
Bad Actors Have Adapted Well to the Pandemic Crisis

Hackers have sought to exploit the novel coronavirus to spread chaos, make money and build political advantage. The trends show a variety of ways bad actors are using this particular global moment to their advantage.

Even as government agencies around the world stretch themselves thin to battle the novel coronavirus, they have also had to defend themselves against an apparent surge in interest from hackers.

With a large uptick in government telework, the fear and anxiety surrounding cyberattacks have risen, and reports from state and federal authorities consistently indicate hackers are trying to take advantage of the current chaos for their own gain.

At the same time, in certain areas where experts had predicted catastrophic effects, recent reports have shown that those concerns may have been overblown. Here's a rundown of the current trends and the ways hackers are targeting governments as the COVID-19 crisis continues to unfold.


Health organizations have seen a lot of activity at the national and international level. Reports show that hackers are consistently targeting large health organizations, often in an apparent bid to disrupt their response to the virus outbreak. 
A recent attack leaked thousands of passwords from email accounts attached to some of the world's largest health organizations, including the World Health Organization (WHO), the Centers for Disease Control and Prevention (CDC), and the National Institutes of Health (NIH). Researchers say the culprit behind the breach is a mysterious hacker with conspiracy theories about the origins of COVID-19. 

Of the 6,835 email addresses that were leaked, 2,712 were from WHO, of which 457 are valid and active addresses, a WHO representative told Government Technology. A check on the active accounts found that none of them had been compromised, though their passwords have been changed anyway to ensure security, he said. 
The organization further commented that hackers have targeted WHO workers using a variety of techniques that exploit "the current Covid-19 situation via multiple impersonation approaches (vishing [voice phishing], email phishing, WhatsApp phishing, social media)."


As joblessness has climbed at an alarming rate, unemployment benefit websites have apparently become major targets for hackers.

"Attackers, whether cybercriminals or nation-state adversaries, are always looking for stress points and cybervulnerabilities," said Marcus Fowler, director of strategic threat at Darktrace, whose company recently published research on this trend. "The current global disruption and implosion of what was once normal is exposing, and at times even creating, new stress points and attack opportunities."

Fowler, a former CIA agent with a background in cybersecurity and data analysis, said that benefit websites have become one such stress point. Their increased political importance paired with a lack of cyber-readiness makes them appealing targets. 

"Every government is suddenly having to manage massive unemployment spikes and an unprecedented number of benefits sign-ups as COVID-19 disrupts economies around the world. U.S. unemployment application numbers have reached over 26 million. Just this week, Reuters has reported that millions of Americans have been completely locked out of U.S. unemployment sites," said Fowler. 

"Previously, these sites were not as critical to countries’ ability to move forward as they are today. This likely means they also were not resourced adequately from a cybersecurity standpoint. Much like the saying 'you don’t start digging the well when you are thirsty,' you want to avoid trying to scale up security only after your site has become a target," he said. 


Some experts are warning that schools may become one of the biggest public-sector targets for hackers during the outbreak. Earlier this month, the FBI warned that remote education platforms were targets for hackers, and numerous schools have reported incidents in recent weeks, as the flood of "zoombombing" reports shows.

Schools have traditionally been a target because of poor cybersecurity staffing and training. Some 350 K-12 breaches were reported during FY19 alone, a number that could grow given the circumstances, said James Yeager, CrowdStrike's public sector expert. Schools may be particularly susceptible to social engineering attacks, which have risen in prominence since COVID-19, he said.

"Ed tech is at risk of falling victim to these schemes, as students and/or parents may click on a link thinking it’s a virtual classroom or some other method of electronic curriculum when instead it’s a cybercriminal attempting to gain login credentials," said Yeager.  

Many schools will likely have to rely on families' personal devices, which are more insecure and aren't under the same rigorous compliance standards in terms of security patching, he said. 
"While school systems may not have the IT infrastructure, tools and manpower that large enterprises do, they can still do their part to ensure teachers and students can safely keep class in session as we get through this crisis," said Yeager. 


Not all the cybernews is bad, however. As odd as it might seem, successful ransomware attacks on municipal entities have actually "taken a nosedive" since the coronavirus outbreak, said Brett Callow, threat analyst with Emsisoft. 

A precipitous drop in successful attacks on health care, education and other government entities marked the first quarter of 2020, Emsisoft research shows. Of those, schools are being hit the hardest, but overall numbers for entities are down across the board since this time last year. 

"Despite COVID-19 and WFH [work-from-home], or, more accurately, because of them, the number of successful ransomware attacks on the U.S. public sector, including health care, has declined significantly. In fact, the number of incidents has reduced to a level that we have not seen for several years," Callow said, explaining that with entities reducing their organizational footprint they may be effectively reducing the attack surface.  

However, this doesn't mean that you can't still get hit, as is evident from recent events involving the city of Torrance, Calif., which was struck by DoppelPaymer ransomware in January and is now having its stolen data leaked online.

Also, the Emsisoft report notes, this relief is "only temporary," and successful attack levels are likely to revert to normal levels once society returns to normal. Callow warned against an "uptick" in successful attacks in the coming weeks. 


Several other indicators show a potential decline in successful activity since the shelter-in-place orders have taken effect, said Guy Propper, head of threat intelligence for Deep Instinct. 
Propper said that while media coverage of cyberattacks has risen since the virus outbreak, the attacks being carried out are not fundamentally different than before the crisis. Furthermore, several indicators of successful attacks have seen declines, according to his company's research. These include "droppers," which are programs that inject malware. 
"Office droppers are regarded to be highly indicative of infection rates as they are the main initial infection vector, particularly in phishing email attempts," said Propper. "When compared to January, March saw a 66 percent decrease, and when compared to February the decline was 50 percent. At present, the numbers for April are dramatically reduced again, pacing at only 19 percent of January infection figures and 27 percent of those for February." 
The other indicator that declined was malicious portable executables (PE), which are a particular file format and are also used to spread malware in computer systems.
"The number of malicious PE in March decreased by 38 percent compared to January and so far, April is pacing at only 76 percent compared to the same number of days into the month as January," Propper said.
Why these attacks have declined isn't totally clear. Some of it may have to do with the shifting landscape of the attack surface, while it could also potentially be attributed to hacker altruism. Some hackers may legitimately be restraining themselves during this crisis as an odd gesture of good will, the researcher offered. 
"It would be a mistake to generalize that all hackers behave the same, because there are many different groups and individuals acting (or not acting) for different reasons and who tend to have different targets," said Propper. "Many will adapt to generate profit no matter the circumstance, while others operate with a moral compass."

Lucas Ropek is a former staff writer for Government Technology.