The COVID-19 Cyber Dystopia

How cybercriminals profit from a pandemic

This essay investigates how state-sponsored hacker groups and threat actors are using the global disruptions caused by COVID-19 to further their cyber threat activities. This research is targeted towards those who would like to understand the technical cybersecurity threats that have emerged from the spread of COVID-19.

While countries are in lockdown and a global economic recession is looming, healthcare workers are fighting the COVID-19 virus. Yet another war is raging in the cyber sphere. The current pandemic is not only a test of states’ and businesses’ readiness to respond to the crisis on all fronts, but also a challenge to identify and manage the exponential increase in cyber-attacks worldwide. To reduce the spread of the virus we are asked to stay home and abide by social distancing recommendations. Such limitations on public life, along with the decreased flow of goods and people’s mobility, have pushed many employers to allow remote connections to their organizations’ networks. As a consequence, the number of threat indicators linked to the coronavirus pandemic has increased by 600% since February,[1] illustrating that hackers are working tirelessly to leverage this climate of uncertainty and fear to wreak havoc and pursue their political and financial goals. To illustrate the damage that cybercriminals inflict on the economy, Cybersecurity Ventures predicted that cybercrime will cost the world $6 trillion annually by 2021,[2] and Europol’s research confirms that cybercrime and fraud have become even more profitable owing to the exploitation of the current situation.[3] If these estimates are correct, the pandemic would help cybercrime become more profitable than the global trade of all major illegal drugs combined.[4]

To provide a breakdown, threat actors are relying primarily on social engineering attacks, in particular phishing emails sent through spam campaigns and targeted attacks such as business email compromise (BEC). Malware families such as Trickbot, RemcosRAT, FormBook, Agent Tesla, and Lokibot[5] are delivered to victims’ devices via malicious links and attachments that purport to contain, for instance, information about COVID-19. Cybercriminals show no ethical boundaries and will continue to attack wherever there could be a vulnerability. As an example, hackers successfully lured users into opening attachments that appeared to come from trusted organizations such as the U.S. Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO), as well as country-specific health agencies such as China’s Ministry of Health.[6] The attack on the WHO is thought to have been carried out by the APT DarkHotel,[7] which has been involved in cybercrime and espionage for over a decade. Additionally, on 2 April 2020 Reuters disclosed an investigation reporting that hackers tied to the Iranian government attempted to steal the personal email account credentials of WHO staff.[8] In times of a global pandemic, targeting institutions such as the WHO and ministries of health, which play a vital role in relaying relevant information on limiting the spread of the coronavirus, could potentially not only put lives at risk but also extend the duration of the crisis.

Cybercriminals are successfully capitalising on the anxieties and fears of citizens worldwide during this crisis period characterized by high uncertainty and chaos. For example, at least two European Member States have reported several scams in which alcohol gels or medical equipment were purchased online for hundreds of thousands of euros and never delivered.[9] It is safe to assume that similar schemes will happen over the next weeks and months, since the pandemic will hit more and more countries and businesses. Large-scale cyber-attacks could also target critical infrastructure and have serious repercussions for societies, rendering States even more vulnerable. In fact, this scenario has already unfolded on 12 March 2020 in the Czech Republic, where cybercriminals carried out cyber-attacks on the Brno University Hospital, forcing the facility to shut down its IT network and postpone critical interventions on patients amid the COVID-19 outbreak.[10] These kinds of attacks are particularly threatening because of the risk of loss of life, and therefore raise serious concerns during the public health crisis we are facing.

Tying hacking campaigns to specific entities or countries is often fraught with uncertainty. However, over the past two months, state-sponsored hacker groups from China, North Korea, and Russia have been especially active in using coronavirus-themed phishing baits as part of their efforts to induce victims to download malware onto their devices and thereby gain access to their infrastructure. To aggravate matters, hackers can cause considerable damage by spreading fake news to create panic and confusion. This happened, for example, in Ukraine, where the security research team @reddrip7 suspects that the Hades APT concealed a backdoor trojan in emails purporting to come from the Center of Public Health of the Ministry of Health of Ukraine.[11] Hades is believed to be tied to the Russian hacker group APT28 (Fancy Bear), and the emails contained false information regarding an increase in infected patients on the same day a plane carrying evacuees from China arrived. As one of those emails went viral, it sparked panic and violent riots in the country.[12] This example shows how malicious actors can easily create chaos with a few malware-laced emails, because the pandemic environment allows them to maximize their results by exploiting fear and uncertainty. It further underscores, as never before, that highly sophisticated attacks by cybercriminals and state-sponsored hackers can sabotage and destroy interdependent systems from a distance with devastating consequences.

It is also suspected that North Korean hackers have recently weaponised spear-phishing lures, and the cyber security firm IssueMakersLab observed a malicious document dropping the North Korean BabyShark malware claiming to contain information on South Korea’s response to the virus.[13] This malware strain has been previously utilized by a North Korean hacker group known as Kimsuky. If States continue to be unchecked in their freedom to exploit the pandemic to pursue their financial and political gains, then victims of such attacks could be on a trajectory for even more virulent and destructive attacks than in normal times.

In a recent report, FireEye Inc. investigated how the hacking group APT41 took advantage of recently disclosed flaws in software developed by Cisco, Citrix and others to try to break into scores of companies’ networks in the United States, Canada, Britain, Mexico, Saudi Arabia, Singapore and more than a dozen other countries. The group has built a reputation in cybercrime and state-sponsored espionage since at least 2012, and the FireEye report said that APT41 conducted “one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years.”[14] Hacker groups have also used legitimate statements by political leaders containing advice and statistics on the spread of COVID-19. For example, the group MUSTANG PANDA, which is believed to be Chinese, tricked its victims into clicking on attachments containing statements from the Vietnamese Prime Minister Nguyen Xuan Phuc sharing prevention measures against COVID-19. In reality, opening the attachment executed a malicious script on the infected device.[15]

Authoritarian States could also weaponize COVID-19 by deliberately spying on their citizens. For example, in March 2020 Google removed an Android app developed by the Iranian government from its Play Store because, instead of merely tracking the spread of the disease and informing citizens, the application, called ac19.apk, was claimed by several users to be spyware in reality, as it collected phone numbers and stored real-time geolocation data.[16]

Businesses and individuals will need to reinforce their security measures and are advised to double-check the authenticity of any incoming messages, emails or phone calls. Further, they are advised to be particularly prudent when someone is trying to extract any data in an emergency, pretending there is no time to convincingly explain the context. Several resources are available to citizens and companies; for example, Europol published guidelines on best practices for working from home, which are available in several languages.[17] Similarly, ENISA shared an additional set of useful teleworking tips.[18] Criminal justice institutions will also need to enhance their capability to detect, investigate, attribute and prosecute threat actors. INTERPOL issued the COVID-19 Guidelines for Law Enforcement[19] for criminal justice practitioners. However, given that we find ourselves in uncharted territory, extraordinary measures will need to be adopted to allow better cooperation between the competent agencies to limit the harm caused by the virus and by the malicious actors exploiting it. To address those challenges, cyber security experts from more than 40 countries formed the COVID-19 CTI League. One of the initiators of the effort, Marc Rogers, said that the immediate priority is to prevent hacks against medical facilities.[20]
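The advice above to double-check the authenticity of incoming emails can be turned into a mechanical first-pass check. The following is an added example (not code from the essay or from any of the organisations it cites) that triages raw email headers for the impersonation pattern described earlier: a display name claiming to be the WHO or CDC while the actual sender domain is unrelated, a Reply-To that routes answers elsewhere, and SPF/DKIM/DMARC results that did not all pass. The sample messages, the allow-list of legitimate domains (`who.int`, `cdc.gov`) and the flagging policy are all assumptions constructed for the illustration.

```python
"""Header triage for impersonation lures (added example, not from the essay).

Assumed policy: flag a message when
  (a) the From display name claims a trusted organisation but the From
      domain is not one of that organisation's known domains,
  (b) the Reply-To domain differs from the From domain, or
  (c) the Authentication-Results header is missing or any of
      spf/dkim/dmarc is not "pass".
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list: brand pattern in the display name -> legitimate domains.
TRUSTED_BRANDS = [
    (re.compile(r"\b(world health organi[sz]ation|who)\b", re.I), {"who.int"}),
    (re.compile(r"\b(centers? for disease control|cdc)\b", re.I), {"cdc.gov"}),
]

# Matches fragments such as "spf=pass", "dkim=none", "dmarc=fail".
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def domain_of(address: str) -> str:
    """Return the lowercase domain of an RFC 5322 address, or '' if absent."""
    _, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(header: str) -> dict:
    """Parse spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    return {k.lower(): v.lower() for k, v in AUTH_RESULT_RE.findall(header or "")}


def triage(raw_message: str) -> list:
    """Return the reasons a message looks like an impersonation lure ([] = clean)."""
    msg = message_from_string(raw_message)
    reasons = []
    display, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From", ""))

    # (a) trusted brand in the display name, untrusted sender domain
    for pattern, domains in TRUSTED_BRANDS:
        if pattern.search(display) and from_domain not in domains:
            reasons.append(f"display name '{display}' but From domain is "
                           f"{from_domain or 'missing'}")
            break

    # (b) replies silently routed to a different domain
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # (c) sender authentication missing or not clean
    results = auth_results(msg.get("Authentication-Results", ""))
    failed = [f"{k}={v}" for k, v in results.items() if v != "pass"]
    if not results or failed:
        reasons.append("authentication not clean: " + (", ".join(failed) or "no results"))
    return reasons


# Constructed sample messages (not real mail); blank line separates headers from body.
LURE = """From: "World Health Organization" <alerts@who-covid19-update.example>
Reply-To: <support@mail-desk.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=who-covid19-update.example; dkim=none; dmarc=none
Subject: COVID-19 safety measures (attachment)

Please open the attached document.
"""

LEGIT = """From: "WHO Alerts" <alerts@who.int>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=who.int; dkim=pass header.d=who.int; dmarc=pass header.from=who.int
Subject: Situation report

Situation report attached.
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("legit", LEGIT)):
        print(label, triage(raw) or "no findings")
```

The checks deliberately look only at headers the receiving mail server already records, so the same logic can run as a mail-filter rule or over an exported mailbox; a non-empty result is a prompt for the human verification the essay recommends, not a verdict on its own.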

In our hyper-connected digital world, cybercrime is a highly profitable venture and attacks are likely to become more frequent and more sophisticated in the following weeks as the pandemic continues to cast a shadow over the global economy. Lastly, it cannot be over-emphasized that early detection of cyber threats coupled with timely threat intelligence could increase businesses’ resilience and equip them with the right tools to come out as winners in the aftermath of the COVID-19 crisis in cyberspace.

References

[1] Cyfirma. (2020, March 19). Coronavirus in cyberspace. Retrieved from https://www.cyfirma.com/news/coronavirus-in-cyberspace/

[2] Cybercrimemag. (2018, December 9). Cybercrime Damages $6 Trillion by 2021. Retrieved from https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/

[3] Pandemic profiteering: how criminals exploit the COVID-19 crisis. (2020, March 27). Retrieved from https://www.europol.europa.eu/publications-documents/pandemic-profiteering-how-criminals-exploit-covid-19-crisis

[4] Periman, K., Da-Costa, F., & Financial Services. (2019, March 22). How to Prevent the Bank Robbery No One Can See. Retrieved from https://blogs.cisco.com/financialservices/how-to-prevent-the-bank-robbery-no-one-can-see

[5] Capitalizing on Coronavirus Panic, Threat Actors Target Victims Worldwide. (2020, March 12). Retrieved from https://www.recordedfuture.com/coronavirus-panic-exploit/

[6] Ibidem

[7] Winder, D. (2020, March 25). ‘Elite Hackers’ Thought Behind Cyber Attack On World Health Organization. Retrieved from https://www.forbes.com/sites/daveywinder/2020/03/25/hackers-target-world-health-organization-as-cyber-attacks-double-during-covid-19-pandemic/#489deb0f2e5c

[8] Menn, J. (2020, April 2). Exclusive: Hackers linked to Iran target WHO staff emails during coronavirus – sources. Retrieved from https://www.reuters.com/article/us-health-coronavirus-cyber-iran-exclusi/exclusive-hackers-linked-to-iran-target-who-staff-emails-during-coronavirus-sources-idUSKBN21K1RC

[9] Ibidem

[10] Cimpanu, C. (2020, March 13). Czech hospital hit by cyberattack while in the midst of a COVID-19 outbreak. Retrieved from https://www.zdnet.com/article/czech-hospital-hit-by-cyber-attack-while-in-the-midst-of-a-covid-19-outbreak/

[11] Technical Twitter of QiAnXin Technology, (2020, February 21). Attacks pretend to be from the Center for Public Health of the Ministry of Health of Ukraine and deliver bait document containing the latest news regarding #COVID-19. A backdoor written in C# gets dropped by malicious macro code to perform remote control. https://t.co/yT0iUZxMji pic.twitter.com/fb2ECmbSKX Retrieved from https://twitter.com/RedDrip7/status/1230683740508000256?s=20

[12] Miller, C. (2020, February 27). A Viral Email About Coronavirus Had People Smashing Buses And Blocking Hospitals. Retrieved from https://www.buzzfeednews.com/article/christopherm51/coronavirus-ukraine-china

[13] IssueMakersLab. (2020, February 27). North Korea’s BabyShark malware has been found in the form of document on South Korea’s response to COVID-19. pic.twitter.com/yAWuWt6Qkq. Retrieved from https://twitter.com/issuemakerslab/status/1233010155018604545

[14] Glyer, C. (2020, March 25). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved from https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html

[15] Capitalizing on Coronavirus Panic, Threat Actors Target Victims Worldwide. (2020, March 12). Retrieved from https://www.recordedfuture.com/coronavirus-panic-exploit/

[16] Cimpanu, C. (2020, March 9). Spying concerns raised over Iran’s official COVID-19 detection app. Retrieved from https://www.zdnet.com/article/spying-concerns-raised-over-irans-official-covid-19-detection-app/

[17] Staying safe during COVID-19: what you need to know. (2020, April 3). Retrieved from https://www.europol.europa.eu/staying-safe-during-covid-19-what-you-need-to-know

[18] Tips for cybersecurity when working from home. (2020, March 24). Retrieved from https://www.enisa.europa.eu/tips-for-cybersecurity-when-working-from-home

[19] INTERPOL issues international guidelines to support law enforcement response to COVID-19. (n.d.). Retrieved from https://www.interpol.int/News-and-Events/News/2020/INTERPOL-issues-international-guidelines-to-support-law-enforcement-response-to-COVID-19

[20] Menn, J. (2020, March 26). Cybersecurity experts come together to fight coronavirus-related hacking. Retrieved from https://www.reuters.com/article/us-coronavirus-cyber/cybersecurity-experts-come-together-to-fight-coronavirus-related-hacking-idUSKBN21D049

Margot Ossola is a Master’s student in International Affairs at the Hertie School. She is fascinated by cyber security and state-sponsored hacking.