In early April, British and American cyber officials took the rare step of issuing a joint security advisory. Such interventions are reserved for the most significant cyber incidents, from Russian hacking to major criminal campaigns. But this particular advisory was unlike those that preceded it. Rather than highlighting a specific software vulnerability or nation-state campaign, it covered a broad range of attacks that shared just one trait: coronavirus.
Attackers, security officials revealed, were seeking to exploit people’s fears of the pandemic for a variety of malicious purposes, including data theft, fraud and espionage. Although analysts working at the National Cyber Security Centre (NCSC), a division of GCHQ, noted that the total number of security attacks had not risen, they witnessed a sharp rise in the number of attacks using the outbreak as bait. In one week alone in March, 6,000 coronavirus-related domains were registered, with security experts warning that many of them were malicious.
It is perhaps no surprise that cyber criminals, characterised by cynical opportunism, would attempt to exploit a global health crisis. But it is not just fraudsters who are deploying such tactics. The NCSC’s advisory noted that “advanced persistent threat” actors (APTs) were also exploiting the pandemic to launch campaigns. APTs are better known outside of security circles as state-sponsored hackers.
“[APT and cyber criminal] activity includes using coronavirus-themed phishing messages or malicious applications, often masquerading as trusted entities that may have been previously compromised,” the NCSC stated. “Their goals and targets are consistent with long-standing priorities such as espionage and information operations.”
Speaking to Spotlight, Paul Chichester, the director of operations at NCSC, said: “We’ve seen that cyber criminals are changing tactics to take advantage of the pandemic and coronavirus is ideal bait to phish for sensitive information and infect devices with malware. This is a fast-moving situation and our priority, alongside international partners, is to ensure that the public and organisations can take action to protect themselves.”
In mid-April, an email with the subject line, “Covid-19: Emergency advice from the NHS”, was sent to 21,000 people in the UK. After opening the email, recipients were advised to click a link to see a list of up-to-date coronavirus cases in their area. The link opened a fake Microsoft Outlook page that invited people to resubmit their email address and password, which could subsequently be sold on through dark web forums.
“This particular campaign illustrates the tailoring of threat actors’ messaging to reflect what is happening in the media,” Carl Wearn, head of e-crime at Mimecast, which uncovered the campaign, told NS Tech at the time. “With the NHS currently working on a contact tracing app, this scam looks to take advantage of this by offering people the opportunity to see the number of coronavirus cases in their local area. This is obviously very tempting to people wanting to keep themselves as safe as possible.”
While hackers have targeted a range of businesses since the start of the outbreak, arguably the most exposed organisations are those operating in the healthcare sector, and there have already been some high-profile targets.
On Sunday 15 March, as the size of the coronavirus crisis was becoming apparent in the United States, the US Health and Human Services Department (HHS) was hit by a distributed denial of service (DDoS) attack. The attack, which leveraged servers around the world, hit the department’s systems millions of times in an apparent effort to thwart the agency’s response to the outbreak. Speaking to Bloomberg anonymously at the time, an official said that a nation-state actor may have been responsible.
Since the coronavirus crisis began to unfold, security experts have warned that such provocations could be considered acts of war during a global pandemic. But the HHS is not the only organisation to have been hit. According to Reuters, hackers believed to be working for Iranian interests targeted the personal email accounts of officials working for the World Health Organisation in order to get information about the global spread of the virus.
Hostile nation states are not the only threat actors targeting healthcare organisations. Despite several high-profile ransomware groups having promised to avoid the sector, Interpol warned last month that hospitals around the world were facing a surge in ransomware attacks, with hackers calculating that organisations which might normally refuse to pay out would be more willing to do so.
Brno University Hospital, one of the Czech Republic’s major Covid-19 testing centres, was held to ransom over the course of a weekend in mid-March, prompting staff to relocate some patients as IT staff scrambled to get systems back online. While the NHS is considered to be relatively well prepared for ransomware strikes, having bolstered its defences in light of the 2017 WannaCry attack, other healthcare organisations around the world are less well prepared.
Nevertheless, while healthcare organisations are particularly exposed, the NCSC’s latest guidance suggests they are by no means alone in weathering a storm of Covid-19-themed attacks. “As the Covid-19 outbreak continues to evolve, bad actors are using these difficult times to exploit and take advantage of the public and business,” said Bryan Ware, assistant director for cyber security at the US Cybersecurity and Infrastructure Agency, in the joint alert it issued with the NCSC in April.
“We urge everyone to remain vigilant to these threats, be on the lookout for suspicious emails and look to trusted sources for information and updates regarding Covid-19,” he continued. “We are all in this together and collectively we can help defend against these threats.”