Date: 28 May 2020 Author: Wiktor Sędkowski
Cyber attacks during Covid-19 pandemic
Each year the number of security incidents on the internet increases. Although technology companies are putting more and more effort into securing the global network, criminals are still able to find ways to infiltrate corporate and government-owned infrastructure. Yearly growth of malware infections and other security-related incidents falls in the 20-50% range, depending on the source of the statistics. The U.N. disarmament chief, Izumi Nakamitsu, reported during a Security Council meeting on 22 May that “cybercrime is on the rise, with a 600% increase in malicious emails during the current crisis”.
The global pandemic created an excellent opportunity for APT (Advanced Persistent Threat) groups to target employees working remotely in home office environments, where security capabilities are nowhere close to those deployed by system administrators in corporate networks. Although most of the attacks launched in recent months seem to originate from criminals and hacking groups not related to any particular state, there are indicators of attacks launched by state-sponsored groups. In the middle of February, QiAnXin security researchers found a C# backdoor trojan attached to documents named “Коронавірусна інфекція COVID-19.doc” (Coronavirus infection COVID-19.doc). The document was sent to selected targets in Ukraine. The attackers tried to impersonate the Center for Public Health of the Ministry of Health of Ukraine. Opening the document and allowing the malicious macro to run gave the attackers full control over the victim’s computer. The researchers’ analysis of the code identified the Hades group, tied to APT28 (Fancy Bear) operating out of Russia, as the authors of the malware. It is important to note that, at the same time as this attack took place, Ukraine was hit with a huge social media disinformation raid, for which Ukrainian officials blamed Russia. Since the beginning of the coronavirus outbreak, fake news related to the pandemic has spread through Ukraine like in no other European country. Russia denied those accusations.
Cybersecurity experts and threat researchers joined in a global effort to warn individuals about downloading apps aimed at combating the ongoing pandemic. This warning came for two main reasons. First, developers are racing to produce contact tracing apps intended to help reduce the spread of the virus around the globe. This haste doesn’t leave much time for adequate security testing, which can lead to serious consequences if hackers manage to exploit the application. The other reason is that criminals are developing applications of their own. Those applications pretend to serve a good cause but underneath are nothing more than ransomware or information-stealing software. The most recognizable software of this kind is “the corona map”, which appeared just after the pandemic started. It was distributed as a tool showing the current pandemic situation around the world. Victims could see a copy of a legitimate map, but hidden behind it was the “AZORult” malware running in the background, capable of stealing cryptocurrency wallets and passwords stored in the browser installed on the victim’s machine. Copies of this malware were sold on several Russian-language cybercrime forums in the form of “a digital Coronavirus infection kit”. Smartphones were also targeted: a special coronavirus version of the Android screen-locking malware SLocker was distributed via third-party marketplaces, in hopes of drawing in victims with coronavirus-related content. Researchers at Bitdefender investigated this malicious app, which has been targeting users in Ukraine, Russia, Kazakhstan and Turkmenistan.
The amount of malware distributed in recent weeks confirms the importance of the words of Estonia’s Prime Minister, Jüri Ratas. During the Security Council meeting which took place on 22nd May 2020 he said that “the need for a secure and functioning cyberspace is more pressing than ever”. He also criticized cyberattacks targeting hospitals and medical research facilities, which were launched during the pandemic. “Those attacks are unacceptable” said Ratas, highlighting the most important elements for securing cyberspace. “First, the United Nations Member States have agreed long ago that existing international law applies also in cyberspace. We hold the strong view that existing international law provides comprehensive guidance for state behavior regardless of the domain. By following this simple principle, the behavior of states in cyberspace can become more transparent and predictable. Second, Estonia considers that a framework for cyber stability and conflict prevention has already been established by existing international law, voluntary norms of responsible state behavior as well as confidence building measures. It is now important to implement this framework”. This Security Council meeting was attended by all council member states except Russia.
All texts published by the Warsaw Institute Foundation may be disseminated on the condition that their origin is credited. Images may not be used without permission.