How COVID-19 became a dominant issue in the cyber threat environment

Ilmar Üle from CERT-EU writes about how COVID-19 became the dominating topic in the current cyber threat environment, as seen from the point of view of an expert tasked with protecting the EU institutions, bodies, and agencies. Data related to COVID-19 research is of great interest to data thieves, and teleworking via unsecured home networks is an additional favour COVID-19 has done to malicious hackers.

CERT-EU is the computer incident response team for EU institutions, bodies, and agencies. In addition to hands-on incident response, we also provide our constituents with information on cyber threats that they have been subjected to or that may become important in the foreseeable future.

When EU CyberNet asked me to write about the current cyber threat environment as seen from the point of view of the EU institutions, bodies, and agencies, I could only say that the last year has been dominated by one topic: COVID-19. The coronavirus plays an important role even in cyberspace. The threat of the virus and the drastic measures taken globally to stop its spread have left their mark on everything, including cybersecurity. Data related to COVID-19 research, the development and approval procedure of vaccines, distribution and cold-chain logistics – all this is of deep interest to data thieves and espionage agencies. Online fraud attempts and prevalent phishing messages now often involve the topic of COVID-19 one way or another.

The increased number of employees working from unsecured home networks is an additional favour COVID-19 has done to malicious hackers. Numerous companies expect employees to use their own computing devices when working from home, leaving the security settings to the wits of the user. At the risk of overusing an old proverb, we can say that a chain is only as strong as its weakest link. An unconfigured, mismanaged, or neglected home computer connecting to a corporate environment can end up being just that link.

Working from home requires an up-to-date and properly configured virtual private network (VPN) service to be available to employees. Anecdotal evidence shows that many institutions and companies were, and still are, woefully unprepared for this. At the time of writing, numerous companies are still not using multi-factor authentication (MFA) for their VPN access. This has led to cases where cyber threat actors, be they criminally motivated or cyber-spies, simply log on to corporate networks with a valid username and password combination. How they obtain them is not always immediately clear, but most probably the credentials are phished or retrieved from compromised workstations or mobile devices. None of this would happen if the VPN logon process used one more authentication factor, such as a PIN generated by a dongle or a mobile app.
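One way to audit for the single-factor VPN logons described above, as an added example that is not CERT-EU's code and uses no real product's log format: a Python script over constructed gateway log lines (the line layout and the `method=` field are hypothetical) that lists sessions established with a password alone and reports which users have never logged on without a second factor.

```python
import re
from datetime import datetime

# Constructed sample VPN gateway log (hypothetical format, not any real
# appliance). "method" lists the factors the session was established with.
SAMPLE_LOG = """\
2020-11-03T07:58:12Z vpn-gw1 auth user=a.smith src=203.0.113.7 method=password result=success
2020-11-03T08:01:44Z vpn-gw1 auth user=a.smith src=203.0.113.7 method=password+totp result=success
2020-11-03T08:15:02Z vpn-gw1 auth user=b.jones src=198.51.100.23 method=password result=success
2020-11-03T08:15:40Z vpn-gw1 auth user=b.jones src=198.51.100.23 method=password result=failure
2020-11-03T09:20:11Z vpn-gw1 auth user=c.lee src=192.0.2.88 method=password+totp result=success
this line is malformed and must be skipped
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"method=(?P<method>\S+) result=(?P<result>\S+)$"
)

def parse_log(text):
    """Parse log lines into dicts; lines not matching the format are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["factors"] = ev["method"].split("+")
        events.append(ev)
    return events

def password_only_logons(events):
    """Successful sessions with a password and no second factor: exactly the
    logons a phished username/password pair alone would allow."""
    return [e for e in events
            if e["result"] == "success" and e["factors"] == ["password"]]

def mfa_coverage(events):
    """Per user: True only if every successful logon carried a second factor."""
    coverage = {}
    for e in events:
        if e["result"] == "success":
            coverage[e["user"]] = coverage.get(e["user"], True) and len(e["factors"]) > 1
    return coverage

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in password_only_logons(evs):
        print(f"{e['ts']:%Y-%m-%d %H:%M} {e['user']} from {e['src']}: password only")
    print("MFA coverage:", mfa_coverage(evs))
```

Users reported as `False` in the coverage map are the accounts for which a stolen password alone was enough at least once; those are the ones to move onto MFA first.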

However, MFA is no panacea and needs to be combined with common sense. We can call it cyber hygiene. Cyber hygiene encompasses not clicking on links that arrive in unexpected e-mails, not installing software from dubious sources, not storing multiple MFA components (such as passwords and software tokens) on the same computer, etc. A few significant cyber break-ins CERT-EU has witnessed recently have been the result of lapses in cyber hygiene and could have been less trivial to carry out if users had employed more common sense.

Speaking about other dominant threats, in early 2019 it looked like cryptojacking was going to oust ransomware from the top spot in easy monetisation of compromises. Cryptojacking happens when criminals gain access to targets of opportunity and deploy cryptomining software to monetise the computing resources available on the victim computer. However, that trend was only temporary, as ransomware has now grown into big business. This is aided by several new tactics. First of all, ransomware authors are running affiliate programs. Previously, when a malicious hacker had compromised the infrastructure of a company, it was relatively difficult to monetise that access. One could steal some sensitive information and try to sell it on, or reveal the breach to the affected company and hope for some sort of reward. Things are much better now for the criminally minded, because affiliate programs allow them to use ransomware as a service, deploying it on victim systems and splitting the profits with the people running that service.

Another new tactic is to download a copy of the victim's files before encrypting them. Should the victim refuse to pay the ransom, these files are then sold to the highest bidder or released on a dedicated leak site. The threat of that serves as an additional motivation for victims to pay up.

Trying to predict the future is always a risky undertaking. However, I am quite confident that in the near future, the ongoing COVID-19 pandemic is going to fuel both criminal and espionage activities online. The upcoming vaccination will add another spin to this trend, with espionage actors trying to find out details of vaccine composition, production, and distribution and cybercriminals exploiting the topic any way they can. There is a chance that cybercriminals will conduct what will look like espionage operations, aiming to steal COVID-19 or vaccine related information in order to pass it on for financial profit.

Unfortunately, ransomware is also here to stay, at least in the foreseeable future. Ransomware operators will come up with ever more ingenious ways to “persuade” victims to pay up, forcing the victims to make hard and unpleasant choices between losing their data or paying the ransom, and spurring the growth of niche industries such as ransomware insurance.

The author expresses his personal views in this article.
