How COVID-19 became a dominant issue in the cyber threat environment

Ilmar Üle from CERT-EU writes about how COVID-19 became a dominant topic in the current cyber threat environment, as seen from the point of view of the experts tasked with protecting the EU institutions, bodies, and agencies. Data related to COVID-19 research is of great interest to data thieves, and teleworking from home via unsecured home networks is an additional favour COVID-19 has done to malicious hackers.

CERT-EU is the computer incident response team for EU institutions, bodies, and agencies. In addition to hands-on incident response, we also provide our constituents with information on cyber threats that they have been subjected to or that may become important in the foreseeable future.

When EU CyberNet asked me to write about the current cyber threat environment as seen from the point of view of the EU institutions, bodies, and agencies, one topic stood out: the last year has been dominated by COVID-19. The coronavirus plays an important role even in cyberspace. The threat of the virus and the drastic measures taken globally to stop its spread have left their mark on everything, including cybersecurity. Data related to COVID-19 research, the development and approval procedures for vaccines, distribution and cold-chain logistics – all of this is of deep interest to data thieves and espionage agencies. Online fraud attempts and the phishing messages that circulate daily now often involve the topic of COVID-19 one way or another.

The increased number of employees working from unsecured home networks is an additional favour COVID-19 has done to malicious hackers. Numerous companies expect employees to use their own computing devices when working from home, leaving the security settings to the wits of the user. At the risk of overusing an old proverb, a chain is only as strong as its weakest link. An unconfigured, mismanaged, or neglected home computer connecting to a corporate environment can end up being just that link.

Working from home requires an up-to-date and properly configured Virtual Private Network (VPN) service to be available to employees. Anecdotal evidence shows that many institutions and companies were, and still are, woefully unprepared for this. At the time of writing, numerous companies are still not using multi-factor authentication (MFA) for their VPN access. This has led to cases where cyber threat actors, be they criminally motivated or cyber-spies, simply log on to corporate networks with a valid username and password combination. How they obtain them is not always immediately clear, but most probably the credentials are phished or retrieved from compromised workstations or mobile devices. None of these logons would succeed if the VPN login process required one more authentication factor, such as a one-time code generated by a hardware token or a mobile app.
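To make the difference between those two login processes concrete, here is an added example (not code from the article or from CERT-EU) in Python. It implements the one-time code scheme that hardware tokens and authenticator apps typically use, HOTP (RFC 4226) and TOTP (RFC 6238), and contrasts a password-only VPN login with one that also demands the current code. The user record, password, salt and timestamps are constructed for the demo; the token secret is the public RFC test-vector key, so the codes can be checked against the RFC tables.

```python
import hashlib
import hmac
import struct

# Constructed demo material, not real credentials. The key is the RFC 4226 /
# RFC 6238 test-vector secret "12345678901234567890" in ASCII; a real
# enrolment generates random bytes and hands them to the app as base32.
DEMO_SECRET = b"12345678901234567890"
DEMO_SALT = b"constructed-demo-salt"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' picks 4 bytes at an offset taken from the last nibble."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the clock divided into 30-second steps,
    so a phished code is useless once the step has passed."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current step or one step either side (clock drift).
    compare_digest keeps the comparison constant-time."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def hash_password(password: str) -> bytes:
    # PBKDF2 with a fixed demo salt; a real system stores a per-user random salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000)


# Constructed VPN user record (hypothetical user and password).
USERS = {
    "alice": {"pw_hash": hash_password("Winter2020!"), "totp_secret": DEMO_SECRET},
}


def login_password_only(user: str, password: str) -> bool:
    """The weak setup: a phished username/password pair is enough."""
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["pw_hash"], hash_password(password))


def login_with_mfa(user: str, password: str, code: str, unix_time: int) -> bool:
    """The hardened setup: same credentials plus the code valid right now."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["pw_hash"], hash_password(password)):
        return False
    return verify_totp(rec["totp_secret"], code, unix_time)


if __name__ == "__main__":
    phished = ("alice", "Winter2020!")   # what the attacker harvested
    now = 1234567890                      # constructed timestamp (an RFC 6238 vector)
    print(login_password_only(*phished))                 # True: attacker is in
    print(login_with_mfa(*phished, "000000", now))       # False: no valid code
    fresh = totp(DEMO_SECRET, now)                       # what the token shows now
    print(login_with_mfa(*phished, fresh, now))          # True: legitimate user
    print(login_with_mfa(*phished, fresh, now + 3600))   # False: replayed an hour later
```

The last line is the point of the second factor: even a code the attacker managed to capture stops working within a minute, whereas a harvested password works until someone notices. The acceptance window of one step either side is the usual compromise between tolerating clock drift and limiting how long a captured code stays usable.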

However, MFA is no panacea and needs to be combined with common sense. We can call it cyber hygiene. Cyber hygiene encompasses not clicking on links that arrive in unexpected e-mails, not installing software from dubious sources, not storing multiple MFA components (such as passwords and software tokens) on the same computer, etc. A few significant cyber break-ins CERT-EU has witnessed recently have been the result of lapses in cyber hygiene and could have been less trivial to carry out if users had employed more common sense.

Speaking of other dominant threats, in early 2019 it looked like cryptojacking was going to oust ransomware from the top spot in easy monetisation of a compromise. Cryptojacking happens when criminals gain access to targets of opportunity and deploy cryptomining software to monetise the computing resources of the victim's machine. That trend was only temporary, however, as ransomware has since grown into big business, aided by several new tactics. First of all, ransomware authors are running affiliate programs. Previously, when a malicious hacker had compromised the infrastructure of a company, it was relatively difficult to monetise that access: one could steal some sensitive information and try to sell it, or reveal the breach to the affected company and hope for some sort of reward. Things are much better now for the criminally minded, because affiliate programs let them use ransomware as a service, deploying it on victim systems and splitting the profits with the people running that service.

Another new tactic is to exfiltrate a copy of the victim's files before encrypting them. Should the victim refuse to pay the ransom, these files are then sold to the highest bidder or published on a dedicated leak site. The threat of publication gives victims an additional reason to pay up, even when they have good backups.

Trying to predict the future is always a risky undertaking. However, I am quite confident that in the near future, the ongoing COVID-19 pandemic is going to fuel both criminal and espionage activities online. The upcoming vaccination campaigns will add another twist to this trend, with espionage actors trying to find out details of vaccine composition, production, and distribution, and cybercriminals exploiting the topic any way they can. There is a chance that cybercriminals will conduct what will look like espionage operations, aiming to steal COVID-19 or vaccine-related information in order to pass it on for financial profit.

Unfortunately, ransomware is also here to stay, at least in the foreseeable future. Ransomware operators will come up with ever more ingenious ways to “persuade” victims to pay up, forcing the victims to make hard and unpleasant choices between losing their data or paying the ransom, and spurring the growth of niche industries such as ransomware insurance.

The author expresses his personal views in this article.
