19 March 2020
Full Report: Global Themes
- The risk of COVID-19-themed phishing and ransomware attacks will rise significantly as the pandemic worsens over the coming months
- Attackers will impersonate official health bodies to manipulate recipients into opening documents containing hidden malware
- Disinformation spread by state actors will in part aim to increase the success rate of COVID-19-themed cyberattacks
The UK’s National Cyber Security Centre (NCSC) issued a warning on 16 March over the rising threat of coronavirus (COVID-19) themed cyberattacks. This followed reports of such incidents worldwide, particularly against health infrastructure, typified by a ransomware attack against the Champaign-Urbana Public Health District in the US state of Illinois, reported on 10 March, which took the district’s website offline. An attack of unspecified type on 13 March against a hospital in the Czech city of Brno, which hosts a major COVID-19 testing laboratory, forced a complete IT shutdown and required acute patients to be rerouted to another hospital. Such attacks have also occurred in other sectors, with widespread reports in recent weeks of incidents targeting businesses in the countries most heavily affected by the virus, particularly Italy and South Korea.
Fears over the virus, and the large number of people seeking information about its spread, provide a major opportunity for cyberattacks. These will likely include phishing attacks, which harvest credentials by luring recipients to fake websites or documents where they enter them, and ransomware, which encrypts files or locks devices and demands payment, typically in cryptocurrency, to restore access.
Past incidents highlight the significant global damage that ransomware can inflict. In particular, the May 2017 WannaCry attack infected around 200,000 computers across 150 countries and would have had an even wider impact had a researcher not swiftly identified and registered the “kill switch” domain hard-coded in the malware, which halted it on newly infected machines. The UK National Health Service (NHS) was one of the worst-affected organisations, with around 70,000 devices affected, causing major operational disruption and necessitating costly IT upgrades. WannaCry is of particular significance because it shows that such attacks are not limited to criminal groups but can be state-backed: the US Department of Homeland Security and the UK’s NCSC publicly attributed it to North Korea. This attribution is credible given reported similarities between WannaCry and earlier malware deployed by the Pyongyang-linked Lazarus Group, as well as the fact that North Korea typically uses cyberattacks to raise funds for the regime.
The risk of COVID-19-themed phishing and ransomware attacks will increase as the pandemic worsens
COVID-19 thus provides an opportunity for Pyongyang. Indeed, there were reports on 27 February that state hackers had attempted a spear-phishing attack on South Korean firms, hiding malware in documents purporting to contain information on Seoul’s response to the pandemic. Other state actors likely to capitalise include Russia: the Hades Group, reportedly an affiliate of Fancy Bear (APT28), which is associated with Russia’s military intelligence (GRU), was credibly linked to COVID-19-themed attacks from mid-February. Hades targeted Ukrainian institutions with password-stealing malware embedded in fake COVID-19 documents disguised as originating from Ukraine’s Ministry of Health. Reports suggest China has been most active, with the Mustang Panda and Vicious Panda groups conducting state-sponsored campaigns against Vietnam and Mongolia respectively in recent weeks. This reflects Beijing’s strategy of acquiring political intelligence as well as commercially valuable information and intellectual property.
By contrast, there have been no significant reports of Iranian-linked attacks of this nature, despite the fact that hacking groups affiliated with the Islamic Revolutionary Guard Corps (IRGC) possess comparable offensive capabilities and would be motivated to target geopolitical rivals experiencing outbreaks, particularly the US. The absence of attacks is likely due to the extent of the virus’ spread in Iran, where the number of cases and deaths likely far exceeds official statistics, meaning state resources are heavily focused on the domestic situation. It is plausible that the IRGC is instead deploying its cyber capabilities to monitor public commentary and suppress the spread of potentially damaging messages. Indeed, reports on 26 February indicated that 24 arrests had been made in relation to the purported spread of “rumours” about the virus.
The threat of further attacks will likely rise in line with the severity of the pandemic. Western nations, including the US, the UK and EU member states, are all expected to see steep rises in case numbers over the coming months, so government bodies and large companies across all sectors, but particularly in healthcare, will face elevated risks. Phishing attacks will be particularly prevalent, with hackers likely impersonating official bodies, including domestic health organisations and international institutions such as the WHO, to lend their lures credibility. Ransomware cases are also likely to increase, with hackers judging they can extract significant sums as the pandemic increases the pressure on victims to restore access to affected devices quickly.
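The impersonation pattern described above (a display name claiming the WHO or a national health body, a sender domain that only resembles the genuine one, and a document lure such as the fake Ministry of Health files used against Ukraine) can be triaged mechanically at the mail gateway. The following is an added example written for this report, not code from the report’s authors: the brand-to-domain map, the sample headers and the attachment list are constructed for illustration, and a real deployment would build the map from its own sender inventory and feed the function from gateway logs.

```python
"""Flag e-mails that pose as public-health bodies (constructed example)."""
import re
from email.utils import parseaddr

# Constructed: bodies the report expects attackers to impersonate -> domains
# that genuinely send mail for them. Illustrative values only.
LEGIT_DOMAINS = {
    "who": ["who.int"],
    "world health organization": ["who.int"],
    "nhs": ["nhs.uk", "nhs.net"],
    "cdc": ["cdc.gov"],
}
ALL_LEGIT = sorted({d for ds in LEGIT_DOMAINS.values() for d in ds})

# Office/RTF formats are the lure the report describes ("documents containing
# hidden malware"). An attachment alone is not suspicious, so it only adds to a
# message that is already flagged for sender problems.
DOC_EXTENSIONS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".rtf")

_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain):
    """Fold digit/letter look-alikes so wh0.int compares equal to who.int."""
    d = domain.lower().rstrip(".")
    return d.translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def brand_key(domain):
    """Reduce a domain to its alphanumerics: who-int.com, wh0.int and
    who.int.covid-update.example all contain the key of who.int ('whoint')."""
    return re.sub(r"[^a-z0-9]", "", normalize(domain))


def levenshtein(a, b):
    """Edit distance, used to catch one-character typo-squats (whp.int)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_under(domain, legit):
    """True if domain is legit itself or a subdomain of it (england.nhs.uk)."""
    return domain == legit or domain.endswith("." + legit)


def classify(from_header, attachment=None):
    """Return the reasons a message looks like health-body impersonation.

    An empty list means nothing was flagged, including for genuine senders.
    """
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if any(is_under(domain, legit) for legit in ALL_LEGIT):
        return []  # mail really comes from the body it claims; nothing to flag

    reasons = []
    # 1. Display name claims a health body, but the address is not under its domains.
    for brand in LEGIT_DOMAINS:
        if re.search(r"\b" + re.escape(brand) + r"\b", display, re.I):
            reasons.append("brand_impersonation:" + brand)
            break

    # 2. Sender domain imitates a legitimate one: the legitimate key is embedded
    #    in it (hyphen, TLD swap, homoglyph or subdomain tricks) or one edit away
    #    (typo-squat). Short keys can collide with unrelated domains, so treat
    #    this as a triage signal rather than a verdict.
    key = brand_key(domain)
    for legit in ALL_LEGIT:
        lk = brand_key(legit)
        if lk in key or levenshtein(key, lk) <= 1:
            reasons.append("lookalike_domain:" + legit)

    # 3. A document lure only matters once the sender already looks wrong.
    if reasons and attachment and attachment.lower().endswith(DOC_EXTENSIONS):
        reasons.append("document_attachment")
    return reasons


# Constructed sample headers, in the shape a mail gateway might log them.
SAMPLES = [
    ("World Health Organization <covid-alerts@who-int.com>", "COVID-19_guidance.doc"),
    ("WHO Alerts <news@wh0.int>", None),
    ("NHS England <updates@england.nhs.uk>", "Staff_briefing.docx"),
    ("Ministry of Health <press@who.int.covid-update.example>", "Daily_cases.xlsm"),
    ("Alice <alice@example.org>", "notes.docx"),
]

if __name__ == "__main__":
    for header, att in SAMPLES:
        print(f"{header:58} -> {classify(header, att) or 'clean'}")
```

The genuine NHS sender and the unrelated sender with a .docx attachment both come back clean, while the hyphenated, homoglyph and subdomain variants of who.int are flagged, and the document attachment raises the score only on those. The edit-distance rule is deliberately tight (one edit) because short brand keys such as cdc.gov would otherwise collide with legitimate unrelated domains; authentication results (SPF, DKIM, DMARC) from the gateway should be combined with these signals before any message is blocked.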
Alongside the direct threat, all organisations should be aware of the online misinformation that will accompany these attacks. The Ukraine attacks coincided with a large influx of spam emails reporting a major spike in COVID-19 cases, likely intended in part to encourage recipients to open infected documents purportedly containing public health information. Western media on 18 March also reported that an internal EU report had identified a significant rise in COVID-19 misinformation campaigns targeting Western Europe via Russian state media and pro-Kremlin groups, highlighting the scale of the problem.