Coronavirus Sparks Rise in Cybercrime From Foreign Agents—How to Protect Yourself From These Internet Scams

The Department of Health and Human Services (HHS) has been hit by a cyberattack that may have spread disinformation to Americans.

According to Bloomberg, the department's computer system was hacked on Sunday night in an attempt to "slow the agency's computer system down". The hack prompted the National Security Council (NSC) to advise Americans that a national lockdown was not taking place.

On its Twitter account, the NSC says: "Text message rumors of a national #quarantine are FAKE. There is no national lockdown. @CDCgov has and will continue to post the latest guidance on #COVID19." Bloomberg reports that this tweet was "related to the hacking" and was issued once the government realized a cyberattack had taken place. It also says that Secretary of State Michael Pompeo and other Trump administration officials are "aware of the incident," according to anonymous sources.

Text message rumors of a national #quarantine are FAKE. There is no national lockdown. @CDCgov has and will continue to post the latest guidance on #COVID19. #coronavirus

— NSC (@WHNSC) March 16, 2020

The report says that the hack, which was conducted over several hours, overloaded the HHS servers with millions. In a statement, Caitlin Oakley, spokesperson for HHS, confirms: "HHS has an IT infrastructure with risk-based security controls continuously monitored in order to detect and address cybersecurity threats and vulnerabilities. On Sunday, we became aware of a significant increase in activity on HHS cyberinfrastructure and are fully operational as we actively investigate the matter. Early on while preparing and responding to COVID-19, HHS put extra protections in place. We are coordinating with federal law enforcement and remain vigilant and focused on ensuring the integrity of our IT infrastructure."

Newsweek has contacted NSA and the Department of State for comment.

Stock image: COVID-19 is being used as a "lure" to spread malware according to FireEye. iStock

Coronavirus-related Cybercrime on the Rise

The HHS attack is one of many COVID-19-related cybercrimes taking place across the world. According to cybersecurity company FireEye, espionage actors from China, North Korea and Russia have been using the pandemic to mask spear-phishing campaigns.

According to Ben Read, senior manager of intelligence analysis at FireEye, a Chinese group known as TEMP.Hex "likely leveraged" the coronavirus theme to target entities in Vietnam, the Philippines and Taiwan in late February and early March. "The lures were legitimate statements by political leaders or authentic advice for those worried about the disease, likely taken from public sources," Read told Newsweek. The analyst explained the cybercriminals most probably used SOGU and COBALTSTRIKE payloads to send convincing documents to people in these countries. Once opened, a virus would be let loose on the system.

Examples of malicious documents used as part of a spear-phishing campaign by espionage groups from China

Further, another Chinese cluster targeted Mongolia with a coronavirus lure using POISONIVY malware—a backdoor widely available in the underground market. According to Read, the document shared contained "official statistics on infections in Mongolia" and was focused on the Mongolian government.

Espionage groups from Russia—TEMP.Armageddon—and North Korea have also targeted organizations in nearby countries using a COVID-19 theme. TEMP.Armageddon—which FireEye says is in support of Russian interests—sent a spear phish with a malicious document to Ukrainian entities. "This appeared to be a copied legitimate document," says Read.

A South Korean NGO was sent a spear phish with a Korean-language lure titled "Coronavirus Correspondence," explains Read. "We're still analyzing this sample, but it has some similarities to previously observed North Korean activity," he told Newsweek.

An example of a malicious document used as part of a spear-phishing campaign from an espionage group from North Korea FireEye

How to Protect Against Coronavirus-Themed Spam

FireEye has also confirmed that it is tracking numerous financially motivated activities that also use "Coronavirus-themed lures" to compromise victims.

"We've seen financially motivated actors using coronavirus-themed phishing in many campaigns, with dramatic month-over-month volume increases from January through to today," the company told Newsweek. "We expect continued use by both opportunistic and targeted financially motivated attackers due to the global relevance of the theme."

Matt Shelton, director of technology risk and threat intelligence at the cybersecurity company, says organizations need to do better to protect their corporate environments from threats, especially as many adapt to a remote and distributed workforce in times of self-isolation and lockdowns. "Accessing corporate resources remotely creates an opportunity for attackers to blend in with the workforce," he explains. "Many organizations lose visibility into malicious activity targeting remote workers and should deploy a multi-layer endpoint agent on all employee endpoints."

Jens Monrad, the company's head of Mandiant threat intelligence in EMEA, adds that some lures claim to be from widely known healthcare sources such as the World Health Organization and use ransomware such as Emotet, Trickbot, Nanocore, AZORult, FormBook, Remcos RAT and AgentTesla.

"By taking advantage of current events, threat actors are better able to increase their chances of gaining access to targets of interest," he explains. "[FireEye] anticipates that malicious actors will continue to exploit populations' senses of urgency, fear, goodwill and mistrust to enhance their operations, particularly regarding events within the medical field, government announcements, economic implications, deaths of high-profile individuals, and civil disturbances."

Consumers should also be aware of cybercriminal activity linked to advertisements selling items and kits for combating COVID-19. "[FireEye] has also observed cybercriminal activity on forums where 'sellers' have put out advertisements for selling items and kits designed to exploit the current situation," he told Newsweek. "This could either be malicious virus tracking maps or other malicious code used in COVID-19 campaigns.

"People should use government trusted sources for any information related to the current situation and, in the cases where they receive coronavirus related emails and were not expecting them, they should carefully examine why they are receiving them and consider not engaging with the emails."

According to the Federal Trade Commission (FTC), Americans should take the following steps when it comes to email phishing:

  • Use good computer security practices and disconnect from the internet when away from your computer—hackers can't get to a computer when it's not connected to the internet
  • Be cautious about opening any attachments or downloading files from emails you receive
  • Download free software only from sites you know and trust
  • Report spam to the relevant email providers—at the top of the message, state that it is a complaint about being spammed
  • Mark spam messages as junk mail to keep them out of the inbox
An example of a criminal phishing campaign email. FireEye