Businesses, governments and their citizens around the world face an unprecedented challenge from the coronavirus pandemic. This is both a physical and cybersecurity issue. At the time of publication, there had been over 330,000 confirmed cases worldwide and 14,500 deaths. This includes 5,683 patients in the UK and 281 fatalities. [1] Strict limitations have been placed on travel and freedom of movement as events are cancelled and borders closed. Shortages of food, medicines and essential supplies have all been reported as people panic buy and suppliers struggle to cope with increased demand. [2] And criminals online and off are looking to take advantage.
In England, schools were shut for most pupils on 20 March and citizens were advised to practice social distancing. This appears not to have been heeded by many: on 21-22 March, thousands gathered in parks, markets and beaches around the UK. Stricter enforcement may have to be introduced. [3] On the same day as the schools were shuttered, all pubs, restaurants, gyms and other social venues were ordered to close until further notice. Those that can work from home have been recommended to do so while many others face redundancies or unpaid leave. Salaried employees forced to take temporary redundancies will receive up to 80% of their wages from the government. [4]
All forecasts point to severe economic damage as a result of these measures, not just in the UK but around the globe. The prices of oil, gold and other commodities are tanking. Fearing the impact on growth, investors have withdrawn funds, wiping around a third off global markets since January. In the UK, interest rates have been cut to historic lows in a bid to temper the outbreak’s economic impact. Exactly how effective this will be, remains to be seen. However, at 0.1%, there’s very little room for further manoeuvre in monetary policy. [5]
Despite increasingly stringent measures being taken to slow the outbreak, both in UK hospitals and wider society, worst-case scenario forecasts suggest that up to 80% of the population could be infected. [6] Hospitals in the UK have been ordered to cancel all non-urgent operations for at least three months. Patients considered fit enough to leave will be sent home, and approximately 10,000 extra beds sourced from the private sector to ease pressure on NHS services. [7] Even the more positive estimates would severely strain NHS resources and result in thousands of deaths. There is little doubt that COVID-19 is going to be massively disruptive for all sectors going forward.
Overview of malicious cyber activity
As the outbreak escalates, we are witnessing a significant uptick in cyberattacks exploiting the fear of coronavirus to compromise victims. Most sectors have been targeted, including government, manufacturing, pharmaceutical and healthcare organisations. Employees working remotely for the first time have compounded the risk. In response, the National Cyber Security Centre (NCSC) provided guidelines for businesses and staff to work safely from home. [8]
Private citizens attempting to stay abreast of the latest developments have also been hit. Some have been infected with malware after visiting fake coronavirus tracking websites or mobile apps; others have received malicious emails impersonating the World Health Organization (WHO) or Centers for Disease Control and Prevention (CDC). A broad range of malware is being delivered via these vectors, including ransomware, remote access trojans (RATs) and information stealers (infostealers). Emails containing links to phishing pages are a persistent threat, including many purportedly offering coronavirus updates or advice. [9]
An Advanced Persistent Threat (APT) is a skilled offensive cyber group, usually backed or directed by a nation-state. These groups have always leveraged current affairs and public holidays in the target country to make their lures more compelling. The global impact of the virus and the panic that this has induced, coupled with the highly technical skillset and worldwide reach of these APTs, mean that these campaigns are likely to be far more effective than anything we have seen previously.
Most coronavirus-related APT activity to date has been observed in Asia. This is likely to reflect the fact that the outbreak began in China, providing cybersecurity researchers with more time to uncover and monitor campaigns in the region. This is not to say, however, that there has not been APT activity in other regions, merely that APTs in Asia are more likely to have been detected by this point.
Several malicious coronavirus-themed documents were identified that appear to have originated with North Korean APT Kimsuky. [10, 11, 12] It is not clear who these samples were targeting, but the group has previously attacked a broad range of organisations supporting Korean reunification, cryptocurrency exchanges, think tanks, nuclear power operators and more.
Elsewhere in the region, Chinese APTs MustangPanda, ViciousPanda and EmissaryPanda have been linked to coronavirus-themed lures, delivering various malware to victims in Taiwan and the Mongolian public sector. [13, 14, 15] All three groups, however, present a threat to organisations of interest to the Chinese state, including NGOs, foreign embassies, government, defence and technology sectors.
Russian cybercriminal group, TA505, has also distributed coronavirus-themed malspam to healthcare, manufacturing, and pharmaceutical organisations in the US. The emails have the subject “COVID-19 Everything you need to know” and contain a link to a ransomware downloader.
BEC and ransomware
As the coronavirus pandemic progresses, Business Email Compromise (BEC) will remain a significant threat to all sectors. In 2019, the FBI recorded 23,775 BEC incidents, resulting in more than $1.7bn in losses. [16] Already we have seen BEC gangs exploiting coronavirus to dupe victims. Cybercriminal group AncientTortoise is believed to have been the first to employ this tactic. On 12 March, researchers captured an email from the group, claiming that their victim was changing bank accounts due to the spread of COVID-19. [17]
Organised ransomware gangs will continue to present a significant threat to businesses. Interestingly, two of the most active groups operating at present, Maze and Doppelpaymer, have pledged to avoid targeting healthcare organisations during the coronavirus pandemic. This tactic is more likely to be for self-preservation, rather than representing any genuine sense of altruism on their part. And it still leaves numerous other operators, such as Sodinikobi/REvil, Ryuk, PwndLocker and Ako, who have not made such claims. [18]
Based on the available evidence, we assess it is highly likely that APTs, and cybercriminals more generally, will continue to exploit the COVID-19 pandemic to compromise targets. Consequently, it is essential that governments and organisations around the world maintain visibility of emerging campaigns. Timely, accurate and actionable cyber threat intelligence is vital in this regard. Understanding a group’s tactics, techniques and procedures (TTPs) will allow an organisation to respond proactively, implementing effective mitigations that will minimise the likelihood of a successful breach.