On January 11, China announced its first death from the coronavirus (SARS-CoV-2), which was quickly followed by news of confirmed cases in neighboring countries. Since then, the global information space has been flooded with an overabundance of both accurate and inaccurate news and information, in what the World Health Organization coined a “massive infodemic.” This infodemic has largely been facilitated by social media and further exacerbated by state actors spreading disinformation about the nature and origin of the virus.
However, the anxiety and uncertainty caused by the pandemic, together with people's desire for reliable information amid an overabundance of information, has also opened a unique window of opportunity for cyber threat actors. This is reflected, among other things, in the near-exponential growth in registrations of COVID-19 themed domains, a growing list of malware families that are leveraging the crisis, and targeted cyber operations against the health, government, or media sectors dealing with the response to the pandemic. Social engineering attacks in particular, such as phishing email attacks, have been on the rise, with COVID-19 related email lures representing the “greatest collection of attack types united by a single theme” that Proofpoint researchers say they have seen.
COVID-19 themed domain registrations were first observed on January 12, with a further noticeable spike on February 12 – one day after the WHO named the disease COVID-19 (coronavirus disease). Since then, the number of domain registrations has increased near-exponentially on a weekly basis. While the total number of newly registered COVID-19 themed domains was around 16,000 on March 09, it had roughly doubled only a week later. As these domains have proven disproportionately likely to host malware, false information, or scam products, there have been calls for greater scrutiny of COVID-19 themed domain registrations. Domain registrar Namecheap has followed suit by blocking registration requests that use “coronavirus” in combination with the term “vaccine.”
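A defender screening a feed of newly registered domains (for example from zone-file diffs or certificate transparency logs) can apply the same kind of keyword-combination rule the registrar block above describes. The following is an added example, not code from the article or from Namecheap; it generalizes the “coronavirus” + “vaccine” pair to a small set of theme and risk terms, undoes simple digit-for-letter substitutions, and flags matches for manual review rather than blocking them. The term lists and the sample feed are constructed for illustration and are not a published policy.

```python
import re
from collections import namedtuple

# Pandemic theme terms (longest first when matching, so "coronavirus" is
# reported rather than "corona"). Constructed list for this example.
THEME_TERMS = ("coronavirus", "sarscov", "corona", "covid", "wuhan", "ncov")

# Terms that, combined with a theme term, warrant review. "vaccine" mirrors the
# registrar rule in the text; the others are assumptions for illustration.
RISK_TERMS = ("vaccine", "cure", "testkit", "mask", "relief", "stimulus")

# Common digit-for-letter substitutions seen in look-alike names.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})

Match = namedtuple("Match", "domain theme risk")


def normalize(domain):
    """Lowercase, drop the final (TLD) label, strip separators, undo leet-speak.

    Joining all non-TLD labels lets a theme term in one label and a risk term
    in another still be seen together (simplification: multi-part public
    suffixes such as .co.uk are not handled specially).
    """
    labels = domain.lower().rstrip(".").split(".")
    body = "".join(labels[:-1]) if len(labels) > 1 else labels[0]
    body = re.sub(r"[^a-z0-9]", "", body)
    return body.translate(LEET)


def screen(domain):
    """Return a Match when a theme term and a risk term co-occur, else None.

    Substring matching is deliberate (it catches "covid19", "coronavirusvaccines")
    but means e.g. "secure" contains "cure"; flagged names are for review only.
    """
    body = normalize(domain)
    theme = next((t for t in sorted(THEME_TERMS, key=len, reverse=True) if t in body), None)
    if theme is None:
        return None
    risk = next((r for r in RISK_TERMS if r in body), None)
    if risk is None:
        return None
    return Match(domain, theme, risk)


def screen_feed(domains):
    """Screen an iterable of newly registered domains; return the flagged ones."""
    return [m for m in (screen(d) for d in domains) if m is not None]


# Constructed sample registration feed (not real observed domains).
SAMPLE_FEED = [
    "coronavirus-vaccine.com",   # the combination the text says Namecheap blocks
    "c0vid19-cure.net",          # leet-speak variant of a theme term
    "covid-19.relief-fund.org",  # theme and risk term split across labels
    "coronavirus-update.info",   # themed but no risk term: not flagged
    "example.com",               # unrelated
]

if __name__ == "__main__":
    for m in screen_feed(SAMPLE_FEED):
        print(f"REVIEW {m.domain}: theme={m.theme} risk={m.risk}")
```

Only the first three sample entries are flagged; a purely themed domain such as the news-style "coronavirus-update.info" is left alone, which keeps the rule narrow enough to be useful as a triage filter rather than a blanket block.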
Activity in Cybercrime Forums and the Dark Web
According to a report by Digital Shadows, discussions around COVID-19 are “as popular on the dark web as they are on the clear web.” These discussions have ranged over the ethics of exploiting the crisis for financial gain, with many users discouraging others from profiting from the pandemic or even offering advice and solidarity to those affected. This type of seemingly benign discussion corresponds with vows by major ransomware gangs (e.g. Maze and DoppelPaymer) not to target the health sector during the pandemic. However, others have offered “coronavirus specials,” which allow customers of malicious products and services to use discount codes such as “COVID19” or “coronavirus.”
Phishing emails account for the majority of COVID-19 related malicious cyber activity, as these social engineering attacks can easily leverage the global anxiety, uncertainty, and false information surrounding the pandemic. Barracuda Networks observed an increase of 667% in the number of such cases, from 1,188 incidents in all of February to 9,116 incidents as of March 26. These emails often adjust their language, content, and impersonated sender to the targeted region and audience. For example, the Emotet Trojan was deployed in late January against targets in Japan, one of the first affected countries, imitating a national disability welfare provider and warning of new coronavirus cases in Japan. In comparison, in early March, as COVID-19 deaths in Italy began to increase, a Trickbot spam campaign was observed targeting Italian email addresses while imitating the WHO.
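The WHO-impersonating lure described above is detectable at the mail gateway with a simple header check: a display name that claims a well-known organization while the actual sender domain is not one that organization uses, optionally combined with a mismatched Reply-To and a pandemic-themed subject. The code below is an added example, not code from the article, Barracuda, or Proofpoint. It uses only the standard library's `email` package; who.int is the WHO's real domain, but the brand-to-domain map and the two sample messages are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Organizations commonly impersonated in COVID-19 lures, mapped to the domains
# they legitimately send from. Constructed allow-list for this example; a real
# deployment would load this from the organisation's own verified sender data.
IMPERSONATED_BRANDS = {
    "world health organization": {"who.int"},
    "who": {"who.int"},
}

# Subject keywords that mark a pandemic lure theme (a context signal only).
LURE_TERMS = ("covid", "coronavirus", "corona", "pandemic", "outbreak")

# Indicators that on their own make a message suspicious.
STRONG_INDICATORS = {"impersonation", "replyto_mismatch"}


def sender_parts(header_value):
    """Return (display_name, domain) from a From:/Reply-To: header value."""
    name, addr = parseaddr(header_value or "")
    domain = addr.rpartition("@")[2].lower()
    return name.strip().lower(), domain


def analyse(raw_message):
    """Return a list of (indicator, detail) tuples for one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []

    name, from_dom = sender_parts(msg.get("From"))
    for brand, allowed in IMPERSONATED_BRANDS.items():
        # Whole-word match so "who" does not fire on names like "Whooper".
        if re.search(r"\b" + re.escape(brand) + r"\b", name) and from_dom not in allowed:
            findings.append(("impersonation",
                             f"display name claims '{brand}' but sender domain is "
                             f"{from_dom or '<none>'}"))
            break

    _, reply_dom = sender_parts(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(("replyto_mismatch",
                         f"Reply-To domain {reply_dom} differs from From domain {from_dom}"))

    subject = (msg.get("Subject") or "").lower()
    if any(term in subject for term in LURE_TERMS):
        findings.append(("lure_theme", "subject uses a COVID-19 lure theme"))

    return findings


def is_suspicious(raw_message):
    """True when at least one strong indicator is present (theme alone is not enough)."""
    return any(code in STRONG_INDICATORS for code, _ in analyse(raw_message))


# Constructed sample messages (not real captured mail).
PHISH = "\n".join([
    "From: World Health Organization <info@who-covid19-alert.example>",
    "Reply-To: who.response@mail-drop.example",
    "Subject: Coronavirus (COVID-19) safety measures",
    "Content-Type: text/plain",
    "",
    "Please review the attached guidance.",
])

LEGIT = "\n".join([
    "From: World Health Organization <newsletter@who.int>",
    "Subject: Coronavirus disease (COVID-19) situation report",
    "Content-Type: text/plain",
    "",
    "Today's situation report is available on the website.",
])

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, "suspicious" if is_suspicious(raw) else "ok", analyse(raw))
```

The lure-theme subject check is deliberately treated as context rather than as an indicator in its own right, since genuine WHO situation reports carry the same words; it is the combination of a trusted display name with an unrelated sender domain (or a diverted Reply-To) that separates the Trickbot-style lure from legitimate mail.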
Attacks on the Health Sector and (Inter)national Organizations
Perhaps the most worrying cyber trend that has accompanied the global pandemic is the targeting of the health sector. Ransomware attacks have hit hospitals dealing with COVID-19 patients in the Czech Republic, Spain, and most recently France. A further ransomware attack took place against a facility of the UK firm Hammersmith Medicines Research (HMR), which had been on standby to perform potential tests of a COVID-19 vaccine. The attack was carried out by the Maze ransomware gang, which had previously vowed not to target the health sector. These ransomware attacks are likely to have been motivated by economic incentives.
In comparison, attacks against government agencies or international organizations have appeared political in nature, attempting to disrupt communications or exfiltrate information. On March 16, Bloomberg reported a DDoS attack against the US Department of Health and Human Services (HHS), which was allegedly “aimed at undermining the response to the coronavirus pandemic.” The attack was said to have been carried out by a foreign state; however, the US government did not provide further details. Nearly a week later, cybersecurity experts discovered an operation by “elite hackers” to steal the login credentials of WHO staff. The suspected threat actor is the so-called DarkHotel group, which has conducted cyber-espionage operations in the past, mainly in East Asia.