As measures put in place to combat and slow the spread of COVID-19 become a part of everyday life, Cyjax CISO, Ian Thornton-Trump, and Head of Editorial, Tristan de Souza are virtual once again. The seventh instalment of the Cyjax Geopolitical Podcast covers the “shocking” (in Ian’s words) story of over 30 million Chrome users being infected with spyware; the “debacle” (also Ian) of the NHS’s track and trace app which is not expected to arrive until the winter; the fallout (pun intended) of a potential cyberattack at the Natanz nuclear site in Iran; and a Microsoft Office 365 phishing campaign that may indicate a subtle change of direction for threat actors.
Not so shiny Chrome
In mid-June, a spyware campaign was uncovered in which malicious Google Chrome extensions had been downloaded more than 32 million times. Most of the free extensions purported to warn users about questionable websites or to convert files from one format to another. Instead, they siphoned off browsing history and data that provided credentials for access to internal business tools.
Chrome is the most popular browser in the world, with one study showing it has almost four times the global uptake of Safari and more than fifteen times as many installs as Firefox. This makes for a vast attack surface and makes it all the more important that Google takes steps to protect its userbase. It is striking that these malicious extensions were all downloaded from the official Chrome Web Store: if users cannot be assured of a download’s safety when using official channels, there is little more they can do to secure their browsing experience.
Google has a history of malicious applications being delivered through its app store, the Play Store. It is also more than two years since the company said it would improve security by, in part, increasing human review of apps. This does not appear to have gone far enough. Ian thinks that this pivot to targeting browser extensions to disseminate malware is “not surprising” but states that the size of the campaign is “shocking.”
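One check a practitioner can run off the back of this story is to audit the permissions requested by the extensions installed in a Chrome profile: an extension that claims only to warn about bad websites has no need to read browsing history or inject scripts into every page. The script below is an added example, not Cyjax’s code and not derived from the extensions in the report. The list of permissions it treats as high-risk, the scoring and the two sample manifests are this example’s own assumptions, and both manifests are constructed for illustration.

```python
"""Audit Chrome extension manifests for data-exfiltration capability.

Added example. Walks a Chrome profile's Extensions directory, parses each
manifest.json and flags permission combinations that let an extension read
browsing history or observe every page the user visits. The HIGH_RISK
table and the scoring are illustrative assumptions, not Google's policy.
"""
import json
from pathlib import Path

# Permissions that let an extension observe or alter activity on every site
# (assumption: this table is the example's own, not an official list).
HIGH_RISK = {
    "<all_urls>": "run on or read every site",
    "webRequest": "observe all HTTP traffic",
    "webRequestBlocking": "modify all HTTP traffic",
    "history": "read full browsing history",
    "cookies": "read session cookies",
    "tabs": "see URLs and titles of all tabs",
    "webNavigation": "track navigation events",
    "clipboardRead": "read the clipboard",
}

# Host match patterns that are equivalent to <all_urls> in practice.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> dict:
    """Return the high-risk permissions a manifest requests and a simple score."""
    perms = set(manifest.get("permissions", []))
    # Manifest V3 moves host patterns out of "permissions" into "host_permissions".
    perms |= set(manifest.get("host_permissions", []))
    # A content script injected into every site is as powerful as <all_urls>.
    for script in manifest.get("content_scripts", []):
        if BROAD_HOSTS & set(script.get("matches", [])):
            perms.add("<all_urls>")
    if BROAD_HOSTS & perms:
        perms.add("<all_urls>")
    flagged = {p: HIGH_RISK[p] for p in sorted(perms) if p in HIGH_RISK}
    return {
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "flagged": flagged,
        "score": len(flagged),
    }


def scan_extensions_dir(root) -> list:
    """Audit every manifest.json below root, most suspicious first."""
    root = Path(root)
    if not root.is_dir():
        return []
    results = []
    for manifest_path in root.rglob("manifest.json"):
        try:
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        report = audit_manifest(manifest)
        report["path"] = str(manifest_path)
        results.append(report)
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed sample manifests (not real extensions): a plausible file
# converter, and one whose permissions match the behaviour described above.
SAMPLE_BENIGN = {
    "name": "PDF Converter", "version": "1.0",
    "permissions": ["activeTab", "downloads"],
}
SAMPLE_SUSPICIOUS = {
    "name": "Safe Browsing Alert", "version": "2.3",
    "permissions": ["history", "webRequest", "tabs", "storage"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["cs.js"]}],
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        reports = scan_extensions_dir(sys.argv[1])
    else:
        reports = [audit_manifest(SAMPLE_BENIGN), audit_manifest(SAMPLE_SUSPICIOUS)]
    for r in reports:
        detail = ", ".join(r["flagged"]) or "no high-risk permissions"
        print(f"{r['score']:2d}  {r['name']} {r['version']}: {detail}")
```

Run it with no arguments to see the two constructed manifests scored, or point it at a profile’s extensions folder (on Linux typically `~/.config/google-chrome/Default/Extensions`, on macOS `~/Library/Application Support/Google/Chrome/Default/Extensions`, on Windows `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions`). A high score is not proof of malice, since legitimate ad blockers and password managers request several of these permissions, but an extension whose stated purpose does not explain them deserves a closer look.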
Can’t track, won’t trace
And a pivot back to the COVID-19 pandemic brings a discussion of the NHS track and trace app in the UK. It has now been revealed that the app is unlikely to be released to the British public until the winter, despite being described earlier in the pandemic as a key part of the fight against coronavirus. Apple and Google’s decentralised model has proven the most effective worldwide; was the government’s attempt to go it alone another ‘world-beating’ mistake from an administration that has proved itself a past master in hubris? And what are the implications for democracy in allowing the big tech companies into the process, if indeed there are any?
In the aggregate, Ian is not worried about companies such as Google having access to this data if it results in societies becoming more active or enables swifter responses to outbreaks of disease – due to increased searches for ‘high temperature’ or ‘dry cough’ in a certain area, for example. It is when this becomes more localised – zooming in on city blocks, say – that the prospect becomes more dystopian.
Ultimately, in terms of the government’s failure to sufficiently protect its citizens, Ian believes this is a “shambles” that may push people to more easily accept the insertion of big tech into our healthcare systems and could cost the UK government the next election.
Natanz to see here
On 2 July, a fire and a possible explosion were reported at the Natanz nuclear site in Iran. Was this a mistake by a member of staff? A dissident attack? Or, as the Iranian administration was quick to claim, was this the result of a cyberattack on the facility? Tristan thinks it unlikely that this would have been caused by dissidents in the country. While Iran certainly has offensive cyber-capability, it is second-tier, and the likelihood of anti-regime factions having gained sufficient expertise to target a heavily protected nuclear facility is low. The chance of human error, however, cannot be ruled out.
Natanz was the target of the archetypal state-sponsored cyberattack in 2010. The Stuxnet worm, widely attributed to the US and Israel, caused significant damage and major setbacks to the Iranian nuclear programme. That the administration in Tehran should so readily blame this latest issue on a cyberattack is interesting. Is this an attempt by the Iranian administration to change the narrative? The government is under pressure, and an external attack on Iranian soil would enable it to deflect criticism of its domestic policies, particularly its handling of the COVID-19 crisis. Ian notes that this is likely to be a proxy for “big power rivalry” and may result in region-defining conflict if Tehran decides to strike back against Israel, Saudi Arabia, or the US.
Business as usual, or COVID with a twist?
Lastly, Ian and Tristan turn in-house, with a phishing campaign discovered by Cyjax analysts targeting users of Microsoft Office 365. Some 1,100 people have already fallen victim to this scam, including members of the NHS, UK police and government, the Australian government, Boeing and Oracle.
For the last three to four months, while COVID-19 has dominated the public consciousness, threat actors’ lures were almost exclusively coronavirus-related, ranging from spurious cures to free PPE to information on the latest outbreak figures. This campaign, however, contained nothing about the coronavirus and, as such, may indicate a return to business as usual for scammers.
While this may well be the case, for as long as coronavirus is with us – and it is fair to say that it will be around for some time – malicious actors will use it in their campaigns and lures. What we expect to see, however, is a slight shift, away from the purely medical issues that come with a society attempting to prevent the spread of infection, towards the government responses to job losses and economic downturn. As such, both Ian and Tristan expect phishing campaigns like this to still be COVID-related, but with a twist.
If you enjoy our podcast, please subscribe to our YouTube channel and follow us on LinkedIn for all the latest blogs covering the intersection of cybersecurity and geopolitics. Essential reading for all businesses.