The U.K. and U.S. Security Agencies Issue Joint COVID-19 Cyber Threat Update
On 8 April 2020, the U.K.’s National Cyber Security Centre (“NCSC”) and the U.S. Department of Homeland Security (“DHS”) Cybersecurity and Infrastructure Agency (“CISA”) published a
The Advisory seeks to highlight the increasing use of COVID-19-related themes by malicious cyber actors and includes a non-exhaustive list of examples (discussed further below). The Advisory states that the frequency and severity of COVID-19-related cyber attacks are expected to rise and, as the pandemic continues internationally, the number of successful cyber attacks will undoubtedly also increase, with cyber criminals focusing their efforts on preying on the natural vulnerabilities of individuals as human beings globally during this time.
The message from the Advisory is clear—individuals and organisations must remain “vigilant” during this time. Only guidance from trusted public sources should be followed and if there is any doubt as to the legitimacy of a communication received, the recipient should not carry out the act requested by the communication.
Examples of Attacks
The Advisory details certain cybercrime scenarios it has seen used with COVID-19 as the lure or cover story. Whilst the COVID-19 element of the cybercrimes is new, the Advisory notes that the “goals and targets are consistent with long-standing priorities such as espionage and information operations”, meaning that the cyber criminals have identified a new angle, based on the global emergency, that they can manipulate to replicate a long-standing practice of committing crimes for their financial gain.
The Advisory explains that cyber criminals are seeking to take advantage of human traits such as curiosity and concern around COVID-19 in order to persuade potential victims to carry out acts such as clicking on a link or downloading an app that may lead the victim to a phishing website, or opening a file which contains malware. As with non-COVID-19 related cybercrimes, the perpetrators attempt to create an impression of authenticity of the sender by saying the communication is from a trustworthy source, such as the Government or, on a more personal level, a colleague in the HR department or even a superior at work.
More specifically, examples detailed in the Advisory include:
Phishing emails for malware deployment
A number of threat actors have used COVID-19-related lures to deploy malware. Emails persuade victims to open an attachment or download a malicious file from a linked web page. When they open the attachment, the malware is executed, compromising the victim’s device.
For example, the NCSC has observed various email-distributed malware campaigns that deploy the Agent Tesla keylogger. In one, the email appears to be sent from a doctor of the World Health Organization. Another similar campaign offers thermometers and face masks to fight the epidemic. The email purports to attach images of these medical products but instead contains a loader for Agent Tesla.
Whilst less common than email phishing, the NCSC and CISA have observed attempts to carry out phishing using SMS. The SMS phishing attempts thus far appear to have had a financial focus, as is fairly common with non-COVID-19 related SMS phishing attempts. The SMS messages are taking advantage of the economic impact of the pandemic and, in some circumstances, are based on the financial support packages offered by governments.
For example, a series of SMS messages use a U.K. government themed lure to harvest email, address, name, and bank account information. These SMS messages, purporting to be from ‘COVID’ and ‘UKGOV,’ lead victims to malicious websites which look similar to official sites. In recent weeks, the U.K. Government started a campaign to communicate COVID-19 SMS messages to U.K. residents which means criminal SMS messages purporting to be from the U.K. Government are more easily trusted by victims.
Home working vulnerabilities
As recently discussed in depth in an insight produced by Paul Hastings, the Advisory also highlighted that malicious cyber actors are looking to take advantage of the vast increase in workforces working from home.
The cyber actors are doing so by exploiting a variety of publicly known vulnerabilities in VPNs and other remote working tools and software. Malicious cyber actors are also attempting to exploit the increased use of popular communications platforms used by businesses by sending phishing emails purporting to be from such platforms and by creating phishing websites purporting to be the official website of such platforms.
These are just some of the examples noted in the Advisory, and indeed it is likely the Advisory itself only comments on some of the trends the NCSC and CISA have identified. However, it is clear from the examples provided in the Advisory that the malicious cyber actors are taking a sophisticated approach to their activities, and businesses and individuals should be extremely cautious of all COVID-19-related communications they receive.
Tips for Remaining Vigilant
How do in-house legal and security teams, as well as their workforces, combat this tide?
We’ve prepared the following list of tips that businesses and individuals should consider:
Ensure employees are made aware of the increase in COVID-19-related cyber threats as soon as possible, and reinforce the business’s existing privacy and security principles, policies, procedures, and any guidance as it pertains to IT security and cybercrime. Indeed, if such internal documentation does not exist, then it should promptly be prepared and distributed throughout the business. Whilst not all businesses will find themselves a target of such attacks, promoting cyber security awareness throughout the business is always encouraged and will enhance employees’ alertness to issues with respect to their own, as well as work, devices and accounts. And in all events, regulators will likely take the view that a business without a sufficiently documented security program is falling short of expected best practices.
Ensure the remote working setup offers sufficient security whilst also delivering the needs of the business. Businesses must, for example, ensure regular updates are made to both the VPN and remote desktop systems, carry out tests as regards the sufficiency and efficiency of the security systems in place, and keep the dialogue open with employees who are using the systems daily.
Keep up to date with industry guidance—in addition to agencies such as the NCSC and CISA, other regulators and authorities are also trying to increase awareness of cyber threats. Data protection regulators, such as the Information Commissioner’s Office in the U.K., have been using their respective platforms to highlight the prevalence of cyber criminal activity, particularly as it relates to the security requirements of legislation.
The overriding message within any organisation should be: if you are even slightly concerned about a communication received, do not action the request and immediately report it. If this is a communication received in a work context, the report should be made in accordance with internal rules and procedures. However, if it is received in an individual capacity, the Advisory urges us to consider reporting it to the relevant local cybercrime authority through the official channels.
COVID-19 continues to have a huge impact on businesses and the lives of individuals around the world and it is unknown how long this will continue. Unfortunately, this means that we are only set to see a continued increase in the number of COVID-19-related cybercrimes perpetrated, and it is essential that businesses and individuals take heed of the message being given by the agencies and others.