teleworking, advising that organizations take basic steps like updating anti-virus software, following organization protocol and being vigilant against phishing emails.
Much of these frameworks stress the same principles: the use of firewalls, VPNs, two factor authentification are all encouraged when possible; the development of over arching frameworks for telework; and educating staff about best practices in light of increased risks.
Looking for the latest gov tech news as it happens? Subscribe to GT newsletters.