Malicious cyber activity in the COVID-19 era

Steve Honiss | 3 February 2021

Summary

Information security specialist Steve Honiss explores the spike in state-sponsored cyberattacks linked to COVID-19. This article was originally published in the New Zealand Security Magazine in December 2020.


Strategic Insight

It is fair to say that aside from the health impact of COVID-19 alone, the wider impact of the pandemic is something that has never been seen before. 

In a hyperconnected world, where national economies are suffering downturns or recessions, populations are suffering illness and fear of death, and people are looking to their governments for leadership – it is hardly surprising to note that the weight and resources of governments are being turned to finding prophylaxis, treatment, or cure for the virus.

This is being manifested through the significant and urgent efforts being undertaken by universities, pharmaceutical or vaccine researchers, government health organisations, and other R&D entities. There are vast sums of money being dedicated to this activity. Large pharmaceutical companies who by nature are traditionally competitors, are now working together in pursuit of the cause. 

The threat landscape

Google’s Threat Analysis Group (TAG) have been closely monitoring state-sponsored threat groups carrying out COVID-related espionage.

In July, the US Department of Justice indicted two Chinese hackers associated to the WICKED PANDA threat group and charged them with carrying out cyber activity against a range of Western assets. These actions were reportedly carried out both in their own interests and also at the behest of the Chinese Ministry of State Security. Amongst others, the pair are charged with targeting US organisations involved in developing COVID-19 testing, anti-viral treatments, or vaccinations – on behalf of the Chinese government. 

The hacker group known as COZY BEAR, linked with high certainty to Russia’s Foreign Intelligence Service the SVR has been accused of targeting vaccine research networks in the United States, Canada and Britain. This activity is said to have focused on the vaccine development work being carried out jointly by Oxford University and AstraZeneca.

Likely South Korean APT group Darkhotel is believed to be responsible for a series of sophisticated attacks against the World Health Organisation. 

The WHO makes a very attractive target for threat actors because of the possibility that they hold unreleased information about virus testing, cure, vaccine research progress. Gaining any sort of foothold within the WHO network would be a valuable outcome for an APT group. 

Vietnam-linked threat group OCEANLOTUS have been accused of conducting campaigns against Chinese government organisations, including China’s Ministry of Emergency Management as well as officials in the Wuhan province government.   

In addition to these, Iranian and South American threat groups have also reportedly been identified carrying out cyber activity related to COVID-19. 

All told, the Google TAG are tracking no less than 12 APT groups undertaking COVID related activity.

Like much cyber activity, these campaigns targeting the bio-tech entities and government agencies have not been particularly sophisticated – but the fact is that it does not always need to be sophisticated to be successful. Well-crafted phishing emails, carefully mimicked domains, and enticing lures are often all it takes to obtain account credentials which will frequently provide attackers with their first access point. Alternatively similar techniques may be used to entice the victim user to unwittingly download or execute a malicious application which provides technical access to the victim network.

In April, investigative journalist and security researcher Brian Krebs wrote about the huge increase in new domain registrations featuring the keywords coronavirus or Covid-19 in the weeks around the beginning of the pandemic. One security researcher reported that these sort of domains were being created at the rate of 2000 per day at the height of the activity.  A significant proportion of these will have been used for malicious purposes.

Google’s Threat Analysis Group (TAG) have been closely monitoring state-sponsored threat groups carrying out COVID-related espionage.

In July, the US Department of Justice indicted two Chinese hackers associated to the WICKED PANDA threat group and charged them with carrying out cyber activity against a range of Western assets. These actions were reportedly carried out both in their own interests and also at the behest of the Chinese Ministry of State Security. Amongst others, the pair are charged with targeting US organisations involved in developing COVID-19 testing, anti-viral treatments, or vaccinations – on behalf of the Chinese government. 

The hacker group known as COZY BEAR, linked with high certainty to Russia’s Foreign Intelligence Service the SVR has been accused of targeting vaccine research networks in the United States, Canada and Britain. This activity is said to have focused on the vaccine development work being carried out jointly by Oxford University and AstraZeneca.

Likely South Korean APT group Darkhotel is believed to be responsible for a series of sophisticated attacks against the World Health Organisation. 

The WHO makes a very attractive target for threat actors because of the possibility that they hold unreleased information about virus testing, cure, vaccine research progress. Gaining any sort of foothold within the WHO network would be a valuable outcome for an APT group. 

Vietnam-linked threat group OCEANLOTUS have been accused of conducting campaigns against Chinese government organisations, including China’s Ministry of Emergency Management as well as officials in the Wuhan province government.   

In addition to these, Iranian and South American threat groups have also reportedly been identified carrying out cyber activity related to COVID-19. 

All told, the Google TAG are tracking no less than 12 APT groups undertaking COVID related activity.

Like much cyber activity, these campaigns targeting the bio-tech entities and government agencies have not been particularly sophisticated – but the fact is that it does not always need to be sophisticated to be successful. Well-crafted phishing emails, carefully mimicked domains, and enticing lures are often all it takes to obtain account credentials which will frequently provide attackers with their first access point. Alternatively similar techniques may be used to entice the victim user to unwittingly download or execute a malicious application which provides technical access to the victim network.

In April, investigative journalist and security researcher Brian Krebs wrote about the huge increase in new domain registrations featuring the keywords coronavirus or Covid-19 in the weeks around the beginning of the pandemic. One security researcher reported that these sort of domains were being created at the rate of 2000 per day at the height of the activity. A significant proportion of these will have been used for malicious purposes.

Tip of the iceberg

It is difficult to find any aspect of our governments and economies that are not reliant to some degree on technology and the Internet. 

Even in the years pre-COVID we saw regular public reporting of nation states being called out for hostile cyber activities. It is not unreasonable to believe that what was reported publicly then was only the tip of the iceberg and that in reality, there is a constant unseen war of sorts being waged by those states that have offensive cyber capabilities – or at least have the will and ability to pay for it.

This sort of activity has a range of motivations; from obtaining state secrets, financial bargaining positions, defence policy and plans, material to use for blackmail, academic research, R&D and other valuable intellectual property, destruction and disruption, and in some cases – fundraising efforts to support a national economy through cybercrime.

In addition to this normal level of cyber espionage, the global impact of the coronavirus on health, public confidence and way of life, working situations and employment, and generally economies – has provided a new and fertile ground for malicious cyber activity to take place.

There has been a real flurry of compromises and other malicious activity that has connections in one form or another with the pandemic.

There are three likely main motivations for the activity that we have seen this year. These are a) traditional financially motivated cybercrime, b) state-backed espionage, and c) corporate or economic espionage.

To expand on that

Firstly – cybercrime actors are attempting to steal intellectual property and other secrets with a pure financial motivation. They want to sell what they find to the highest bidder, or they could undertake ransomware attacks in order to hold the secrets to ransom.

Secondly – states are worried. The pandemic is having wide-ranging effects on economies, and countries are concerned. They are prepared to carry out unlawful activity, potentially in violation of bilateral or multilateral agreements, in the name of protecting their populations.

Thirdly – economic espionage. It stands to reason that whoever wins the race to develop a safe and effective vaccine will make potentially huge profits – paying state-level hacking groups to try and copy the opposition’s homework seems a reasonable investment.

Implications

It is hard to say what the implications of this increased activity will play out to be.

Cyber espionage is not a new thing, it is just that COVID-related espionage is a hot topic right now.

Cyber espionage has become something of the new arms race, where instead of the race for bigger and more destructive kinetic or nuclear weapons, countries are building bigger and more skilled offensive (and defensive) cyber capabilities. That is not necessarily related to the pandemic but there are clear signs that countries are engaging their national defensive capabilities in support of protecting COVID research and vaccine developments.

The bigger question perhaps is what is the real end goal here: 

  • Is it simply a question of the states trying to get hold of research so they can advance their own vaccine production efforts?
  • Is it a case of them just trying to see who is furthest along the development path in order to support their vaccine nationalism agenda?
  • Is it in an attempt to just have good intelligence on which to base planning for their ongoing pandemic response?

My final comment on the implications is to note the perennial risk that hostile cyber action leads to some form of escalation in tensions.

Responses by states

Over recent years we have seen agreements and treaties executed that have the intention of at least reducing state-sanctioned cyber activities. They have had questionable effect. 

The US Department of Justice have not infrequently indicted individuals who they accuse of computer crime on behalf of countries such as China, Russia and Iran. That is a largely symbolic act in my view.

Public denunciation of attack campaigns where strong attribution has been carried out are also not uncommon – but to what effect? They send a message to the perpetrators that they have been caught, but it would be naive to believe that they have a great impact in terms of stopping the malign behaviour. These are political statements and little more.

The standard practical measures ought to be taken – so countries should be putting national resources in to shoring up their own defences, supporting those holders of the valuable research and intellectual property, perhaps some might engage in some active defence measures or return fire, and just generally robustly defend and protect what is valuable to them until they are ready to share it. Information owners and governments need to raise the cost of attackers doing business to a level where the return on investment becomes in question.

There is always the policy response options for consideration but to date I do not see that they have had great effect. When you are dealing with threat actors supported by major world powers – it’s my view that a public telling off is unlikely to change behaviour significantly. 

In the case of a country already subject to global sanctions, there are minimal options to consider. Agreements to not behave badly in cyberspace are only going to be adhered to by states that are either not doing it in the first place, or are confident that they can continue without either being caught or facing any real form of retribution.

In conclusion – COVID-19 has provided a rich environment for countries with capability to put those capabilities to use in their own national interests in terms of mitigating the impact of the virus. Past and present behaviours would tend to indicate that this will continue and essentially become the new normal in situations like this. 

Making the task too hard, too expensive, or too time consuming may be the most reliable option for defence.

ABOUT THE AUTHOR

Steve Honiss is the Director of Aardwolf Consulting Ltd (Wellington) and a Senior Fellow at the Azure Forum for Contemporary Security Strategy (Dublin).

Authors’ views are their own and do not represent the official position of The Azure Forum.