Cyber Threats Amid the COVID-19 Pandemic 

April 16, 2020

By Kevin Dang 

Kevin Dang is a Cyber Security Advisor consulting for the Department of Health and Human Services. His work for the Critical Infrastructure Protection Division gives him visibility into the cyber threats that affect the Health Care sector. The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of the Department of Health and Human Services. 

As is often the case during any sort of disaster or emergency, cybersecurity takes a backseat in the minds of both people and organizations. For many people, this pandemic brings an existential threat on top of possible financial hardship. With COVID-19 dominating the news cycle, cyber threat actors are taking full advantage of the situation by running scams and phishing attacks that depend on the target's sense of fear and urgency. 

Anomali, a threat intelligence firm, has observed a spike in phishing-delivered malware in step with the spread of the health crisis. Notably, the attacks come from individual cyber criminals as well as state-sponsored threat actors [1]. One such COVID-19 themed attack was a phishing campaign disguised as official email from the Centers for Disease Control and Prevention (CDC), sent from the lookalike domains "cdc-gov.org" and "cdcgov.org" rather than the real cdc.gov [2]. 
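The lookalike domains above are the kind of thing a mail gateway or a quick triage script can catch mechanically. The following is an added example written for this article, not code from the author, Anomali or Kaspersky: it parses a From: header, collapses the sender domain to what the eye sees (lower-case, no dots or hyphens, public suffix removed) and compares that against an allowlist. The allowlist, the display-name keywords and the sample headers are constructed assumptions for illustration.

```python
"""Flag e-mail sender domains that imitate trusted public-health senders.

Added example for this article; TRUSTED_DOMAINS, ORG_KEYWORDS and the
sample headers are constructed assumptions, not data from the article.
"""
from email.utils import parseaddr
from typing import Dict, List, Tuple

# Assumed allowlist of domains that legitimately send on behalf of the
# organisations phishers like to impersonate (extend with your own).
TRUSTED_DOMAINS = {"cdc.gov", "who.int", "hhs.gov"}

# Assumed display-name keywords that should only appear together with a
# trusted sending domain.
ORG_KEYWORDS = {
    "cdc": "cdc.gov",
    "centers for disease control": "cdc.gov",
    "world health organization": "who.int",
}


def skeleton(domain: str) -> str:
    """Collapse a domain to what a reader sees: lower-case, no dots or hyphens."""
    return domain.lower().replace(".", "").replace("-", "")


def sender_domain(from_header: str) -> Tuple[str, str]:
    """Return (display_name, domain) parsed from a From: header value."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return name, ""
    return name, addr.rsplit("@", 1)[-1].lower().strip("[]")


def classify_sender(from_header: str) -> str:
    """Classify one From: header as trusted, lookalike, display-name spoof,
    unknown or malformed."""
    name, domain = sender_domain(from_header)
    if not domain:
        return "malformed"
    if domain in TRUSTED_DOMAINS or any(
        domain.endswith("." + trusted) for trusted in TRUSTED_DOMAINS
    ):
        return "trusted"
    # Drop the public suffix (last label) so that cdc-gov.org, cdcgov.org and
    # cdc.gov.example.com all collapse to something containing "cdcgov".
    without_tld = domain.rsplit(".", 1)[0]
    body = skeleton(without_tld)
    for trusted in sorted(TRUSTED_DOMAINS):
        if skeleton(trusted) in body:
            return f"lookalike of {trusted}"
    # The display name claims an organisation whose mail comes from elsewhere.
    lowered = name.lower()
    for keyword, trusted in ORG_KEYWORDS.items():
        if keyword in lowered:
            return f"display-name spoof of {trusted}"
    return "unknown"


def triage(headers: List[str]) -> Dict[str, str]:
    """Classify a batch of From: header values."""
    return {h: classify_sender(h) for h in headers}


# Constructed sample headers (not real messages).
SAMPLE_HEADERS = [
    "CDC Health Alert Network <noreply@cdc.gov>",
    "CDC-INFO <info@cdc-gov.org>",
    "CDC <alerts@cdcgov.org>",
    "Centers for Disease Control <updates@mailer-7.example>",
    "Jane Doe <jane@example.com>",
    "no address here",
]

if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS).items():
        print(f"{verdict:32s} {header}")
```

The skeleton comparison deliberately ignores the public suffix, since the attacker controls that part; a production filter would use the public suffix list rather than the last label, and would add homoglyph handling (Cyrillic "с" for Latin "c") and an edit-distance check for typo-squats. The display-name check is the cheap way to catch the "Centers for Disease Control" sent from a throwaway mailer, which is the more common pattern.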

In early March, the security vendor Reason Labs reported on a malware campaign that disguised itself as an interactive map of global COVID-19 cases. The app did not actually provide any real information and instead carried a version of the AZORult information stealer, which harvested usernames, passwords, credit card numbers, and other sensitive data from the user's web browser [3]. 

For companies that are struggling to stay afloat and being forced to make hard decisions about which employees to retain, investing in information security can be a hard sell to leadership who may not fully understand the risks. Shifting most employees from on-site to remote work on top of that compounds the risk for unprepared companies. Companies that did not previously have a formal teleworking policy may never have written down, let alone trained employees on, cybersecurity policies and best practices for working outside the office. As most cybersecurity professionals will tell you, people remain the most common way into an organization. No matter how robust the network infrastructure and security controls, one neglectful or disgruntled employee can cause massive damage.  

Anecdotally, a friend of mine who works in IT at his company has been struggling to manage the thousands of new devices remotely accessing the company network. This is due to limited VPN bandwidth, having to let employees use their own devices, and keeping up with an increase in troubleshooting tickets, all while being short-staffed due to temporary layoffs. Another friend, who is the lead IT security architect at his company, was temporarily laid off and can no longer monitor system access logs and alerts. While he was away, a disgruntled employee on the IT team abused their access to employees' emails (which would have alerted my friend) to leak confidential compensation information. Details aside, it's likely that these situations are not unique amid this worldwide upheaval.  

My job consulting for the Department of Health and Human Services (HHS) can be summed up as helping the private Healthcare Sector improve its overall cybersecurity posture. It is no secret that healthcare as a whole has a poor track record when it comes to preventing attackers from stealing Protected Health Information (PHI) and infecting systems with ransomware. This is due to many factors, including operating on very tight margins, small clinics and providers that lack technical knowledge or resources, the use of outdated operating systems to stay compatible with legacy, unpatchable medical devices, and (in my opinion) unspecific and outdated legislation regulating the protection of PHI. It's not just hospitals and clinics getting hacked, but also the IT service providers that manage their billing, scheduling, and records management.  

According to a report by the National Capital Region Threat Intelligence Consortium (which I am not at liberty to share publicly as a whole), they "assess with high confidence that organizations within the Healthcare and Public Health Sector are at high risk of targeted and opportunistic cyber-attacks exploiting the COVID-19 pandemic to disrupt operations, steal sensitive data, and generate illicit revenue for profit-motivated cyber threat actors". They report that last year healthcare organizations were already among the top three sectors most likely to be targeted by ransomware, and they cite numerous recent examples of ransomware attacks and phishing campaigns against both healthcare providers and public health government organizations. Even HHS recently saw a distributed denial of service (DDoS) attempt attributed to a foreign state actor. Luckily, this only resulted in a spotty VPN connection for a few hours. 

Combine the cybersecurity challenges that typical businesses are facing these days, the already poor cybersecurity posture of the healthcare sector, its position on the front lines of a pandemic, and threat actors stepping up their attacks to take advantage of the situation, and this is pretty close to a worst-case scenario for healthcare cybersecurity. I cannot even imagine how much worse it would be if another WannaCry-style worldwide cyber disaster were to hit right now (knock on wood) [4].  

So while everyone is reminded to wash their hands and not touch their face, please also do what you can to practice good cyber hygiene, both individually and organizationally. Be extra vigilant about phishing scams, and keep operating systems and security software updated. Those two habits alone stop a large share of the commodity attacks currently being thrown at the sector. 


References: 

  1. Mele, G., R., P., & Gould, T. (2020, March 23). COVID-19 Themes Are Being Utilized by Threat Actors of Varying Sophistication. Anomali. Retrieved April 7, 2020, from https://www.anomali.com/blog/covid-19-themes-are-being-utilized-by-threat-actors-of-varying-sophistication 

  2. Vergelis, M. (2020, February 7). Coronavirus phishing. Kaspersky. Retrieved from https://www.kaspersky.com/blog/coronavirus-phishing/32395/ 

  3. Reason Labs. (2020, March 9). COVID-19, Info Stealer & the Map of Threats – Threat Analysis Report. Retrieved from https://blog.reasonsecurity.com/2020/03/09/covid-19-info-stealer-the-map-of-threats-threat-analysis-report/ 

  4. Fruhlinger, J. (2018, August 30). What is WannaCry ransomware, how does it infect, and who was responsible? CSO Online. Retrieved from https://www.csoonline.com/article/3227906/what-is-wannacry-ransomware-how-does-it-infect-and-who-was-responsible.html