When implementing COVID-19 business continuity plans, companies should take into consideration security threats from cybercriminals looking to exploit fear, uncertainty and doubt – better known as FUD. Fear can drive a thirst for the latest information and may lead employees to seek online information in a careless fashion – leaving best practices by the wayside.
According to Reinsurance News, there has already been “a surge of coronavirus-related cyber attacks”. Many phishing attacks “have either claimed to have an attached list of people with the virus or have even asked the victim to make a bitcoin payment for it.” Not all employees are accustomed to the risks from a corporate-wide work from home (WFH) policy given the previous lack of intersection between work and personal computers.
One cyber security firm released information outlining these WFH risks. And, another security provider offers a common-sense refresher: “If you get an email that looks like it is from the WHO (World Health Organization) and you don’t normally get emails from the WHO, you should be cautious.” In addition to recommendations made by security consultants, there are privacy-forward recommendations that will necessarily mitigate against phishing exploits. For example, WFH employees should be steered towards privacy browsers such as Brave and Firefox to avoid fingerprinting and search engines such as Duckduckgo for private searches. A comprehensive listing of privacy-forward online tools is found at PrivacyTools.IO.
Criminals have already exploited the current FUD by creating very convincing COVID-19-related links. As reported by Brian Krebs, several Russian language cybercrime forums now sell a “digital Coronavirus infection kit” that uses the Hopkins interactive map of real-time infections as part of a Java-based malware deployment scheme. The kit only costs $200 if the buyer has a Java code signing certificate and $700 if the buyer uses the seller’s certificate.
At a very basic level, WFH employees should be reminded not to click on sources of information other than clean URLs such as CDC.Gov or open unsolicited attachments even if they appear coming from a known associate. Now that banks, hotels, and health providers are sending emails alerting their clients of newly-implemented COVID-19 procedures, it is especially easy to succumb to spear phishing exploits – which is the hallmark of state-sponsored groups. As recently reported, government-backed hacking groups from China, North Korea, and Russia have begun using COVID-19-based phishing lures to infect victims with malware and gain infrastructure access. These recent attacks primarily targeted users in countries outside the US but there should be little doubt more groups will focus on the US in the coming weeks. Until ramped up testing demonstrates that the COVID-19 risk has passed, companies are well advised to focus some of their security diligence on these targeted attacks.
This does not mean employees need to be fed yet more FUD – this time regarding network security, without some good news. Employees can be reminded of the fact a decade ago we survived another pandemic. Specifically, between April 2009 and April 2010, there were 60.8 million cases, 274,304 hospitalizations, and 12,469 deaths in the United States caused by the Swine Flu. Globally, the Swine Flu infected between 700 million and 1.4 billion people, resulting in 150,000 to 575,000 deaths. Moreover, the young were a vector for Swine Flu yet are not for COVID-19. And, a large band of 25 – 35 year olds are better in two days – hardly a bad cold, for COVID-19 whereas there was no such band for the Swine Flu. On the downside, COVID-19 has a more efficient transmission mechanism than Swine Flu and we are better suited to develop influenza vaccines than we are for coronavirus vaccines.
UPDATE: April 23, 2020
The CDC reports in its latest published statistics there were 802,583 reported cases of COVID-19 and 44,575 associated deaths. Without a doubt, this pandemic is certainly much worse that the Swine Flu pandemic as previously reported by the CDC. Moreover, the current “panic pandemic” certainly shows no indications of subsiding.
Whether the governmental measures taken actually ratcheted up the body count or caused them to diminish is left for historians and clinicians to analyze. The hard fact remains the body count keeps going up and the U.S. economy is still on lock down as of April 23, 2020.
UPDATE: May 1, 2020
On April 30, 2020, it was reported Tonya Ugoretz, deputy Assistant Director of the FBI Cyber Division, stated the FBI’s Internet Crime Complaint Center (IC3) is currently receiving between 3,000 and 4,000 cybersecurity complaints daily – IC3 normally averages 1,000 daily complaints.
UPDATE: May 6, 2020
On May 5, 2020, a joint alert from the United States Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the United Kingdom’s National Cyber Security Centre warned of APTs targeting healthcare and essential services.
The alert warned of “ongoing activity by APT groups against organizations involved in both national and international COVID-19 responses.” This May 5, 2020 alert follows an April 8, 2020 Alert that warned in broader terms of malicious cyber actors exploiting COVID-19.
APTs are conducted by nation-state actors given the level of resources and money needed to launch such an attack. Moreover, they generally take between eight and nine months to plan and coordinate before launching. It is particularly disheartening that these recent attacks include those launched by state-backed Chinese hackers known as APT 41. As one cybersecurity firm points out in a recently-released white paper: “APT41’s involvement is impossible to deny.”
Distilled to its essence, the uncovered APT41 attacks mean that before COVID-19 was even on US shores, Chinese state-actors were planning attacks targeting the healthcare and pharmaceutical sectors. One can only hope the cyberattacks were not coordinated alongside the spread of the virus – a virus that only became public months after a coordinated attack would have been first planned.