
Keeping an eye on COVID-19 cyber security risks

As the world deals with the COVID-19 pandemic, cyber security issues may have taken a backseat for both individuals and companies. However, even when business as usual is no longer usual for most of us, nothing has really changed for cyber threat actors, with many exploiting the outbreak to continue their data theft and espionage activities; usually by leveraging people’s thirst for information about the virus to spread malware and steal sensitive data.

Given the many ways in which COVID-19 is being used to lure victims, we wanted to compile some of the key approaches to help you stay vigilant.

COVID-19 maps

One of the most successful attack vectors we’ve seen so far has been the exploitation of interest in Coronavirus maps, which are being used to track the spread of the virus. One of the most popular sites is a global tracking tool produced by the Johns Hopkins University, which provides a live heat map detailing the levels of infections and deaths around the world. This is regarded as one of the best sources of information for anyone wishing to track the virus, so it’s no surprise that threat actors are using very convincing copies of it to trick people into downloading and running a malicious application that installs malware which steals credentials, such as usernames, passwords and other sensitive information.

Another version of this crime is also affecting Android users and locking them out of their devices with ransomware. A malicious Coronavirusmap domain is distributing a version of an outbreak tracker app called COVID 19 Tracker, which claims to offer similar data to the Johns Hopkins map. However, anyone downloading the app will find that their screen becomes locked and they are presented with a ransom note claiming that their phone has been encrypted. Victims are then threatened that all their content—including pictures, videos and contact lists—will be erased if they do not pay $100 in Bitcoin within a set 48-hour period.

To help protect against these types of attacks, we recommend that anyone wishing to view a COVID-19 tracker map should seek out the relevant website via a traditional search engine and avoid clicking on any links sent via email or social media. Also, if you receive any emails or messages suggesting you try a different app on Apple or Android devices, you should only do this by visiting the official App Store or Google Play Store to minimise the risk. Finally, always back up your devices regularly so you can restore your data if necessary.

Cyber attacks and state espionage continue as usual

At a time when healthcare facilities are being overwhelmed across the globe, threat actors are making the most of the distraction. As one example, the COVID-19 testing laboratory in Brno University Hospital in Czechoslovakia was hit by what was described as “a severe cyber attack”, which resulted in it having to shut down its IT network. This news was reported alongside other claims in the US that the Department of Health and Human Services had also suffered an attack on its system. Exact details on both incidents are lacking, but the attack in the US is believed to have been an attempt to slow the agency’s systems down, and there are unsubstantiated claims that the actions were carried out by a malicious state actor.

In terms of state threats, security companies are continuously tracking state-sponsored Advanced Persistent Threat (APT) groups from various countries across the world, and US cybersecurity firm FireEye recently reported that a Chinese-linked group, labelled as APT41, has actually been ramping up activity in recent weeks. Interestingly, the group’s activity dipped for two weeks in early February, which is the time when China was concentrating its efforts on suppressing the source of the COVID-19 outbreak in Wuhan province.

Since then, the group has been seen targeting at least 75 organisations in 20 countries, stealing intellectual property and corporate data from the banking and finance, defence, government, technology, manufacturing, oil and gas, telecommunications and transport sectors. The campaign itself is leveraging current vulnerabilities in software and devices manufactured by Cisco, Citrix and Zoho. IT Security teams are encouraged to ensure that they have updated any relevant systems with the latest security patches, but every user should be vigilant regarding suspicious emails and messages because phishing campaigns and potential attacks are still continuing.

Fake news and virus misinformation

There are a number of campaigns currently leveraging people’s concerns over COVID-19 and their desire to stay informed. Social networks say they are fighting against the tide of false stories, but the sheer volume of information and the speed at which it can be shared makes this a very difficult task.

While many online users will say that they are well aware of fake news and are unlikely to fall for anything overtly bogus, many fake COVID-19 related messages have been shared widely across the world millions of times. Why does fake news spread so far and so quickly? Many of the stories are being forwarded to people by someone they trust, such as a friend or colleague, so they are less likely to question them. For example, the widely shared COVID-19 message from Microsoft’s Bill Gates—which was shared on many national newspaper sites—was recently revealed to be a fake. In another slightly different example, a string of WhatsApp messages circulated warning people to stay indoors after 11.30pm because helicopters were going to spray disinfectant into the air to eradicate the virus.

Even more concerning is the volume of scam messages claiming to be from either government officials or law enforcement. These have included a text message from the Police that threatens to fine anyone £3,500 for leaving home too often, and a message from HMRC that asks customers for their bank details so they can issue a COVID-19 related tax refund. It’s important to note that while the government did send out a recent text explaining the new rules for the current lockdown guidelines, it has confirmed that any others claiming to be from the UK government are false. If you receive any type of message that asks for any personal credentials or account details, you should ignore and delete it immediately.

Don’t let your cyber security fall to the wayside

Cyber criminals never close up shop and in a major crisis, such as the COVID-19 pandemic, they will be making the most of the distraction. Please make sure your organisation continues to keep cyber security as a priority as well as including it in business continuity plans. If your organisation needs assistance with cyber security, contact us.