These are interesting times – the world is witnessing an unprecedented onslaught of upheavals not just in the ‘real-world’ but also in the cyber world. We greeted 2020 gingerly knowing the trade war between the US and China was going to bring about economic uncertainty, but little did we know a global pandemic was upon us.
While healthcare workers battle the COVID-19 virus, countries are in lockdown mode, and the global economy hangs in the balance, another war is raging in cyberspace.
Cyber risks and threats have multiplied with many more attack vectors, and hackers’ techniques are evolving faster than ever, blending technical prowess with sophisticated social engineering. The current challenge with the virus pandemic is a test of nations’ and businesses’ preparedness and resiliency on all fronts.
CYFIRMA’s threat visibility and intelligence research revealed an increase of more than 600% in cyber threat indicators related to the coronavirus pandemic from February to early March. These threat indicators are made up of conversations observed and uncovered on the dark web, in hackers’ forums, and in closed communities. What our researchers have seen and heard in these communities does not bode well for governments and businesses: hackers are hard at work, actively planning how to leverage this climate of fear and uncertainty to attain their political and financial objectives.
The United States Computer Emergency Readiness Team (US-CERT) has sent out alerts on scams tricking people into revealing personal information or donating to fraudulent charities, all under the pretext of helping to contain and manage the coronavirus. The Federal Trade Commission has also warned about similar scams.
CYFIRMA’s research team and multiple security vendors have reported that threat actors have used fear tactics to spread malware, including LokiBot, RemcosRAT, TrickBot, and FormBook.
These hackers’ communities span far and wide, communicating in Cantonese, Mandarin, Russian, English, and Korean, unleashing campaigns one after another to wreak havoc on unsuspecting nations and enterprises.
On Dark Web forums, a group from Hong Kong hatched a plan to create a new phishing campaign targeting the population from mainland China. The group aimed to create distrust and incite social unrest by assigning blame to the Chinese Communist Party.
Deeper analysis of hackers’ conversations also revealed groups from Taiwan discussing similar phishing and spam campaigns, specifically targeting influential persons in mainland China to cause further unrest.
Korean-speaking hackers were planning to make financial gains using sophisticated phishing campaigns loaded with data-exfiltration malware, and were creating a new variant of EMOTET (EMOTET is a malware strain first detected in 2014 and one of the most prevalent threats of 2019). These hackers were planning to target Japan, Australia, Singapore, and the US.
Our researchers also observed North Korean hackers targeting South Korean businesses. The phishing email carried the Korean-language title “Coronavirus Correspondence”, tricking recipients into opening it and thereby executing malware on their machines and across the network.
With COVID-19, many hacker groups were observed using brand impersonation: fake emails claiming to come from authoritative bodies such as the Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO). The subject lines and content of these emails were designed to entice, offering news updates and purported cures for the disease.
We also noticed coronavirus-themed emails crafted to look like messages from an organization’s leadership team and sent to all employees. These phishing attacks combine social engineering with embedded malware that infects the corporate network once opened, with the aim of stealing data and assets.
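Both of the impersonation patterns above (a trusted health body in the display name, or a named executive writing to all staff) leave a mechanical trace in the mail headers: the display name claims an identity that the sending domain does not back up. The script below is an added example written for this page, not CYFIRMA’s tooling or any vendor’s product; the allow-listed brand domains, the single executive directory entry (Jane Doe at example.com) and the sample messages are all constructed assumptions, and a real deployment would load them from configuration rather than hard-code them.

```python
"""Sender-impersonation triage for coronavirus-themed phishing.

Added example, not CYFIRMA's or any vendor's tooling. Flags a message whose
From display name claims a trusted health body (CDC, WHO) or a named executive
while the address comes from a domain that organisation does not send from,
and also flags look-alike domains and Reply-To redirection. Allow-lists and
sample messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list: phrases a phisher puts in the display name -> domains the
# real organisation actually sends from.
BRAND_DOMAINS = {
    "cdc": {"cdc.gov"},
    "centers for disease control": {"cdc.gov"},
    "who": {"who.int"},
    "world health organization": {"who.int"},
}
ALL_LEGIT = {d for ds in BRAND_DOMAINS.values() for d in ds}

# Assumed executive directory: lowercase display name -> corporate mail domain.
EXECUTIVES = {"jane doe": "example.com"}


def sender_domain(addr: str) -> str:
    """Lowercase domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_sender(raw_message: str) -> list:
    """Return sorted impersonation findings for one RFC 5322 message string."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = sender_domain(addr)
    name = display.lower()
    findings = set()

    # Brand impersonation: trusted phrase in the display name, untrusted domain.
    for phrase, legit in BRAND_DOMAINS.items():
        if re.search(r"\b" + re.escape(phrase) + r"\b", name) and domain not in legit:
            findings.add(f"brand:{phrase}")

    # Look-alike domain: the brand's label used as a label of an unrelated
    # domain (cdc-gov-info.com, who-int.org), caught even when the display
    # name itself is innocuous.
    for legit in ALL_LEGIT:
        label = re.escape(legit.split(".")[0])
        if domain not in ALL_LEGIT and re.search(rf"(^|[.-]){label}([.-]|$)", domain):
            findings.add(f"lookalike:{legit}")

    # Executive impersonation: a director's name from a non-corporate domain.
    for exec_name, corp_domain in EXECUTIVES.items():
        if exec_name in name and domain != corp_domain:
            findings.add(f"executive:{exec_name}")

    # Reply-To redirection: replies would go somewhere other than the sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and sender_domain(reply_addr) != domain:
        findings.add("reply-to-mismatch")

    return sorted(findings)


# Constructed sample messages (headers only matter for this check).
SAMPLES = {
    "fake_cdc": (
        "From: Centers for Disease Control and Prevention <alerts@cdc-gov-info.com>\n"
        "Subject: COVID-19 Update: New Cases In Your City\n\nSee attachment.\n"
    ),
    "fake_exec": (
        "From: Jane Doe <jane.doe@gmail.com>\n"
        "Reply-To: ceo.urgent@protonmail.com\n"
        "Subject: Coronavirus: confidential instruction for all staff\n\nOpen the file.\n"
    ),
    "real_who": "From: WHO Outbreak Team <info@who.int>\nSubject: Situation report\n\nText.\n",
    "real_exec": "From: Jane Doe <jane.doe@example.com>\nSubject: Remote work\n\nText.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10s} -> {check_sender(raw) or 'clean'}")
```

The display-name and look-alike checks are deliberately separate: a lure such as “WHO Outbreak Team <covid@who-int.org>” trips both, while a message with a bland display name and a typo-squatted domain trips only the second. Neither replaces SPF, DKIM and DMARC evaluation; they catch the case those controls allow, a phisher sending from a domain they legitimately own while claiming to be someone else.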
Other than unleashing cyberattacks to steal data, we also witnessed the planning of fake websites to sell face masks and other health apparatus using bitcoin in China, Japan, and the US.
To aggravate matters, hackers were also strategizing to spread fake news to create further confusion. By investigating the dark web marketplace, CYFIRMA uncovered illicit groups selling organic medicine claiming to cure and eradicate the COVID-19 virus. These discussions in the hackers’ communities were carried out in Mandarin, Japanese and English.
A new malware called ‘CoronaVP’ was being discussed by a Russian hacking community; this could lead to a new ransomware or EMOTET strain, designed to steal personal information.
Hackers exploiting the COVID-19 pandemic are motivated by a combination of personal financial gain and political espionage aimed at causing social upheaval. Threat actors in the world of cyber-crime are well equipped with tools, technology, expertise and financing to further both commercial and political agendas. In our hyper-connected digital world, cyber-crime is a lucrative business, and we should expect attacks to become more frequent and more sophisticated as the pandemic continues to cast a shadow over the global economy.
What we have witnessed in the field of cyber-intelligence has taught us the importance of staying vigilant, and frequently, the most dangerous forces at work are those we cannot see. The importance of relevant and timely threat intelligence cannot be over-emphasized as early detection of cyber threats could save organizations from hefty financial penalties and irreversible brand damage.