It’s hard to tell who’s benefitting most from the coronavirus – Russia, hackers or hand sanitizer vendors, the latter of whom are at least trying to help stop the spread of the dangerous disease.
A State Department official told Congress Thursday that Russian operatives are behind coronavirus conspiracy theories popping up on social media while the new illness has prompted phishing campaigns and other cybersecurity hijinks.
The coordinator for the State Department’s Global Engagement Center, Lea Gabrielle, said the “entire ecosystem of Russian disinformation is at play,” after an analysis of millions of tweets showed that known conspiracy theories about coronavirus “amounted to about seven percent of the Twitter conversation” between January 10 and February 20.
Some of the usual bad actors are looking to capitalize on fears over the virus. Check Point reported that “the most prominent Coronavirus-themed campaign targeted Japan, distributing Emotet – the leading malware type for the fourth month running – in malicious email attachments feigning to be sent by a Japanese disability welfare service provider” with the emails appearing “to be reporting where the infection is spreading in several Japanese cities, encouraging the victim to open the document which, if opened, attempts to download Emotet on their computer.”
Trickbot’s operators trained their efforts on Italy, where coronavirus has spread to 3,800 people with 148 deaths reported. Recent messages aimed at Italian email addresses carry “a document purported to be a list of precautions to take to prevent infection” but it is actually “a weaponized Word document, carrying a Visual Basic for Applications (VBA) script that carries a dropper used to deliver a new Trickbot variant,” Sean Gallagher, senior threat researcher at Sophos, wrote in a blog post. “With concerns about COVID-19 on the rise – particularly in Italy, where cases are surging – the spam campaign’s subject line is now in tune with the concerns of the day.”
The emails, purporting to be from “Dr. Penelope Marchetti” read:
Due to the fact that cases of coronavirus infection are documented in your area, the World Health Organization has prepared a document that includes all necessary precautions against coronavirus infection. We strongly recommend that you read the document attached to this message!
Proofpoint, which has seen an uptick in activity around Coronavirus, wrote in a blog post that “the most notable developments we’ve seen are attacks that leverage conspiracy theory-based fears around purported unreleased cures for Coronavirus and campaigns that abuse perceived legitimate sources of health information to
In an in-person interview on February 11, Sherrod DeGrippo, senior director of threat research and detection, told SC Media that the company is now seeing a new coronavirus email phishing campaign “every couple of days,” and predicted that more will come.
the campaigns have tended to use a mix of lures, some of which are coronavirus-themed, while others are more conventionally designed to look like fake invoices, shipping receipts and résumés. Some have exclusively targeted health care professionals, while others have targeted shipping companies and operators of large freighter fleets, she continued.
helping [the cybercriminals] is that a lot of HR departments are sending out coronavirus updates for their workforce,” instructing employees to stay home if they are sick, for example. So the phishing emails are “mixing in with the legit HR coronavirus warnings and that makes it harder to tell [the difference] and I think that that’s part of what the threat actor motivation is: ‘Well, we know you’re getting a legit one, so we’re gonna send one with
IBM Security has noted scams related to the virus since January and a Check Point report revealed registration of domains related to coronavirus has risen, with the company noting in a Thursday blog post that “Coronavirus-related domains are 50 [percent] more likely to be malicious than other domains registered at the same period, and also higher than recent seasonal themes such as Valentine’s Day.”
While cybersecurity pros track malicious incidents and health officials as well as an anxious public mull the potential human toll of the coronavirus and ways to mitigate its impact, organizations are planning for the stress on resources, security challenges and even privacy issues wrought by a pandemic that, among other things, provokes widespread telecommuting.
John Dickson, principal at The Denim Group, told SC Media during a podcast that his company was slated to hold a tabletop exercise to test its computing resources after Dickson returned to the company’s San Antonio, Texas, headquarters in the aftermath of the RSA Conference that AT&T, IBM, Verizon and a slew of other companies had skipped due to coronavirus fears.
“What’s the impact on VPN concentrators,” for example, when everyone is working remotely, Dickson asked. Businesses are really good at using apps like Zoom and WebEx for optimization but mass teleworking will test whether it’s a sustainable model.
JP Morgan Chase this week ordered 10 percent of the employees in its more than 127,000-person strong consumer banking division to stay home, not to avoid spreading the virus but to test its Project Kennedy coronavirus
Companies that aren’t already thinking about business continuity and disaster recovery plans “or doing tabletops on this impact are probably already behind the power curve,” Dickson said.
They’re also likely experiencing “much more of a panic” than those that have properly prepared, Malcolm Harkins, chief security and trust officer at Cymatic, told SC Media during a podcast. While at Intel, Harkins worked on a number of such plans for pandemics and disasters like SARS, Ebola and the earthquake and tsunami in Japan several years back. Those strategies intertwined infosecurity, physical, logical, corporate emergency management, business continuity and disaster recovery.
“It all gets back to risk management,” Harkins said. While companies can’t control pandemics or other disasters, “you can prepare for them.”