Published by The Lawfare Institute
Recently, Paul Rosenzweig shared his experiences as a government employee in the George W. Bush administration creating federal policies and procedures related to the preparation for, and response to, a potential outbreak of avian flu. Rosenzweig provides both a firsthand account of the “complexity of the questions that the government needs to address” when responding to a pandemic outbreak and insightful background for understanding recent response measures related to the new coronavirus and the disease it causes, COVID-19.
Rosenzweig’s post serves as a thorough description of the health and safety concerns arising directly from the coronavirus itself. But both the government and the private sector must also address new and evolving ancillary threats: phishing attempts and cyberattacks taking advantage of the spread of the virus. These threats weren’t present during the avian flu scare, but they cannot be ignored now. If unchecked, they have the potential to damage business and administrative operations during an already serious health emergency.
A phishing attack is generally defined as the use of an email or a website to fraudulently solicit personal information or other confidential data by posing as a trustworthy or reputable organization or individual. According to a 2019 study on cybersecurity in the private sector, “[p]hishing and social engineering attacks are now experienced by 85 percent of organizations, an increase of 16 percent over one year.” For several weeks, cybersecurity firms and the federal government alike have been warning organizations about phishing attacks in which the perpetrators seek to exploit fears about the coronavirus by masquerading as the Centers for Disease Control and Prevention (CDC), health care organizations, charities or other entities. These phishing attacks appear to be increasing steadily.
For example, as early as January 2020, KnowBe4 identified a “new malicious phishing campaign that is based on the fear of the Coronavirus” and even posted a “sample message” of a phishing attempt. The phishing email misrepresented that it was sent on behalf of the CDC, stated that the CDC was actively engaged in responding to the coronavirus and directed recipients of the message to click on an embedded link to access an “[u]pdated list of new [Coronavirus] cases around your city.” Of course, the link contained malicious code designed to compromise the end user’s device. Other cybersecurity firms and platforms, such as Reason Cybersecurity, TrustWave and IBM, have published similar intelligence.
In February, Proofpoint published an article uncovering a plot in which threat actors were sending phishing emails specifically targeting industries that are susceptible to shipping disruptions caused by COVID-19, such as manufacturing and transportation. The phishing attempt included a malicious Microsoft Word document that ostensibly contained information related to the disease’s impact on shipping, which if accessed could result in the installation of malware on the user’s device. According to Proofpoint, “[t]he malware actors doing this appear to be from Russia and Eastern Europe.”
According to NortonLifeLock Inc., phishing emails related to COVID-19 have become more sophisticated. In particular, although many phishing emails purport to be from the CDC or other health officials, cybercriminals have now begun to target employees’ workplace email accounts by impersonating senior company officials. NortonLifeLock describes one phishing email that represents itself as being from the human resources department of an organization, pretends to contain a new company policy drafted and implemented in response to COVID-19, and reads as follows: “All, Due to the coronavirus outbreak, [company name] is actively taking safety precautions by instituting a Communicable Disease Management Policy.” If employees receiving the phishing email attempt to access the fake company policy, they will inadvertently download malicious software that could potentially shut down their information technology assets and environment.
The federal government has been unfortunately disorganized in its response to the public health concerns posed by COVID-19. But there seems to be a clear and unified message with regard to these ancillary cyber threats. For example, on March 6, the Department of Homeland Security issued a cybersecurity bulletin warning individuals to “remain vigilant” for COVID-19-related scams. According to Homeland Security, “[c]yber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes.” The department states that individuals need to “[e]xercise caution in handling any email with a COVID-19-related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19.” Similarly, the Federal Trade Commission warned consumers that “[s]cammers are taking advantage of fears surrounding the Coronavirus” and are “setting up websites to sell bogus products, and using fake emails, texts, and social media posts as a ruse to take your money and get your personal information.”
Even the Federal Aviation Administration (FAA) issued a cyber alert stating that “[m]alicious cyber actors are using the Coronavirus Disease (COVID-19) as a theme to disguise phishing emails and entice users to click on malicious links or attachments[,]” which “direct users to websites requesting they input their credentials, allowing malicious cyber actors to use the stolen credentials to obtain unauthorized access.” The FAA warned that aviation personnel who are involved in responding to the coronavirus are likely “more susceptible” to the phishing emails because “they may resemble legitimate emails that these personnel expect to receive as part of their normal duties.”
These messages are not limited to the United States. The World Health Organization (WHO) has issued a warning on its website that “[c]riminals are disguising themselves” as WHO officials to steal money or sensitive information and that the organization is “aware of suspicious email messages attempting to take advantage of the 2019 novel coronavirus emergency.”
It would be crucial to counter these attacks even if the cyber realm were otherwise calm. But to make matters more difficult, these cyberattacks are occurring against the backdrop of an elevated cyber threat environment that U.S. businesses and critical infrastructure have faced since the U.S. strike on Iranian General Qassem Soleimani in January. Following the strike, Homeland Security issued a cyber alert to U.S. businesses and the cybersecurity community describing several of Iran’s previous cyber operations that targeted a variety of industries in the U.S. and warning that Iran could reengage in such operations. Now, organizations already burdened with monitoring and preparing for potential cyber threats emanating from Iran will need to spend even more resources to implement and maintain cybersecurity measures to protect against COVID-19-related phishing attacks.
The phishing emails related to the coronavirus are not the first time that cyber criminals have sought to exploit fears and tensions for financial gain—and they will not be the last. As the U.S. government and domestic businesses continue to respond to the coronavirus from a safety and health perspective, they must remain vigilant about their information security vulnerabilities in a cyber environment riddled with increased threats.