Courtesy of US Navy, used under Creative Commons license.

This is a guest post by William Akoto, a postdoctoral researcher jointly appointed at the Sié Chéou-Kang Center for International Security & Diplomacy at the Korbel School of International Studies, University of Denver, and the One Earth Future Foundation. In the fall, he will begin a tenure-track appointment at Fordham University. 

As people have become consumed with concern about the coronavirus, organized cyber criminal groups are actively exploiting uncertainty, doubt and fear to target individuals and businesses in a variety of ways. Reports of cyber phishing attacks using coronavirus themes started appearing in early February 2020, but these attacks have since become widespread. The explosion of coronavirus-related scams ranges from fake storefronts hawking fake vaccines to sophisticated phishing scams that take advantage of the uncertainty around the pandemic. For instance, Google’s threat analysis group reported in late April 2020 that it finds an average of 18 million malware and phishing messages per day related to COVID-19. This is in addition to more than 240 million COVID-related daily spam messages that are automatically deleted by Gmail spam filters.

Analysis by industry experts shows that a significant portion of these attacks are carried out by state-sponsored hackers, some of whom are targeting coronavirus-related research. Responding to these state-sponsored attacks poses a significant challenge to targeted states as they seek to navigate the foreign policy and international relations implications of retributive action. While technical solutions provide the best bet for responding to these attacks, government policy could play a crucial supporting role. In this post, I review modalities of COVID-19 themed cyberattacks and outline some options available to governments as they seek to deal with them.

COVID-19 Themed Lures

COVID-19 cyberattacks take a variety of forms. For instance, there are coronavirus-themed phishing emails that come with infected attachments which exploit vulnerabilities in operating systems to run malicious code. Others attach a macro-enabled document purporting to contain health information but which, when opened, triggers the download of dangerous malware.

There is also an increase in voice phishing (“vishing”) robocall scams. Targets are called on the phone and informed there is a government COVID-19 payment waiting for them. The caller then demands their social security information and bank account details. In some cases, vishing is combined with “smishing” (text message phishing) to extract even more information from targets or load malicious content onto mobile devices.

Other campaigns take advantage of the trend of more employees working from home, moving towards lures that attempt to spoof human resources correspondence. The objective of these attacks is to trick targets into transferring money to cyber criminals posing as someone from within the company.

There are also reports of COVID-19 themed apps offering safety masks and vaccines. Once these apps are downloaded, they install Trojan software that secretly collects victims’ contact lists and sends text messages to contacts to spread itself. Cyber criminals are also setting up websites that pretend to be those of legitimate organizations and government agencies. Users are requested to enter their credit card information, which is then harvested by the criminals behind the website. There has also been an increase in website domain names using the word “corona”. One such website lures targets with the promise of aid or relief payments and then asks for personal information and bank account details.

In addition to ongoing activity by cyber criminals, state-sponsored hackers are also actively exploiting the pandemic. These groups are using the pandemic as cover for digital reconnaissance and espionage alongside phishing campaigns targeted at international organizations, public health agencies and their workers. For instance, hacking groups aligned with the Russian and Chinese governments are known to have sent out coronavirus-themed malicious email attachments. Two hacking groups associated with the Chinese government targeted Taiwan, Vietnam, Mongolia and the Philippines. 

A Vietnamese state-sponsored hacking group known as APT32 launched a series of coordinated cyberattacks against Chinese targets – including local government authorities in Wuhan – with the purpose of gathering intelligence on coronavirus research. An Iranian government-linked hacking group known as Charming Kitten targeted workers of the World Health Organization with coronavirus-themed lures to collect their login credentials. Similar activity has been observed from a South American group known as PackRat, with phishing emails that redirect to spoofed WHO login pages.

A Framework for Government Response

One key point of weakness in current efforts to deal with COVID-19-related cyber campaigns is the lack of public awareness about the various attack vectors that cyber criminals can exploit. Thus, in addition to public health messaging to wear masks and social distance, it is important to raise awareness of the heightened risk of COVID-19 themed cyber scams and how to stay safe online. It is important to impress on the public the need to install updated antivirus and malware detection software, particularly for those working from home. Towards this end, it might be time to explore a government-supported program aimed at providing access to discounted cybersecurity software for small firms and individuals.

Such technical solutions are critical for dealing with the surge in coronavirus-themed attacks but are by no means the only support government can provide. The rise in state-sponsored attacks is particularly worrying and deserves serious attention. However, responding to these attacks poses a significant challenge to governments due to their foreign policy and international relations implications.

In spite of these challenges, government could play an important role in responding to these attacks. Officials can issue public statements condemning the attacks, as US officials recently did when they called out state-backed hackers from China and Iran for staging coordinated cyberattacks targeting universities, health and pharmaceutical companies in a bid to steal coronavirus-related research. Such public condemnations serve to reassure the public, businesses and other stakeholders that the government is taking the breach seriously. Public condemnations that name attackers are particularly helpful in removing the “cloak of invisibility” that cyber criminals have. This is an important first step in holding attackers and their state sponsors accountable. Attacked states could also take a multilateral approach, soliciting condemnatory statements from allies and international organizations aimed at the attacker state.

Criminal indictments of organizations and individuals involved in cyberattacks are also one possible option. This goes beyond simply naming and shaming perpetrators and brings criminal charges against them. While it is unlikely that perpetrators, particularly those based in foreign countries, will actually ever see a day in court, the reputational damage involved may serve as a powerful deterrent for future attacks.

Effectively dealing with the threat of cyberattacks now will go a long way towards limiting the damage cyber criminals can do and may offer valuable lessons for dealing with similar attacks in future public health emergencies.
