The Evolving Cyber Threat Landscape During the Coronavirus Crisis
Total Page:16
File Type:pdf, Size:1020Kb
The Syrian cyber-battlefield CYBERDEFENSE REPORT The Evolving Cyber Threat Landscape during the Coronavirus Crisis Zürich, December 2020 Cyberdefense Project (CDP) Center for Security Studies (CSS), ETH Zürich 1 The Evolving Cyber Threat Landscape during the Coronavirus Crisis Available online at: css.ethz.ch/en/publications/risk- and-resilience-reports.html Author: Sean Cordey ETH-CSS project management: Myriam Dunn Cavelty, Deputy for Research and Teaching; Benjamin Scharte, Head of the Risk and Resilience Team; Andreas Wenger, Director of the CSS. Editor: Jakob Bund Layout and graphics: Miriam Dahinden-Ganzoni © 2020 Center for Security Studies (CSS), ETH Zurich DOI: 10.3929/ethz-b-000458221 2 The Evolving Cyber Threat Landscape during the Coronavirus Crisis Table of Contents Executive Summary 4 Introduction 5 1 Cyber Threat Landscape: Dynamics 6 1.1 Changes in the Attack Surface: Use of Technology and User Behavior 6 1.2 Changes in Adversarial Behavior: Adaptation of Modus Operandi and Targeting 12 1.3 Relative Continuity in Adversarial Behavior 16 1.4 Takeaways for the Future 17 2 Cyber Threat Landscape: Overview of Different Coronavirus-Related Cyber Threats 20 2.1 Actors and Aims 20 2.2 Types of Cyber Threats: Tactics, Tools, and Procedures 25 2.3 Distribution and Types of Targets 35 Conclusion 41 Bibliography 43 Annexes 52 Annex 1: Abbreviations 52 Annex 2: Glossary 53 3 The Evolving Cyber Threat Landscape during the Coronavirus Crisis Executive Summary cooperation between threat actors has also been recorded. In light of the societal changes wrought by the 3) While all sectors have been targeted in some coronavirus pandemic, this report aims to examine the way or other, threat actors have increasingly impact this crisis had on the general cybersecurity shifted from individuals to the critical landscape, notably in terms of the attack surface and infrastructure sectors most affected and exploitation opportunities; to investigate the changing under pressure by the pandemic. and recurring patterns of adversarial behaviors; and to Geographically, targeting focused on areas illustrate and provide an overview of how threats actors particularly affected by the pandemic have leveraged said epidemic in Q1/Q2 2020. following hotspots as the first wave of Accordingly, this report highlights that the infections made its way around the world. coronavirus pandemic has generated a set of 4) The motivations of state-sponsored actors remarkable and psycho-societal, technical, and have expanded to coronavirus-related logistical-economic circumstances upon which malicious actors have capitalized. These factors include: espionage targeting healthcare and research infrastructure. 1) an expanded socio-technical attack surface Lastly, the cyber threat landscape of Q1/Q2 2020 due to the greater use and dependency on is characterized by heightened risks and a plethora of services and applications for telework threats, from ransomware to credential phishing, and provided through digital infrastructure in business email compromise. general and cloud infrastructure in While some qualification of threat perspectives particular; has set in following an initial rise of blanket concern, 2) a psycho-informational environment ample opportunities for abuse and adaptation remain, characterized by anxiety, uncertainty, and especially as the “special” circumstances will endure. high demand for information; This report thus emphasizes the value of three key 3) a nexus of economic and trade uncertainty/ recommendations: disruption, emergency procurement 1. As economic pressure increases and cyber processes, compounded by the wide threats continue to grow and adapt, the availability of nefarious cyber tools. importance of cybersecurity awareness- raising, capacity building, and Additionally, the analysis of coronavirus-related communication to all stakeholders will be cyber threats has underlined that, despite some alarmist critical, not limited to but with a particular public reporting, some degree of continuity can be focus on authentication methods and basic found, notably with respect to the dynamic nature and cyber-hygiene. types of attacks observed, the types of threat actors, and 2. Quality threat intelligence, information the overall volume of certain cyber threats (e.g. phishing exchange, cooperation, and coordination and malspam). Adversarial behavior has nonetheless between all stakeholders are critical for changed and evolved in at least four important respects: fostering a better understanding and more comprehensive perspective of the evolving 1) Many threat actors were directly affected by cyber threat landscape, bringing institutional the pandemic and had to adapt their criminal gaps into view, and fostering trust. The business models, leading to a reduction in efforts and initiatives various stakeholders certain types of threats and an increase in took in this direction during the first six others. This was also reflected in the months of the pandemic should therefore be grayware and darkweb marketplaces. continued as much as possible. 2) The scale, sophistication, and modus 3. The accelerated digitization and expanded operandi of certain cyberattacks has adoption of telework has brought the issues increased or evolved. Coronavirus-related of remote and cloud security to the forefront credential phishing and ransomware were of cybersecurity efforts. Besides all the among the most prolific threats in terms, security flaws and vulnerabilities linked to with threat actors deploying evermore widely popular cloud-based applications, sophisticated ploys (e.g. double extortion, users and companies, especially SMEs, need shorter reconnaissance requirements, more to start addressing the issues around the use powerful and complex denial of service of personal devices and configuration of attacks) against larger targets. Increased remote access technologies. 4 The Evolving Cyber Threat Landscape during the Coronavirus Crisis Introduction and quantitative analysis of the data – while acknowledging its incomplete and anecdotal nature – is The coronavirus is not only a health hazard but also thus the underlying goal of this report. The more cause for worries in the digital domain. As the specific aims of this report are threefold: coronavirus pandemic has been ravaging the world for First, it aims to examine the impact the the past year, upending the livelihood of billions and coronavirus epidemic has had on the general transforming social and professional norms, malicious cybersecurity landscape, notably in terms of the attack actors in cyberspace have jumped at the chance of surface and exploitation opportunities. Second, this exploiting this crisis and the unique circumstances it has study aims at shedding some light on both the changing created for their benefit. As the months went by, the and recurring patterns of adversarial behaviors in this cybersecurity community and a rising number of media space – in other words: changes and continuities. Third, outlets have been apt to report on new cyberattacks to put things into perspective, it aims at illustrating and involving the coronavirus – and there were plenty. providing an overview of how the epidemic has been However, in the first half of 2020, the general media and leveraged by threats actors. private-sector reporting on these issues has been Accordingly, the structure of this report reflects fraught with exaggerations of increased volume and these overarching objectives. The first section, following novelty, leading to a general narrative that the cyber an introductory section that sets the context and threat situation during the first two quarters of 2020 discusses how the pandemic has socio-technically was without precedent (e.g. Arampatzis, 2020; Check affected the attack surface, discusses and highlights Point Software Technologies, 2020a; Miller, 2020; specific observed changes and continuities in adversarial Richardson and Mahle, 2020). While this is an appealing behavior. In the second, more descriptive section, the narrative – echoing that of the pandemic at large – its landscape of coronavirus-related cyber threats is laid underpinnings need to be critically assessed before any out. It provides a snapshot of the actors, their tactics, definitive conclusion can be made. and their targets. While cyber-enabled influence Cyber threats – whether they include the operations have been of considerable importance and exploitation of vulnerabilities in software and hardware prevalence throughout this pandemic, this report or of the fear and lack of awareness of users or cyber- focuses on “conventional” cyberattacks, such as enabled disinformation – are by nature a dynamic phishing, distributed denial of service (DDoS) or business phenomenon that reacts to the evolving analog and email compromise (BEC) attacks. The report then digital environments. This is even more true for an event concludes by summing up the main findings alongside of this magnitude, transformation potential, and global some open-ended thoughts with regard to preparations reach. for future developments. As a result, we would reasonably expect change As a general disclaimer, this report was and adaptation to occur on both ends of the conducted based on open-source material only. This includes reporting from (mostly western) journalistic1, cybersecurity/-defense spectrum – i.e. attackers and 2 defenders. In the case of adversarial behavior (the focus commercial, specialized , governmental, and of this report), this could