Hell hath no fury like the cybersecurity community during a pandemic. As Covid-19 continues to spread around the planet, bringing much of it to a standstill and claiming thousands of lives, cybercriminals are capitalising on the chaos. Malicious hackers are pumping out scams that prey on people’s fear. They are flooding health agencies with traffic to slow their systems. And they are even attacking the central nervous system of the planet’s coronavirus response – the World Health Organization.
These attacks, which in some cases pose a direct risk to life, have infuriated cybersecurity professionals.
“Hospital and medical organisations are already strained, and their work must not be jeopardised by computer attacks,” says Mikko Hypponen, chief research officer at Finnish cybersecurity firm F-Secure.
“We have a very clear message to ransomware gangs: do not target hospitals. If you do, you face the full wrath of the cybersecurity community.”
Hypponen has good reason to be angry. On 11 March, the Champaign-Urbana Public Health District was held hostage by a ransomware attack, just as the Illinois public health agency was gearing up for its coronavirus response.
Two days later, malicious hackers launched a cyberattack against Brno University Hospital in the city of Brno, Czech Republic. The attack forced the hospital to shut down its entire IT network and was severe enough to postpone urgent surgical interventions – all as the number of Covid-19 cases increased in the European country.
Then, on 15 March, threat actors launched a cyberattack against the US Health and Human Services Department (HHS). The attack appeared to be a low level, Distributed Denial of Service (DDoS) attack that flooded HHS’ servers with millions of hits over the period of a few hours.
While the damage was limited, it represented the latest in a disturbing trend of coronavirus-related attacks.
“Cybercriminals show no ethical boundaries and will continue to attack wherever there could be a vulnerability,” says Jake Moore, cybersecurity specialist at Slovak internet security firm ESET.
The grassroots fightback
For Lisa Forte, partner at Red Goat Cyber Security, enough was enough. Forte, alongside PwnDefend’s Daniel Card and Radosław Gnat, information security expert at pharmaceutical firm GSK, set up the Cyber Volunteers 19 group to provide cybersecurity assistance to healthcare agencies.
“We decided then and there that something had to be done, however small, to help [healthcare providers] defend against attacks so they can focus on making people well again,” she says.
The direction of the group’s support is led by the healthcare providers and charities, says Forte, and sees more than 3,000 volunteers contribute to regular threat briefings, advice on best practice and business continuity assistance.
“We believe strongly that attacking a healthcare provider at any time is disgraceful but attacking them now is quite frankly repulsive,” says Forte. “We want to send the message to healthcare providers, their supply chains and charities that ‘you are the heroes in this fight but 3,000 cyber volunteers have your back.’”
“I’ve noticed an increased willingness amongst security folks to break down traditional bureaucratic and cultural barriers”
Collaboration is not unusual in the cybersecurity community, with threat intelligence often shared between rival companies to assist each other in the perpetual game of cat and mouse with cybercriminals.
“On the other hand, we’re balkanised between commercial enterprises, government agencies, company IT security departments, and academia,” says Joshua Saxe, chief scientist at Sophos.
To overcome this problem, Saxe set up a Slack channel called the Covid-19 Cyber Threat Coalition, which brings together cybersecurity experts across all these disciplines. The result? A running update of the latest coronavirus email scams, malware samples, malicious domains and all things coronavirus and cybersecurity-related. These are then poured over by some 600 experts from agencies including the UK’s National Cyber Crime Unit, threat researchers for tech giants and independent researchers who want to help in any way they can.
“With the Covid-19 crisis, I’ve noticed an increased willingness amongst security folks to break down traditional bureaucratic and cultural barriers and collaborate with a speed and intensity that’s rare,” adds Saxe. “That’s one of the silver linings of a crisis like this.”
Coronavirus hackers attack the WHO
The coronavirus does not discriminate between race, gender or age. It knows no borders. As such, it is almost unthinkable that criminals would attack the organisation most essential to coordinating the planet’s response – the World Health Organisation (WHO). Yet hacking attempts against the agency have soared since the coronavirus outbreak.
On 13 March, Alexander Urbelis, a cybersecurity expert and attorney with the New York-based Blackstone Law Group, discovered a hacking group set up a website that mimicked the internal email system of the WHO. The goal? To steal passwords and credentials from WHO members of staff in what is known as a watering hole attack.
“I realised quite quickly that this was a live attack on the World Health Organization in the midst of a pandemic,” Urbelis told Reuters, which first broke the news.
It is believed that an advanced group of hackers known as DarkHotel was behind the WHO cyberattack.
For Tony Cole, CTO at US cybersecurity firm Attivo Networks, if attacks on healthcare organisations – such as the WHO and HHS – are proven to be carried out by a nation state, it “should solicit the same response as bombing a hospital”.
“We should reserve the right to respond with force if someone does an attributed attack against a medical facility or facility doing research on vaccines, treatment, or cures during a pandemic,” he says.
“Just like our Geneva Convention agreements for wartime rules that you cannot bomb a medical care facility or a vehicle with the Red Cross emblem which could be administering care, you shouldn’t go after a facility working on care for pandemic victims.”
Coronavirus scams are rife
Not all coronavirus cyberattacks have been directed at health agencies. The majority of criminal activity is low level and casts a wide net: spam, phishing emails, malicious websites and malvertisements.
And with millions of workers switching to remote working to slow the spread of the virus, this has only created fresh opportunities for criminals to attack systems that might not be as protected outside of an office environment.
None of this opportunism is new; criminals have always taken advantage of panic to maximise the damage of scams. But the coronavirus is proving particularly fertile ground for fear. On 19 March, US cybersecurity firm Agari detected the first Covid-19 business email compromise attack, which saw scammers imitate an employee asking for company funds be sent to a new account in light of the pandemic.
Agari CEO and founder Patrick R. Peterson says that phishing and email authentication tools, as well as “leveraging the DMARC global standard to stop domain spoofing” are “extremely important right now to lessen the deluge of threats most companies are experiencing”.
Scammers have also been targeting healthcare professionals with phishing emails, with one asking them to click on a malicious link purporting to be a registration form for an online coronavirus awareness seminar.
“There have been a lot of criminal groups targeting medical workers who are already fatigued from their day to day work,” says Chad Anderson, senior security researcher at DomainTools. “This has not sat well with the security community and they’re aiming to do something about it.”
So what are they doing about it? In addition to the new levels of collaboration, firms such as Coveware and Emsisoft are offering free ransomware tools to healthcare providers, and many other cybersecurity companies are providing pro bono assistance during the crisis.
“We’ll hunt you down, no matter how long it takes”
But what offensive action can they take against malicious hackers capitalising on Covid-19?
“Legally it’s the same as it has been,” says Anderson. “Map the attacker infrastructure and talk to network operators for takedowns. If you can attribute to a specific person then hand that over to law enforcement contacts.”
But there is a sense that, for cybersecurity experts protecting health organisations and members of the public, the gloves are off and the community is united by one goal.
“The industry tends to be already pretty aggressive,” adds Peterson. “What’s changing is that the cyber community is coming together and joining forces to defend against these cybercriminals.”
And for the cybercriminals taking advantage of the biggest health crisis in more than a century, the message is clear.
“We’ll do what it takes to protect our hospitals,” says F-Secure’s Hypponen. “We’ll hunt you down, no matter how long it takes.”