APTs take advantage of the pandemic. Tracing contacts and origins.
The CyberWire, May 5, 2020

News for the cybersecurity community during the COVID-19 emergency: Tuesday, May 5th, 2020. Daily updates on how the pandemic is affecting the cybersecurity sector.

APTs take advantage of the pandemic. Tracing contacts and origins.

US Secretary of Defense accuses Russia, China, of exploiting COVID-19 pandemic.

Secretary of Defense Mark Esper said yesterday that Russia and China were exploiting the COVID-19 pandemic to gain influence in Europe, Reuters reports. The matter came up in an interview with La Stampa, during which Secretary Esper was asked about Russian and Chinese offers of aid to Italy during the emergency. Such aid, he said, is a play to enhance their position in Italy and in Europe as a whole. In China's case, the Secretary added, Beijing is also using the crisis as an opportunity to couple its exports more tightly to European supply chains. (Russia's prospects of capturing such supply chains are not generally reckoned favorable.)

Joint UK-US warning on threats to healthcare organizations.

The UK's National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) this morning released a joint advisory warning that "APT groups" are targeting healthcare and essential services. Such attacks could in principle be either state-sponsored or the work of criminal gangs, and both kinds of threat actor have been active during the pandemic emergency, but "APT" (advanced persistent threat) has come to be functionally equivalent to "state-sponsored threat actor." The advisory summarizes the goals of the campaigns as follows:

"APT actors are actively targeting organizations involved in both national and international COVID-19 responses. These organizations include healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments.

"APT actors frequently target organizations in order to collect bulk personal information, intellectual property, and intelligence that aligns with national priorities.

"The pandemic has likely raised additional interest for APT actors to gather information related to COVID-19. For example, actors may seek to obtain intelligence on national and international healthcare policy, or acquire sensitive data on COVID-19-related research."

The threat actors are actively scanning for a short list of known vulnerabilities in their targets' Internet-facing systems: the Citrix vulnerability CVE-2019-19781 and vulnerabilities in virtual private network products from Pulse Secure, Fortinet, and Palo Alto Networks. They are also conducting large-scale password-spraying attacks, in which a few commonly used passwords are tried against many accounts, keeping the failure count per account low enough to stay under conventional lockout thresholds.
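The password-spraying pattern the advisory describes has a recognizable shape in authentication logs: one source fails against many distinct accounts with only one or two attempts each, the opposite of classic brute force, which hammers one account. The following is an added example, not code from the advisory or from NCSC/CISA, showing that detection logic run over a small set of constructed VPN log lines. The log format (`<timestamp> <src_ip> user=<name> result=<OK|FAIL>`) and all thresholds are assumptions made for the example; adapt the parser to your VPN's real format.

```python
"""Password-spray detection over constructed VPN authentication logs.

Added example; the log format, addresses, user names and thresholds are
assumptions for illustration and not taken from any vendor or advisory.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). 203.0.113.10 sprays six accounts
# once each, then lands a success on "bob"; 198.51.100.7 brute-forces one
# account; 192.0.2.5 is a user who mistyped a password once.
SAMPLE_LOG = """\
2020-05-05T08:00:01Z 203.0.113.10 user=alice result=FAIL
2020-05-05T08:00:04Z 203.0.113.10 user=bob result=FAIL
2020-05-05T08:00:07Z 203.0.113.10 user=carol result=FAIL
2020-05-05T08:00:10Z 203.0.113.10 user=dave result=FAIL
2020-05-05T08:00:13Z 203.0.113.10 user=erin result=FAIL
2020-05-05T08:00:16Z 203.0.113.10 user=frank result=FAIL
2020-05-05T08:31:20Z 203.0.113.10 user=alice result=FAIL
2020-05-05T08:31:23Z 203.0.113.10 user=bob result=OK
2020-05-05T08:05:00Z 198.51.100.7 user=alice result=FAIL
2020-05-05T08:05:05Z 198.51.100.7 user=alice result=FAIL
2020-05-05T08:05:10Z 198.51.100.7 user=alice result=FAIL
2020-05-05T08:05:15Z 198.51.100.7 user=alice result=FAIL
2020-05-05T08:05:20Z 198.51.100.7 user=alice result=FAIL
2020-05-05T08:05:25Z 198.51.100.7 user=alice result=FAIL
2020-05-05T08:05:30Z 198.51.100.7 user=alice result=FAIL
2020-05-05T08:05:35Z 198.51.100.7 user=alice result=FAIL
2020-05-05T08:10:00Z 192.0.2.5 user=carol result=FAIL
2020-05-05T08:10:05Z 192.0.2.5 user=carol result=OK
"""

# Assumed line format: "<ISO-8601 UTC timestamp> <src_ip> user=<name> result=<OK|FAIL>"
LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) result=(OK|FAIL)$")


def parse_log(text):
    """Return a list of (timestamp, src_ip, user, success) tuples; lines that
    do not match the assumed format are skipped rather than crashing the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return events


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Flag source IPs whose failures inside one window touch at least
    `min_users` distinct accounts with no more than `max_per_user` failures
    each. The per-user cap is what separates a spray from brute force
    against a single account, which a lockout policy already catches."""
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((ts, user, ok))

    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [(ts, u) for ts, u, ok in evs if not ok]
        for i, (start, _) in enumerate(fails):
            per_user = Counter(u for ts, u in fails[i:] if ts - start <= window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # Any success from the same source after the spray began is an
                # account to reset first: the spray most likely found its password.
                hits = sorted({u for ts, u, ok in evs if ok and ts >= start})
                findings[src] = {
                    "first_seen": start,
                    "accounts_tried": len(per_user),
                    "successes": hits,
                }
                break
    return findings


def distinct_failed_accounts(events, window=timedelta(minutes=30)):
    """Tenant-wide view: the largest number of distinct accounts that failed
    authentication inside any single window, regardless of source. A spray
    spread across many source IPs to stay under the per-source threshold
    still shows up here when compared against a normal-day baseline."""
    fails = sorted((ts, u) for ts, _, u, ok in events if not ok)
    best = 0
    for i, (start, _) in enumerate(fails):
        best = max(best, len({u for ts, u in fails[i:] if ts - start <= window}))
    return best


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, info in detect_spray(evs).items():
        print(f"spray from {src}: {info['accounts_tried']} accounts, "
              f"first seen {info['first_seen']:%H:%M:%S}, successes {info['successes']}")
    print("max distinct accounts failing in one window:", distinct_failed_accounts(evs))
```

The per-source check catches the simple case; the tenant-wide count is the caveat a practitioner wants, because a spray run from a large proxy pool keeps each source under any per-IP threshold. In practice the thresholds should be tuned against your own failure baseline, and a success from a flagged source is the highest-priority alert, since it means the spray worked.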

The UK has been especially concerned to block these threats, which have been particularly active against the country's biomedical research sector. The Wall Street Journal calls NCSC's response a "pivot," and reports that measures are being taken to protect institutions engaged in vaccine research.

Investigations into COVID-19's origins continue.

US Secretary of State Pompeo said over the weekend that the US Intelligence Community had found evidence that COVID-19 may have escaped from a virus research lab in Wuhan. The suspicion is not that the virus was developed as a bioweapon, or that it was engineered in a research program, both possibilities that are generally dismissed, but rather that samples of the virus under study escaped from the Wuhan lab.

The World Health Organization says (according to Agence France-Presse) that the US has so far provided it with no evidence of the laboratory's involvement, nor, Foreign Policy reports, have the other Five Eyes offered any confirmation. Canadian and British officials said the question remained open; it is "still too early to offer firm conclusions," as Canadian Prime Minister Trudeau put it. Australian Prime Minister Morrison, according to the Sydney Morning Herald, said his government's view was that the virus probably jumped to human populations in a Wuhan wet market, and that while a lab accident was possible, Australian services estimated that likelihood as low ("5%"). In any case Prime Minister Morrison called for an independent investigation by the G20 into COVID-19's origins.

Dr. Anthony Fauci, Director of the US National Institute of Allergy and Infectious Diseases, told National Geographic that the virus probably emerged in the wild and made the jump to humans from there. More investigation remains to be done, as the BBC reports, noting as it does so the difficulty of working out attribution without running afoul of American and Chinese sensibilities.

Contact-tracing app development.

The UK has begun to pilot its contact-tracing app on the Isle of Wight. Matt Hancock, Secretary of State for Health and Social Care, gave the islanders a bucking up. “We’ll learn a lot, we’ll use it to make things better, and we want to hear from you,” the Telegraph quotes him as saying. “Where the Isle of Wight goes, Britain follows.”

The British system is something of an outlier among the more recent approaches to contact tracing in that it takes a centralized approach to collecting and analyzing data. The Telegraph has a description of how the app is intended to work. It's an opt-in system that uses Bluetooth to sense proximity and that depends on users self-reporting positive diagnoses. A skeptical piece in the Register outlines some of the challenges confronting the NHSX-developed app, and a second Register article reports that the NHS has informed Parliament that it intends to retain the data it collects even after the pandemic passes. The centralized collection and analysis, and the plans to continue using the data for research, have led to calls, ComputerWeekly says, for close legislative oversight of the system.

The inadvertent exposure of a contact-tracing database in India has aroused suspicion about the security and privacy of such efforts, SC Magazine observes. The Washington Post has an overview of how those suspicions are currently being manifested around the world. In the US, while other projects are under development, the joint Apple-Google exposure notification system has attracted the most interest. It's decentralized, opt-in, and will not, Reuters reports, use location tracking.

FireEye offers a security firm's perspective on the guidelines within which contact tracing ought to be developed. In brief, the company argues that these principles should be followed:

  • Secure consent for tracking data "on an individual level." This includes familiar strictures on transparency and disclosure: what's collected, why it's collected, how it's collected, what it's used for, and who gets to see it.
  • Establish time restrictions: when do collection and analysis stop?
  • "Use the right technology." GPS? Bluetooth? Video surveillance? Mobile antenna location? Different technologies are better adapted to different purposes.
  • "Properly secure the collected data."
  • "Prepare to facilitate data protection rights, including deletion rights."

Lawyers have their own perspective, and in Law360 Cooley offers a good example of the principles and practices they would recommend for a "cautious approach to contact tracing." They focus on transparency, and that includes clarity about the mission of any contact-tracing system. They urge devoting a good deal of attention to communicating effectively with the people who'll be affected by data collection—this is no time for hundred-page EULAs, but it would be a good time to get help from marketing specialists who know how to communicate with brevity and clarity. Minimize data collection, use, and retention. Anonymize any data collected. Limit the third-parties with whom data are shared, and make sure the users know who those third-parties are. Treat data collected as sensitive, and protect it accordingly.

Finally, there have been reports of lawful intercept vendors offering their services to governments for contact tracing. But there are other companies whose technology is likely to be more acceptable and perhaps more readily adaptable to the purpose: fitness app providers. And in fact the Telegraph reports that Fitbit has been in discussion with the US Government to see how its products might be used to trace exposure to COVID-19.

Animal adoption as phishbait during the pandemic.

Not all human-animal interaction during the pandemic has come in wet markets. There's been a striking rise in the rate of animal adoptions as people look for companions during a time of isolation, with WIRED having gone so far as to say that "animal shelters are empty." That's clearly an exaggeration, at least if taken generally and literally, but it does seem that pet adoption is up significantly.

Since demand equals opportunity for criminals, there's also been a spike in what Naked Security calls "puppy scams." These are like romance scams, only using cute pictures of dogs as the catphish. You send your money in for an adoption, and that money's gone, with nary a puppy in sight.

If you're looking for an animal to adopt, there are reputable local shelters who can put you in touch with a pet needing a home. In the Middle Atlantic region of the US, you might consider TreeTop Animal Rescue. They're the people who rescued the official editorial dog of the CyberWire, whose adoption page may be seen at the link. For now TreeTop is low on dogs, but they've still got some nice cats who could use a good home.