Opportunistic shifts in criminal activity. Viral disinformation. Stimulus packages.
Apr 22, 2020

News for the cybersecurity community during the COVID-19 emergency: Wednesday, April 22nd, 2020. Daily updates on how the pandemic is affecting the cybersecurity sector.

ESET suspects Russian services behind threat to Czech hospitals.

But the evidence seems tentative. Expats.cz reports that the security firm concluded that the CoViper malware found in Czech hospitals probably originated in Russia. “The origin of the attack cannot be determined unequivocally, but the tool MBR Locker, with which it was created, is in Russian. So are the instructions for the use of this tool, available at Russian hacker forums," ESET director for technologies Miroslav Dvořák told the press. There are, however, other indicators suggesting other origins: "We have also tracked down a digital trace on Chinese IP addresses,” Dvořák added.

Lidovky reported that unnamed sources inside the Czech government also incline to see a Russian origin of the campaign. The Russian embassy in Prague, Expats.cz says, denied any connection with the campaign, calling the reports "a fable, a dirty anti-Russian attack and an open provocation."

Does the COVID-19 emergency mean more cybercrime, or just an opportunistic shift in tactics and targets?

The Register has been talking with Secureworks, which has concluded that there's about the same amount of "badness" out there that we always see. It's just that the criminals have taken advantage of widespread fear of the coronavirus to change their phishbait to what the Register calls "the lure du jour." Secureworks' senior director of cyber intelligence said: "The threat level is pretty much constant but the actors have significantly shifted their focus, their lures and their phishes to almost exclusive focus on COVID-19. But that's just the same lures and phishes that would have been coming out with a different subject matter four months ago."

A contrasting view comes from the Center for Counter Fraud Studies at the University of Portsmouth, whose director told Help Net Security that the pandemic can be expected to produce a very large increase in cybercrime. “Previous recessions show a direct correlation between a fall in economic output and a rise in fraud.” He adds, “The deep recession we face, if typical of past economic downturns, looks set to lead to a substantial increase in fraud. Possible economic pressures may also lead people to radically re-evaluate loyalties and to rationalise behaviour which, in normal times, they would not consider appropriate."

The argument for an increase, then, would be predictive, based on a combination of a larger telework attack surface, economic pressure, and people with both skills and time on their hands.

A successful cybersecurity volunteer organization?

The CTI-League (its full name is the Cyber Threat Intelligence League), a voluntary group of information security professionals, has gained some positive reviews for its work helping organizations, especially hospitals, during the COVID-19 pandemic. Founded just last month, on March 14th, the CTI-League's services are, CyberScoop says, "in high demand," and the Hill describes the group's activities as "a quiet, daily war." US Cybersecurity and Infrastructure Security Agency Director Krebs tweeted his appreciation for the CTI-League's work during the emergency.

The CTI-League's inaugural report says the organization has grown to "over 1,400 vetted members in 76 countries, from 45 different sectors, including cybersecurity, healthcare, technology, telecommunications, Computer Emergency Response Teams (CERTs), government, and law enforcement." There have long been discussions of the ways in which volunteer organizations might help enhance cybersecurity, but the CTI-League may afford the first clear example of how one might actually work in practice. It seems closer in conception to earlier models from outside the sector, like the US Civil Air Patrol or the ham operators of the American Radio Relay League.

US Senate approves $310 billion in Paycheck Protection Program.

Tuesday afternoon the US Senate voted to approve an additional $310 billion in the Small Business Administration's Paycheck Protection Program (PPP). Fortune reports that the House, which is expected to vote in favor of the measure, could do so as early as tomorrow. The entire stimulus bill is larger than the amount allocated for the PPP—Bloomberg says the package totals $484 billion.

Five Senators ask US Cyber Command and CISA to move against cyber threats to the US pandemic response.

On Monday US Senators Blumenthal (Democrat of Connecticut), Cotton (Republican of Arkansas), Warner (Democrat of Virginia), Perdue (Republican of Georgia), and Markey (Democrat of Massachusetts) wrote to CISA Director Krebs and US Cyber Command's General Nakasone, asking that their organizations increase their efforts against cyber threats that have emerged during the COVID-19 pandemic. "We write to urge the Cybersecurity and Infrastructure Security Agency (CISA), in coordination with United States Cyber Command, and its partners to issue guidance to the health care sector, convene stakeholders, provide technical resources, and take necessary measures to deter our adversaries in response to these threats," they said in their letter.

The call for deterrence is directed against Russia, China, Iran, and North Korea, all of whom the Senators say are currently engaged in attacks against "healthcare, public health, and research" organizations, a particularly threatening target set as the US attempts to contain and recover from the COVID-19 pandemic.

US State Department report describes converging COVID-19 disinformation campaigns.

POLITICO has reviewed a report by the State Department's Global Engagement Center that concludes three governments—those of Russia, China, and Iran—are pushing complementary lines of disinformation:

  1. COVID-19 is an American bioweapon.
  2. The US is making political capital from the pandemic.
  3. The virus did not originate in China.
  4. US Army troops spread the virus.
  5. US sanctions are killing Iranians during the pandemic.
  6. China responded to the crisis effectively and responsibly, but the US response was marked by negligence.
  7. Russia, Iran, and China are handling the pandemic well.
  8. The US economy cannot withstand the toll COVID-19 is exacting.

The false stories are being distributed by a mix of official, semi-official, and cooperating outlets. Some of the official outlets aren't shy about disseminating surprisingly tabloidesque stories: a Russian military paper, Zvezda, for example, in March began retailing the story that the novel strain of coronavirus was developed by the Bill and Melinda Gates Foundation, an unspecified secret laboratory, and a cabal of pharmaceutical companies. Their goal was evidently profit. (This particular accusation, facially preposterous, was nonetheless picked up by "unknown activists," the Washington Post reports, and distributed through 4chan.)

Zvezda added a further dimension to the Gates Foundation conspiracy story with the manifestly false claim that the virus is known to be racially targeted. POLITICO quotes Zvezda: "It is noteworthy that the famous pharmaceutical giants and the Pentagon leadership participated in this theater of cruel cynicism. The fact is that while the disease affects only the representatives of the Mongoloid race, such suspicious selectivity raises questions from experts."

The lines of disinformation have both domestic and international audiences, and it seems likely that the convergence is an opportunistic matter: Iran, China, and Russia share a common adversary, the United States, and it's useful to deflect any blame for the crisis in that direction. The report describes the activity as a convergence, not necessarily a coordination, and that was partially confirmed by a comment from a representative of the Global Engagement Center to the Wall Street Journal. Lea Gabrielle, the GEC’s special envoy, told the Journal that much of the cooperation did seem to be opportunistic. But she added that there was also some evidence of coordinated action between the three governments. “Russia, China and Iran do have media cooperation agreements and I think this is important because disinformation narratives are known to originate from official state news sources,” she said.

The Chinese and Russian embassies in Washington didn't respond to the Journal's request for comment, but Iran's mission to the United Nations in New York emailed the paper as follows: “For sure, any disinformation or propaganda on the coronavirus pandemic is emanating from the U.S. administration, not Iran. U.S. media [is full of] stories of lies and disinformation spread by the administration.”