Hired guns, professional spies, and le Grand Frère.
N2K logoMay 28, 2020

News for the cybersecurity community during the COVID-19 emergency: Thursday, May 28th, 2020. Daily updates on how the pandemic is affecting the cybersecurity sector.

Hired guns, professional spies, and le Grand Frère.


Google's Threat Analysis Group says that various "hack-for-hire" outfits, most of them based in India, are spoofing World Health Organization operators using thinly disguised Gmail accounts. The campaigns are for the most part spearphishing efforts, and they use COVID-19-themed phishbait.

It's not entirely clear for whom the hired skids are working. Google's report comes wrapped in a discussion of how national espionage services are trying to take advantage of the pandemic, but the activity it ascribes to the hackers-for-hire (credential harvesting, identity theft, etc.) are at least as consistent with ordinary criminal activity. While espionage services have used criminal hired guns in the past, but there's certainly enough conventional crime underway to keep the hirelings busy.

(By the way, a study by INKY finds that an awful lot of the COVID-19 phishing traffic in circulation seems to come from US IP addresses, so we can all climb down off that high horse, fellow Yankees.)

France's exposure notification app advances.

The National Assembly and the Senate yesterday approved StopCovid, the exposure notification app developed for voluntary deployment to French users' smartphones. The Commission nationale de l'informatique et des libertés (CNIL), the national privacy watchdog agency, had approved the app on Tuesday, according to SecureWeek. Euro News says that the contentious debate that surrounded the vote focused on privacy concerns, and on getting assurances that StopCovid would be independent of Apple and Google, so Big Tech wouldn't become Big Brother.

Le Grand Frère or not, the app could be available for installation as soon as this coming Monday, Connexion reports. Designed for both iPhones and Android devices, users would voluntarily install the app, turn on Bluetooth, and accept notifications. The app will note any one-meter (or less) approach to other users' devices that lasts fifteen minutes (or more). Any user who's subsequently diagnosed with COVID-19 would receive a QR code from their testing lab which they would (again, presumably voluntarily) image with their device so the app would know they'd tested positive for the virus. At that point other users who'd been within a meter of the infected person's phone for a quarter of an hour would be pinged with an invitation "to take precautions and be tested themselves if necessary." Presumably this would involve some interaction with a centralized database, but the government has given assurances that the app won't identify infected persons, and that its data will all be encrypted and anonymous.

There are of course the foreseeable objections on grounds of privacy: “I do not want someone to know, or even to be able to know, who I have spent 15 minutes with, within one metre. It’s none of your business,” Connexion quotes Jean-Luc Mélenchon, head of the France Insoumise party. But critics also object on grounds of the app's expected usefulness, which they assess as low, and several complain that StopCovid is simply arriving too late to do much good.

Close-reading the National Health Service's Test and Trace website.

Computing's done it, and what they've extracted from the text of the British government's site isn't especially reassuring with respect to privacy protections. Sure it's in beta, so take what comfort you may from that, but Computing sniffs that the appearance of such Americanisms as "personal identifying information" (sic) suggests that the whole thing was rushed out. The site reads in part, "If you have had a positive test for COVID-19, we will ask for information about your illness, recent activities you did and people you met whilst you were potentially infectious. If you are a contact of a person who tested positive, we will ask about your health and provide health advice to keep yourself and others safe." You can ask the government to delete your data, but you've got no absolute right to such deletion, and the government plans to hang onto your information for twenty years.

Canadian security authorities warn that foreign intelligence services are exploiting the pandemic.

The CBC reports that Canada's Centre for Cyber Security (a unit of the Communication Security Establishment) has issued a Cyber Threat Bulletin in which the Centre offers an overview of how cyber threats have been shaped by the COVID-19 pandemic. The Bulletin is dated April 27th, but was posted only this Tuesday. Its seven conclusions are worth quoting in summary form:

  • "Cyber threat actors of varying motivations and sophistication are taking advantage of the COVID-19 pandemic as a thematic lure or subterfuge for their malicious activities, such as cyberespionage and cybercrime.
  • "The global health sector is under extreme pressure to mitigate the COVID-19 pandemic. We assess that, almost certainly, ransomware will continue to target healthcare and medical research facilities, jeopardizing patient outcomes and wider public health efforts.
  • "State intelligence collection requirements have shifted in response to COVID-19. We judge it is almost certain that cyber espionage directed at Canada will continue to attempt to steal Canadian intellectual property relating to COVID-19 medical research, as well as classified information regarding Government of Canada responses.
  • "We assess that multiple state-sponsored cyber threat actors have very likely reduced staff and temporarily slowed their operational tempo, but that their online operations will increase over the coming year as more traditional espionage activities remain hampered by travel restrictions and social distancing.
  • "Online influence campaigns continue to erode trust in official statements and figures, weakening public health responses and exacerbating the public anxiety and uncertainty that make COVID-19-themed cyber threats so effective.
  • "We expect the remote workforce almost certainly to be increasingly targeted by foreign intelligence services and cybercriminals. Cyber threat actors are already attempting to identify individuals working at home employed in areas of strategic interest and exploiting technologies deployed in support of a remote workforce, such as virtual private networks (VPNs) or video-conferencing platforms.
  • "We assess that it is very likely that authoritarian governments will use COVID-19 as a justification to procure and deploy surveillance technologies against their own citizens and expatriates residing in Canada or Canadians living abroad."

Both criminals and state espionage services have been using spoofed versions of Canadian government websites to collect information or install malware. The National Post reports that more than fifteen-hundred such bogus websites have been identified during the pandemic.

The point about state-sponsored threat groups facing staff reductions and adopting a lower operational tempo is interesting, and seems to represent the Centre's assessment of the probable effects the global economic downturn is having on intelligence services. The Bulletin mentions another probable effect of economic pain: intelligence services may well turn to revenue-generating cybercrime to make up their budget shortfalls.

Another caution in the Bulletin pertains to expatriate and immigrant communities: these are likely to come under pressure as authoritarian regimes tighten their own domestic controls.

The hostile influence campaigns the Centre alludes to are very much in the Russia disruptive style. The CBC observes that one such campaign has been active in Eastern Europe, where the Canadian-led battle group in Latvia has been fodder for rumors that it's a hotbed of COVID-19 infection.