Cyber Security in the Age of COVID-19: a Timeline and Analysis of Cyber-Crime and Cyber-Attacks During the Pandemic

Cyber Security in the Age of COVID-19: A Timeline and Analysis of Cyber-Crime and Cyber-Attacks during the Pandemic

Harjinder Singh Lallie1, Lynsay A. Shepherd2, Jason R. C. Nurse3, Arnau Erola4, Gregory Epiphaniou1, Carsten Maple1, and Xavier Bellekens5

1WMG, University of Warwick, {HL, CM, gregory.epiphaniou}@warwick.ac.uk 2School of Design and Informatics, Abertay University, [email protected] 3School of Computing, University of Kent, [email protected] 4Department of Computer Science, University of Oxford, [email protected] 5Department of Electronic and Electrical Engineering, University of Strathclyde, [email protected]

Abstract—The COVID-19 pandemic was a remarkable the globe, it also led to a secondary significant threat to a unprecedented event which altered the lives of billions of technology-driven society; i.e., a series of indiscriminate, citizens globally resulting in what became commonly re- and also a set of targeted, cyber-attacks and cyber-crime ferred to as the new-normal in terms of societal norms and the way we live and work. Aside from the extraordinary campaigns. Since the outbreak, there have been reports impact on society and business as a whole, the pandemic of scams impersonating public authorities (e.g., WHO) generated a set of unique cyber-crime related circumstances and organisations (e.g., supermarkets, airlines)[2, 3], tar- which also affected society and business. The increased geting support platforms[4, 5], conducting Personal Pro- anxiety caused by the pandemic heightened the likelihood tection Equipment (PPE) fraud[6] and offering COVID- of cyber-attacks succeeding corresponding with an increase in the number and range of cyber-attacks. 19 cures[7, 8]. These scams target members of the This paper analyses the COVID-19 pandemic from a public generally, as well as the millions of individuals cyber-crime perspective and highlights the range of cyber- working from home. Working at home en-masse has attacks experienced globally during the pandemic. Cyber- realised a level of cyber security concerns and challenges attacks are analysed and considered within the context of never faced before by industry and citizenry. cyber- key global events to reveal the modus-operandi of cyber- attack campaigns. The analysis shows how following what criminals have used this opportunity to expand upon their appeared to be large gaps between the initial outbreak attacks, using traditional trickery (e.g., [9]) which also of the pandemic in China and the first COVID-19 related prays on the heightened stress, anxiety and worry facing cyber-attack, attacks steadily became much more prevalent individuals. In addition, the experiences of working at to the point that on some days, 3 or 4 unique cyber-attacks home revealed the general level of unpreparedness by were being reported. The analysis proceeds to utilise the UK as a case study to demonstrate how cyber-criminals software vendors, particularly as far as the security of leveraged key events and governmental announcements to their products was concerned. arXiv:2006.11929v1 [cs.CR] 21 Jun 2020 carefully craft and design cyber-crime campaigns. Cyber-attacks have also targeted critical infrastructure Coronavirus; COVID-19; cyber security; cyber-attack; such as healthcare services[10]. In response to this, on cyber-crime; attack timeline; home working; April 8th 2020, the United Kingdom’s National Cyber Security Centre (NCSC) and the United States Depart- ment of Homeland Security (DHS) Cybersecurity and I.INTRODUCTION Infrastructure Security Agency (CISA) published a joint The coronavirus pandemic (COVID-19) which started advisory on how cyber-criminal and advanced persistent in 2019 quickly became a global crisis event, resulting threat (APT) groups were exploiting the current COVID- in the mass quarantine of 100s of millions of citizens 19 pandemic[11]. This advisory discussed issues such as across numerous countries around the world. At the phishing, malware and communications platform (e.g., time of writing, the World Health Organisation (WHO) Zoom, Microsoft Teams) compromise. What is arguably Coronavirus Disease (COVID-19) Dashboard reported lacking here and in research, however, is a broader over 7.5 million confirmed cases and in excess of assessment of the wide range of attacks related to the 430,241 deaths[1] globally. As COVID-19 spread across pandemic. The current state of the art is extremely 2 dispersed, with attacks being reported from governments, and low risk level (as cyber-criminals can launch attacks the media, security organisations and incident teams. It from anywhere across the globe), it is clear that cyber- is therefore extremely challenging for organisations to crime is here to stay. develop appropriate protection and response measures cyber-crime, as traditional crime, is often described by given the dynamic environment. the crime triangle[17], which specifies that for a cyber- In this paper we aim to support ongoing research crime to occur, three factors have to exist: a victim, a by proposing a novel timeline of attacks related to the motive and an opportunity. The victim is the target of COVID-19 pandemic. This timeline and the subsequent the attack, the motive is the aspect driving the criminal analysis can assist in understanding those attacks and to commit the attack, and the opportunity is a chance how they are crafted, and as a result, to better prepare for the crime to be committed (e.g., it can be an innate to confront them if ever seen again. Our timeline maps vulnerability in the system or an unprotected device). key cyber-attacks across the world against the spread of Other models in criminology, such as Routine Activity the virus, and also measures such as when lockdowns Theory (RAT)[18] and the fraud triangle[19] use similar were put in place. The timeline reveals a pattern which factors to describe crimes, with some replacing the highlights cyber-attacks and campaigns which typically victim by the means of the attacker, which it can be follow events such as announcements of policy. This considered otherwise as part of the opportunity. allows us to track how quickly cyber-attacks and crimes While attacks today have become more sophisticated were witnessed as compared to when the first pandemic and targeted to specific victims depending on attacker’s cases were reported in the area; or, indeed, if attacks motivation, for example for financial gain, espionage, preempted any of these events. We expand the timeline coercion or revenge; opportunistic untargeted attacks are to focus on how specific attacks unfolded, how they were also very prevalent. We define “opportunistic attacks” as crafted and their impact on the UK. To complement these attacks that select the victims based on their susceptibil- analyses, we reflect more broadly on the range of attacks ity to be attacked[20]. Opportunistic attackers pick-up reported, how they have impacted the workforce and victims that have specific vulnerabilities or use hooks, how the workforce may still be at risk. In many ways usually in the form of social engineering, to create those this timeline analysis also forms a key contribution of vulnerabilities. Thus, we define as hook any mechanism our work both in terms of the chronological sequencing used to mislead a victim into falling prey of an attack. of attacks and the representation of campaigns using These hooks take advantage of distraction, time con- an accepted attack taxonomy. This therefore provides a straints, panic and other human factors to make them platform which aligns with current literature and also work[21, 9]. When victims are distracted by what grabs provides the foundation which other research can easily their interest/attention or when they are panicked, they build on. are more susceptible to be deceived. Similarly, time This paper is structured as follows. Section II reflects constraints put victims under more pressure which can on relevant cyber-attack and cyber-crime literature, and lead to mistakes and an increased likelihood to fall victim considers how opportunistic attacks have emerged in the to scams and attacks. Other examples include work past due to real-life crises/incidents. We then present our pressure, personal change of situation, medical issues, or COVID-19-related cyber-attack timeline in Section III events that cause deep and traumatic impact in the whole as well as a dedicated focus on the United Kingdom society in general such as fatalities and catastrophes. as a case study of key-cyber-criminal activity. This is Opportunistic attackers always seek to maximise their followed by a broader reflection on the attacks (those gain, and therefore, will wait for the best time to launch within and outside of the timeline). In Section IV we an attack where conditions fit those mentioned above. A discuss the impact of attacks on those working from natural disaster, ongoing crisis or significant public event home and wider technology risk. Section V concludes are perfect cases of these conditions[22]. In the past, the paper and outlines directions for future work. several opportunistic attacks have been observed that took advantage of specific incidents; below, we provide II.LITERATURE REVIEW few examples: With the broad adoption of digital technologies many • Natural disasters: In 2005 Hurricane Katrina caused facets of society have moved online, from shopping and massive destruction in the city of New Orleans social interactions to business, industry, and unfortu- and surrounding areas in the USA[23]. Not long nately, also crime. The latest reports establish that cyber- after, thousands of fraudulent websites appeared crime is growing in frequency and severity[12], with appealing for humanitarian donations, and local a prediction to reach $6 trillion by 2021 (up from $3 citizens received scam emails soliciting personal trillion in 2015)[13] and even take on traditional crime in information to receive possible payouts or govern- number and cost[14, 15]. Due to its lucrative nature[16] ment relief efforts. Similar scams and attacks have 3

been witnessed in countless natural disasters since, vestments in stocks related to COVID-19, and imperson- such as the earthquakes in Japan and Ecuador in ations of representatives of public authorities like WHO 2016[24], Hurricane Harvey in 2017[25], or the and aid scams[6, 37]. bush fires in Australia in 2020[26]. Brute force attacks on the Microsoft Remote Desktop • Notable incidents or events: On 25th June 2009, Protocol (RDP) systems have increased as well[38], the tragic death of Michael Jackson dominated signaling attacks also on technology, not only on human news around the world. Only 8 hours after his aspects. It is clear then that attackers are trying the make demise, spam emails claiming knowing the de- the most of the disruption caused by pandemic, partic- tails of the incident were circulating online[27]. ularly given it continues to persist. As a consequence, Waves of illegitimate emails echoing the fatality several guidelines and recommendations have also been appeared soon after, containing links promising published to protect against attacks[39, 40, 41]. These access to unpublished videos and pictures or Jack- guidelines are imperative for mitigating the increasing son’s merchandise, that in reality were linked to threat, but to strengthen their basis, there first needs malicious websites, or emails with malware in- to be a core understanding of the cyber-attacks being fected attachments[28]. Noteworthy public events launched. This paper seeks to address this gap in research also attract a range of cyber-crime activities. During and practice by defining a timeline of cyber-attacks the FIFA World Cup in 2018 for instance, there and consideration of how they impact citizens and the were various attempts to lure individuals with free workforce. tickets and giveaways[29]. These were, in fact, scams leading to fraud. III.TIMELINEOF COVID-19 RELATED • Security incidents: In 2012, 164 million of email ad- CYBER-ATTACKS dresses and passwords were exposed in a LinkedIn The cyber-crime incidents erupting from the COVID- data breach[30]. This data was not disclosed until 19 pandemic pose serious threats to the safety and 4 years later, 2016, when it appeared for sale global economy of the world-wide population, hence in the dark market. Soon after that, opportunistic understanding their mechanisms, as well as the propa- attackers began to launch a series of attacks. Many gation and reach of these threats is essential. Numer- users experienced scams, such as blackmail and ous solutions have been proposed in the literature to phishing, and some compromised accounts that had analyse how such events unfold ranging from formal not changed their passwords since the breach, were definitions to systemic approaches reviewing the nature used to send phishing links via private message and of threats[42, 43, 44]. While these approaches enable InMail[31]. the categorisation of the attack, they often lack the Considering the variety of scams and cyber-attacks ability to map larger, distributed events such as the ones occurring around the events above, it is unsurprising presented in this manuscript, where numerous events that similar attacks have emerged during the ongoing stem from the pandemic are, however, unrelated. To this COVID-19 pandemic. The outbreak has caused mass end, we opted for temporal visualisation, enabling us disruption worldwide, with people having to adapt their to map events without compromising the narrative[45]. daily routines to a new reality: working from home, Furthermore, this type of visualisation is used across lack of social interactions and physical activity, and the cyber-security domain to represent consequent cyber- fear of not being prepared[32, 33]. These situations can attacks[46, 47, 48]. overwhelm many, and cause stress and anxiety that can increase the chances to be victim of an attack. Also, the sudden change of working contexts, has meant that A. Approach to timeline creation companies have had to improvise new working struc- In this section, we outline the methodology used tures, potentially leaving corporate assets less protected to create the timeline. We explain the search terms than before for the sake of interoperability. used to gather relevant COVID-19 cyber-attack data, the Since the COVID-19 started, the numbers of scams data sources (search engines) utilised, the sources of and malware attacks have significantly risen[34], with information we chose to focus on, and types of attack. phishing being reported to have increased by 600% in We also acknowledge the potential limitations of the March 2020[35]. During April 2020, Google reportedly work. blocked 18 million malware and phishing emails related 1) Nomenclature: We explore a range of cyber- to the virus daily[36]. To increase likelihood of success, attacks which have occurred during the COVID-19 pan- these attacks target sale of goods in high demand (e.g., demic. The novel coronavirus has been referred to by Personal Protection Equipment (PPE) and coronavirus several different terms in the English-speaking world, in- testing kits and drugs), potentially highly profitable including Coronavirus, Covid19, COVID-19, 2019-nCoV, 4 and SARS-CoV-2. We use the term COVID-19 to refer below and are presented in a similar way to existing to the virus, which falls in line with terminology used reviews in cyber security literature[54, 55]. The structure by the World Health Organization [49]. of the timeline is described in further detail in Section 2) Construction of the timeline: To aid in the con- III-B. struction of the timeline, we initially conducted a number Search engines: Several search engines were used of searches to identify cyber-attacks associated with in the creation of the table and timeline. These were- the pandemic. These cyber-attacks were categorised by Google1 (US-based and dominates the search engine attack type, delivery method, and were ordered by date. market share), Baidu2 (Chinese-based search provider), The information gathered has been collated and is pre- Qwant3 (French-based search engine with a focus on sented in Figure 2 which serves as a baseline for the privacy), and DuckDuckGo4 (US-based search engine construction of Table I. with a focus on privacy). Information presented in the timeline includes the date Keywords used: A variety of keywords were used China alerted the WHO about the virus, the date the pan- when collating reports of cyber-attacks. Non-English demic was officially declared, and cyber-attacks which terms were translated using the Google Translate service specifically relate to hospitals or medicine. Additionally, [56] and additional independent sources were used as a key countries involved in the pandemic were identified, means of validating the translation. When focussing on and for those, we present the first identified case, the date the virus itself, the following key words were used: sars- lockdown was implemented, and the first cyber-attack cov-2, Covid, Covid19, Coronavirus, 冠状病毒(Chinese they suffered. The table seeks to examine a sub-set of translation for Coronavirus, confirmed by the World the information from the timeline. Health Organization[57]), コロナウイルス(Japanese Furthermore, we have chosen to include a number translation for Coronavirus, confirmed by the Japanese of sources offering reports of attacks. The sources are Ministry of Health, Labour and Welfare[58]). a mixture of reputable news outlets (such as Reuters, When searching for cyber-attacks, the following key and the BBC), blog articles, security company reports, phrases were used: 网络攻击(Chinese translation means and social media posts. Though blog articles and social Network Attack[59] or Cyber Attack[60]), サイバ media posts are not considered to be an academic source, 攻(Japanese translation for Cyber Attack or Hacking in the context of this research where we are examining Attack [61]), Attaque Informatique (French translation an emerging threat, they offer important insights into for Computer Attack [62]), Attacco Informatico (Italian trends of cyber-attacks. It is also important to note that translation for Cyber Attack [63]). cyber-attacks may first be presented in these domains, Time range: We attempted to find the earliest reported before being highlighted by mainstream media outlets. cyber-attack which was associated with the COVID-19 With regards to the inclusion of news reports in the pandemic. To allow for development of the timeline, and table of attacks and subsequent timeline, it should be analysis of findings, mid-May 2020 was defined as a cut- acknowledged that these attacks are being presented off point, with the most recent news article being dated through a journalistic lens, and as such may be written 13th May 2020[5]. in an attempt to grab headlines. Nevertheless, these Exclusion criteria: Although we have created a com- reported cyber-attacks still pose a tangible threat to the prehensive table and timeline, a number of results were general public during the COVID-19 pandemic. The excluded from the research. These included results which timeline seeks to provide an overview of attacks which a) were behind a paywall, b) required account creation have occurred. before full article was displayed, c) were duplicates of The state-of-the-art review of reports was performed existing news reports, and d) could not be translated. from mid-March to mid-May 2020. The timeline limits 3) Types of cyber-attacks : To guide our analysis and cyber-attacks to those experienced by 31st March. This is the creation of a timeline of COVID-19-related cyber- because we reached what we believed to be a saturation attacks, we decided to define attacks based on their point comprising a sufficient number of cyber-attacks to types. This allowed us to examine the prominence in be representative. Following the conclusion of the search, certain types of attacks. Although there exist numerous the earliest reported attack was on 6th January 2020 [51], taxonomies relating to attacks and cyber-crimes (e.g., whilst the most recently listed attack in the timeline was [64, 9, 65, 66]), there exists no universally accepted 31st March 2020 [52]. The most recently listed attack in model[67]. In this work therefore, we relied on the the table was 13th May 2020 [53]. The table progresses UK’s Crown Prosecution Service (CPS) categorisation of the time period a bit further as it intends to provide more 1www.google.com detail in regards to cyber-attacks experienced during this 2www.baidu.com time. Sources were gathered from a number of locations. 3www.qwant.com The criteria used to locate reports have been defined 4www.duckduckgo.com 5

Fig. 1. Cyber-dependent and cyber-enabled crimes[50] cyber-crime. This definition includes cyber security by technical capabilities. Financial fraud generally involves default and has inspired many international definitions deceiving individuals or organisations using technology of cyber-crime. for some financial gain to the attacker or criminal. The CPS guidelines categorise cyber-crime into two Extortion refers to actions that force, threaten or coerce broad categories: cyber-dependent and cyber-enabled individuals to perform some actions, most commonly, crimes[50]. A cyber-dependent crime is an offence, “that releasing finances. can only be committed using a computer, computer Hacking, Malware and Denial of Service (DoS) at- networks or other form of information communications tacks are forms of crime that are often favoured by more technology (ICT)”[68]. Cyber-enabled crimes are, “tra- technical attackers. Hacking involves compromising the ditional crimes, which can be increased in their scale confidentiality or integrity of a system, and requires or reach by use of computers, computer networks or a reasonable about of skill; its techniques can involve other forms of information communications technology exploiting system vulnerabilities to break into systems. (ICT)”[69]. These categories as well as examples of Malware refers to malicious software and can be used for their subcategories can be seen in Figure 1. Some of disrupting services, extracting data and a range of other the elements described by CPS are often interlinked in attacks. Ransomware is one of the most common type a cyber-attack. For instance, a phishing email or text of malware today[72, 73], and combines malware with message (e.g., SMS or WhatsApp) might be used to lure extortion attempts. DoS attacks target system availability a victim to a fraudulent website. The website then may and work by flooding key services with illegitimate gather personal data which is used to commit financial requests. The goal here is to consume the bandwidth fraud, or it may install malware (more specifically, used for legitimate server requests, and eventually force ransomware) which is then used to commit extortion. the server offline. This notion of cyber-attack sequences is explained in These types of attack provide the foundation for further detail in Section III-B. our analysis in the timeline and how we approach our Similarly Denial of Service (DoS) attacks are in- discussion in later part of this research. creasingly used by cyber-criminals to distract (or, 4) Limitations of the table: Within Table I, two act as ‘smokescreens’ for) businesses during hacking columns referring to dates are provided. The first column attempts[70, 71]. In what follows, we consider the types “Article Date” refers to the date the reference was of these attacks and reflect on how they have been initially published. We acknowledge that in some cases, launched, including any human factors or technical as- the web pages linked to the references continued to be pects (e.g., vulnerabilities) they attempt to exploit. updated with information following its inclusion with Phishing, or Social Engineering more broadly, in- the paper. The table has been ordered by “Article Date” cludes attempts by illegitimate parties to convince indi- to provide a consistent chronological representation of viduals to perform an action (e.g., share information or events. visit a website) under the pretence that they are engaging We have also provided a second column,“Attack with a legitimate party. Quite often email messages Date”. When examining each reference, if a specific date are used, occasionally SMS or WhatsApp messages are was provided as to when the attack was executed, it was used (referred to as smishing). Pharming is similar to included. The rational behind including the attack date phishing but instead of deceiving users into visiting and report date is that an attack may not surface until malicious sites, attackers rely on compromising systems several days after it has been carried out. (e.g., the user’s device or DNS servers) to redirect 5) Limitations of the timeline: Two types of cyber- individuals to illegitimate sites. This type of attack is attack reports are considered within this manuscript, less common in general, as it requires more access or those which describe cyber-attacks without providing 6 the date of the attack and those which describe cyber- we use the UK as a case study to analyse COVID-19 attacks and include the date of the perpetration. When related cyber-crime. The discussion herein demonstrates the date of the attack is not included, the date provided that as expected and outlined above, there was a loose in the timeline refers to the date of the publication. The correlation between policy/news announcements and as- rationale behind the inclusion of both types of reports sociated cyber-crime campaigns. The analysis presented is based on providing a chronological representation herein focuses only on cyber-crime events specific to of events. Furthermore, while the table provides an the UK. So for example, although many of the incidents extensive overview of the threat landscape, it is by no identified in the previous section and particularly in means an exhaustive list of all the attacks carried out in [102] are global cyber-attacks, the discussion herein relation to the pandemic, as gathering such information ignores these. Consequently, numerous announcements would not be possible in this context due to the lack and purportedly coming from reputed organisations such as quality of reporting, the number of targeted incidents, WHO and a plethora of malware which reached UK the number of incidents targeted at the general public, citizens is ignored as these were not UK specific issues. the global coverage of the pandemic and the number of Indications of the extent of the UK cyber-crime in- malicious actors carrying out these attacks. cident problem experienced during the pandemic are However, despite these limitations we have explored provided by the reported level of suspect emails and all resources available to depict the threat landscape as fraud reported. By early May (07-05-20), more than accurately as possible. 160,000 ‘suspect’ emails had been reported to the Na- tional Cyber Security Centre [103] and by the end of B. The timeline May (29-05-20), £4.6m had been lost to COVID-19 related scams with around 11,206 victims of phishing In this section, we examine the cyber-attacks in and / or smishing campaigns [104]. In response, the further detail. Figure 2 provides a detailed temporal National Cyber Security Centre (NCSC) took down 471 representation of the chain of key cyber-attacks in- fake online shops [105] and HMRC (Her Majesty’s duced by the COVID-19 pandemic. The timeline in- Revenue and Customs) took down 292 fake websites cludes the first reported cases in China, Japan, Ger- [106]. many, Singapore, Spain, UK, France, Italy, and Portu- The timeline in Figure 3 shows a series of UK specific gal and then the subsequent lockdown announcements. events and cyber-crime incidents. The timeline indicates The timeline presents 43 cyber-attacks categorised using a direct and inverse correlation between announcements the CPS taxonomy described in Section III-A3 and and incidents. abbreviated as: P:phishing (or smishing), M:malware. Direct correlations are instances where perpetrators Ph:pharming, E:extortion, H:hacking, D:denial of ser- appear to follow announcements or events, they may vice and F:financial fraud. The events related to the crisis have drawn on these events and carefully configured were validated against WHO timeline of events to ensure cyber-attacks around policy context. These are shown an accurate temporal reproduction. in the figure with a solid coloured connecting arrow. Table I describes a number of cyber-attacks in fur- Inverse correlations are instances where an incident ther detail. Within the table, cyber-attacks have been has no clear correlation with an event or announce- organised by attack date. If the attack date was not ment. Although inverse correlations do not appear to available within the reference, then the article date has have a direct correlation, these may exist because a been used. The target-country of each cyber-attack has number of events were being actively highlighted in the been listed, alongside a brief description of the methods media. For example, the issue of personal protective involved. Finally, the attack type has also been classified equipment (PPE) was in active discussion well before in accordance with the CPS taxonomy described earlier the UK government gave this priority consideration. where it has been mentioned within the reference. Similarly, the likelihood of a tax rebate scheme was in Both the figure and the table present specific cyber- active consideration in early March before the budget attacks and incidents and exclude: general advisories announcement on 11-03-20. The first tax rebate phishing (e.g. from governmental departments), general discus- campaigns were in active circulation before the budget sions and summaries of attacks, and detailed expla- announcement. In both cases, we should emphasise that nations of techniques and approaches utilised by the these are loose correlations and more work needs to be attackers. done in terms of whether a predictive model can be built using this data and data around the world as examples. C. COVID-19 cyber-attacks in the United Kingdom On 11th March 2020, the UK government made a The extent of the cyber-security related problems number of important budgetary announcements [107] faced in the UK was quite exceptional, and in this section which included: a £5bn emergency response fund to 7 Fig. 2. Timeline of Key Events Related to Cyber-Attacks and the COVID-19 Pandemic 8 Fig. 3. UK Timeline 9

TABLE I DESCRIPTIONSOF COVID-19 RELATED CYBER-ATTACKS

ID Ref. Country Attack Description Article Attack Type Date Date 1 [51] China P.M Vietnam accused of launching a METALJACK phishing campaign against the Wuhan 22/04 06/01 district offices 2 [74] Global P.M International reports that both phishing and smishing campaigns are taking place 19/01 - 3 [75] China, P.M Chinese hackers accused of distributing the Vicious Panda malware to Mongolia through 12/03 20/01 Mongolia emails purporting to come from the Mongolian ministry of affairs 4 [76] Phillipines P.M.F REMCOS malware distributed to Phillipino citizens 13/03 23/01 5 [77] Singapore P Phishing campaign steals email log-in credentials 28/01 - 6 [78] Japan P.M.F Safety measures phishing campaign distributes Emotet malware 28/01 28/01 7 [79] China P.M.F ’Safety measure’ email from a ’Singaporian specialist’ distributes Emotet malware 06/02 29/01 8 [77] USA P Email purporting list of COVID-19 cases in victim’s city takes user to website which 11/02 31/01 steals credentials 9 [80] China H DoS on epidemic prevention units 09/02 02/02 10 [80] China P Phishing campaign steals email log-in credentials 09/02 02/02 11 [81] World P.M.F First cases of AZORult a data theft malware 10/02 - 12 [82] China P.M Email purporting specialist safety measures from WHO prompts malware download 12/02 - 13 [76] Vietnam P.M LOKIBOT malware spread through email purporting incorrect invoice payment 13/03 03/02 14 [83] China P.Ph Phishing attack on medical groups in China (from India) 06/02 06/02 15 [84] China P.M.E Distribution of CXK-NMSL ransomware through COVID-19 themed emails 18/02 09/02 16 [84] China P.M.E Distribution of Dharma/Crysis ransomware through COVID-19 themed emails 18/02 13/02 17 [76] Italy P.M Trickbot malware distributed through email 13/03 02/03 18 [85] Global P.M.F MBR wiper malware disguised as contact tracing information 04/03 - 19 [76] USA P.M FORMBOOK malware distributed through email purporting parcel shipment advice 13/03 08/03 20 [86] USA M Health systems in Champaign Urbana Public Health District (Illinois) affected by the 12/03 10/03 netwalker ransomware 21 [76] Spain P.M Email purports COVID-19 remedy as mooted by Israeli scientists days in advance 13/03 10/03 22 [87] Czech H Cyber-attack on Czech hospital 14/03 14/03 23 [88] USA H Denial of Service on U.S. Health Agency 16/03 - 24 [89] Libya P.M Corona live 1.1 is the SpyMax malware which in this case is a trojanised app which 18/03 - exfiltrates user data 25 [90] World P.M Corona mask offer installs what appears to be a harmless malware which distributes an 19/03 - SMS to all contacts. Presumably an update to the app will mobilise the malware 26 [91] Global P.E Extortion campaign threatens to infect the recipient with COVID-19 unless a $4,000 bitcoin 17/04 20/03 payment is made 27 [92] Spain P.M Netwalker ransomware attack disguised as an email advising on restroom use 24/03 - 28 [93] USA P.M SMS asks recipient to take a mandatory COVID-19 ‘preparation’ test, points to website 24/03 24/03 which downloads malware 29 [94] UK P.M SMS informs recipient to stay at home with a link for more information. Link directs 24/03 - recipient to a malware ridden website 30 [95] UK P.Ph.F Free school meal SMS directs recipient to website which steals payment credentials 25/03 24-03 31 [96] World M.F Ginp Trojan distributed in an Android app. App charges e0.75 for information on infected 25/03 - persons in the recipients region. In actual fact, it steals the payment information 32 [52] Global P Skype credentials stolen through a crafted phishing campaign 23/04 31/03 33 [97] World P.Ph.M.F Free Netflix offer directs users to a malware ridden website 27/03 - 34 [98] UK M Fake NHS website gathers user credentials 28/04 - 35 [99] UK P.M Email purports to offer job retention payment as per the UK governmental announcement 30/04 19/04 36 [100] Global M Coronalocker locks a computer and appears to cause rather more annoyance than any real 21/04 - damage 37 [101] Global P.M Docusign recipients directed to fake website offering COVID-19 information 08/05 - 38 [5] UK P.M Recipients are directed to a fake track and trace website which collects user credentials 13/05 - key: P:Phishing (or smishing); Ph:Pharming; E:Extortion; M:Malware; F:Financial fraud; H:Hacking support the NHS and other public services in England; an nouncements to support the citizenry and economy. entitlement to statutory sick pay for individuals advised These announcements included: a scheme to support to self-isolate; a contributory Employment Support Al- children entitled to receive free school meals (19-03- lowance for self-employed workers; a £500m hardship 20); a hardship fund (24-03-20); help for supermarkets fund for councils to help the most vulnerable in their to target vulnerable people (25-03-20); the potential areas; a COVID-19 Business Interruption Loan Scheme availability of home test kits (25-03-20); a job retention for small firms; and the abolishment of business rates scheme (17-04-20); and the launch of the much awaited for certain companies. track and trace app (04-05-20).

Soon after, the government continued to make an- Events such as these increase the likelihood of a 10

TABLE II SELECTEDCORRELATIONSBETWEENEVENTSANDCYBER-CRIMINAL CAMPAIGNS

Event date Event Incident date & Incident type 21-02-20, Doctors warn GPs are running out of PPE; 17-04-20 p,ph,f Fake PPE offers through email. Link to URLs 09-03-20 Hospitals running out of PPE 27-05-20 p,ph,f which capture credit card and other details 11-03-20 Government announces a range of financial 20-03-20 p,ph,f Smishing campaign promising a COVID-19 assistance packages in the budget financial relief payment. Respondents are directed to a fake gov.uk website which requests credit/debit card details 19-03-20 Government announces a scheme which entitles 24-03-20 p,ph,f A smishing campaign which targeted parents children who qualify for a free school meal to with a promise of help with their free school a food voucher or alternatives if they are not meals in return for banking details. Banking able to continue attending school. details are defrauded 23-03-20 Lockdown announced. £60 contravention fine, 27-03-20 p,e Lockdown contravention SMS later (10-05-20) increased to £100 24-03-20 COVID-19 hardship fund enables councils to 15-05-20 p,ph,f Council tax rebate scam reduce council tax bills by £150 for residents of working age and who have had their bill reduced by an award of council tax reduction 25-03-20 Government announce intention to make home 31-03-20 p,f, Phishing campaigns in England and Scotland testing kits available 17-04-20 p,f, direct victims to fake websites which claim to 27-05-20 p,f sell PPE equipment 17-04-20 Government announces job retention scheme 19-04-20 p,f Fake job retention scheme phishing campaign. positive response to a cyber-criminal campaign and per- of the pandemic. From the point that the first case petrators are very likely to hook onto events. Although was announced in China (08-12-19), the first reported there appears to be a link between some of the events COVID-19 inspired cyber-attack took 30 days. The next and incidents, a number of scams cannot easily be traced reported cyber-attack was 14 days (19-01-20). From this to a single event or announcement. Examples of this point onwards, it is clear that the timeframe between include a goodwill payment of £250 (21-03-20), an events and cyber-attacks reduces dramatically. NHS financial donation request (02-04-20), vouchers for The 43 cyber-attacks presented in the timeline can be UK supermarkets (02-04-20, 15-04-20, 28-04-20), and a further categorised as follows: charitable donation to the recipient. None of these events • 37 (86%) involved phishing and / or smishing have associated governmental announcements or even • 2 (5%) involved hacking general public speculation. • 2 (5%) involved denial of service Examples supporting our notion of a correlation be- • 28 (65%) involved malware tween events and cyber-security campaigns are provided in Table II and illustrated in Figure 3. These examples indicate a loose correlation between events and cyber- criminal campaigns. Many of the cases outlined in Table II and Figure 3, were very simple. Potential victims were provided URLs through email, SMS, or Whatsapp. An example of this is provided in Figure 4. In this case, the URL pointed to a fake institutional website which requests credit/debit card details. Although there are elements of this process which are obviously suspicious to a more experienced computer user, for example, spelling errors (relieve instead of relief in the COVID-19 relief scam), suspect reply email addresses and clearly incorrect URLs, these are not immediately obvious to many users.

D. Analysis of cyber-attacks and associated risks The timeline shown in Figure 2 and the UK case study above creates an ideal platform through which to analyse the cyber-attacks that have occurred in light Fig. 4. The COVID-19-relieve scam[108] 11

• 15 (34%) involved financial fraud involve malware in the same way that the global analysis • 6 (13%) involved pharming reveals. There may be a number of reasons for this. • 6 (15%) involved extortion Launching a malware connected campaign requires more Whilst this analysis is useful, the sequence of events sophistication and time. There may be less opportunity to in the complete attack can also provide key attack directly connect it to a specific event or announcement. insights. The timeline reveals these sequences and shows The time delay between some of the announcements the complete campaign comprising of, for instance, the and the associated campaigns was remarkably short. distribution of malware (m) through phishing (p) which For instance, the time delay between the lockdown an- steals payment credentials which are used for financial nouncement (23-03-20) and the ‘lockdown contravention fraud (f ). We can describe this cyber-attack sequence as fine’ (25-03-20) was 2 days, and the time delay between p,m,f. Analysing cyber-attacks in this way is important the job retention scheme announcement (17-04-20) and because this indicates multiple points in a cyber-attack the job retention scam (19-04-20) was also 2 days. where protections could be applied. The timeline reveals To reflect more generally on the cyber-attacks dis- the following cyber-attack sequences: covered, we can see that phishing (including smishing) • p,m: n=8, 19% were, by far, the most common based on our analysis. • p,m,f: n=10, 23% In total, it was involved in 86% of the global attacks. • ph,m: n=1, 2% This is however, unsurprising, as phishing attempts are • p,ph: n=1, 2% low in cost and have reasonable success rates. In the • p.m.e: n=5, 12% case of COVID-19, these included attempts at imper- • p,ph,m: n=2, 5% sonating government organisations, the WHO, the UK’s • p,ph,f: n=1, 2% National Health Service (NHS), airlines, supermarkets • p,e: n=1, 2% and communication technology providers. The specific • p,ph,m,f: n=1, 2% context of the attacks can be slightly different however This analysis does not include the sequence of events the underlying techniques, and the end goal is identical. that took place in the two hacking and two denial For instance, in one email impersonating the WHO, of service incidents. It should be noted that although attackers attach a zip file which they claim contains an e- financial fraud is the most likely goal in most of the book that provides, “the complete research/origin of the cyber-attacks described in the timeline, financial fraud corona-virus and the recommended guide to follow to was only recorded in the timeline where reports have protect yourselves and others”[109][2]. Moreover, they clearly indicated that this was the outcome of a cyber- state: “You are now receiving this email because your attack. In reality, the p,m,f and p,ph,f cases are life count as everyone lives count”. Here, attackers are likely to be higher. using the branding of WHO, posing as helpful (the Figure 5 provides a summary of the countries that were the target of early cyber-attacks during the pandemic, organised by attack date. As shown, China and the USA account for 39% of the attacks reported. It is also clear from Table I that both of these countries were primary target from the start of the pandemic. The attacks then spread to the United Kingdom and more other countries. By March 2020 however, a vast majority of the attacks are targeted at the whole world, with a reminder of attacks specifically focused at events in a single country, such as tax rebates due to COVID-19, or contact tracing phishing messages. It is useful to consider this in the context of UK specific cyber-attacks. This examination reveals that phishing was a component of all (n=17) the cyber- attacks analysed. 1 involved extortion as the final goal, the remaining 16 involved financial fraud. 9 cyber- attacks comprised the sequence: p,ph,f, 7 comprised the sequence p,f, the remaining 1 comprised of p,e. It is notable that although an NHS malware distribution website was discovered and removed on 23- 04, none of the cyber-attacks we analysed appeared to Fig. 5. Cyber-attack distribution across countries examined 12 remainder of the email contains legitimate guidance), downturn [114]. There were offers of cures, vaccines, and appealing to people’s emotions in crafting their and advice on effective treatments for the virus. The attack email[110, 9]. Similar techniques can be seen in a Food and Drugs Administration (FDA) issued 16 warn- fake NHS website created by criminals detected online, ing letters between 6th March and 1st April 2020 to which possesses identical branding but is riddled with companies “for selling fraudulent products with claims malware[111], and a malicious website containing mal- to prevent, treat, mitigate, diagnose or cure” COVID- ware which also presents the legitimate Johns Hopkins 19[115, 116]. The European Anti-Fraud Office (OLAF) University COVID-19 dashboard[4]. It is notable that the has responded to the flood of fake products online by fake WHO email contains spelling/grammatical errors. opening an enquiry concerning imports of fake products The discussion in Section III-C provides further specific due to COVID-19 pandemic[117], and in the UK, the examples of this. Medical and Healthcare products Regulatory Agency To further increase the likely success of phishing (MHRA) has began investigating bogus or unlicensed attacks cyber-criminals have been identified register- medical devices currently being traded through unautho- ing large numbers of website domains containing the rised and unregulated websites[118]. words ‘covid’ and ‘coronavirus’[112]. Such domains Extortion attacks were witnessed in our analysis but are likely to be believable, and therefore accessed, were less prevalent (appearing in only 13% of cases) especially if paired with reputable wording such as compared to the others above. The most prominent WHO or Centers for Disease Control and Preven- case of this attack was an extortion email threatening tion (CDC) or key words (e.g., Corona-virusapps.com, to infect the recipient and their family members with anticovid19-pharmacy.com, which have been highlighted COVID-19 unless a Bitcoin payment is made[119]. To as in use[113]). Communications platforms, such as increase the believability of the message, it included Zoom, Microsoft and Google, have also been imper- the name of the individual and one of their passwords sonated, both through emails and domain names[112]. (likely gathered from a previous password breach). After This is noteworthy given the fact that these are the demanding money, the message goes on to state: “If primary technologies used by millions across the world I do not get the payment, I will infect every member to communicate, both for work and pleasure. These of your family with coronavirus”. This attempts to use facts, in combination with convincing social engineering fear to motivate individuals to pay, and uses passwords emails, text messages and links, provide several notable (i.e., items that are personal) to build confidence in the avenues for criminals to attack. Pharming attacks were criminal’s message. much less common but did occur in 13% of cases. As Malware related to COVID-19 increased in promi- can be seen Table I, these often occur alongside other nence during the pandemic and impacted individuals attacks. and organisations across the world. As shown above, COVID-19-inspired fraud has leveraged governmen- it was the second largest cyber-attack type, appearing tal/scientific announcements to exploit the anxieties of in 65% of cases. Vicious panda and MBR Loader users and seek financial benefit. From our analysis, fraud were the only new malware discovered in this pe- was typically committed through phishing and email riod. The remaining malware attacks were variants attacks—we also can see this in our sequencing above. In of existing malware and included Metaljack, REM- one case, criminals posed as the CDC in an email and COS, Emotet, LOKIBOT, CXK-NMSL, Dharma-Crysis, politely requested donations to develop a vaccine, and Netwalker, Mespinoza/Pysa, SpyMax (disguised as the also that any payments be made in Bitcoin[105]. Typical Corona live 1.1 app) GuLoader, Hawkeye, FORMBOOK, phishing techniques were used, but on this occasion these Trickbot and Ginp. Ransomware, in particular, was a included requests for money: “Funding of the above notable threat and an example of such was COVIDLock, project is quite a huge cost and we plead for your good an Android app disguised as a heat map which acted as will donation, nothing is too small”. A notable point ransomware; essentially locking the user’s screen unless about this particular attack is that it also ask recipients to a ransom was paid[120]. share the message with as many people as possible. This At the organisational level, ransomware has signifi- is concerning given that people are more likely to trust cantly impacted healthcare services—arguably the most emails they believe have been vetted by close ones[9]. fragile component of a country’s critical national in- There were a range of other fraud attempts, largely frastructure at this time. Attacks have been reported based on threats or appeals. For instance, our analysis in the United States, France, Spain and the Czech identified offers of investment in companies claiming Republic[121, 10], and using ransomware such as Net- to prevent, detect or cure COVID-19, and investment walker. Such attacks fit a criminal modus operandi if in schemes/trading options which enable users to take we assume that malicious actors will target areas where advantage of a possible COVID-19 driven economic they believe they stand to capitalise on their attacks; i.e., 13 health organisations may be more likely to pay ransoms People’s Republic of China (PRC) as a perpetrator in to avoid loss of patient lives. Interestingly there have a joint FBI/CISA announcement[128]. since been promises from leading cyber-crime gangs that they will not (or stop) targeting healthcare services. In IV. IMPACT ON WORKFORCE one report, operators behind CLOP Ransomware, Dop- The effects of the pandemic, the mass quarantine of pelPaymer Ransomware, Maze Ransomware and Nefilim staff and the measures put in place to facilitate remote Ransomware stressed that they did not (normally) target working and resilience of existing cyber-infrastructures, hospitals, or that they would pause all activity against against the attacks and timelines previously described, healthcare services until the virus stabilises[122]. had a profound effect on the workforce – the people Other notable malware examples during the pandemic engaged in or available for work. The pandemic also had include: Trickbot, a trojan that is typically used as a an effect on the resilience of technology, socio-economic platform to install other malware on victims’ devices— structures and threatened, to a certain degree, the way according to Microsoft, Trickbot is the most prolific people live and communicate. Figure 6 illustrates the malware operation that makes use of COVID-19 themed COVID-19 impact on the workforce across eight differ- lures for its attacks[123]; a Master Boot Record (MBR) ent categories. All categories seemingly integrate with rewriter malware that wipes a device’s disks and over- cyber-enabled assets and tools and different categories writes the MBR to make them no longer usable[124]; may be impacted differently. The pandemic created risk and Corona Live 1.1, an app that leveraged a legitimate conflicts, for example, strict compliance with security COVID-19 tracker released by John Hopkins University standards which discourage data sharing, could be more and accessed device photos, videos, location data and harmful than sharing the data. So, whilst there may be the camera[53]. As the pandemic continues, there are strict requirements for patient data not to be accessed at likely to be more strains of malware, targeting various home by GPs (general practitioners), this causes a greater types of harm, e.g., physical, financial, psychological, harm during quarantine than enabling GPs to access pa- reputational (for businesses) and societal[125]. tient data. Also, the way confidential patient information During the COVID-19 pandemic our analysis only is processed requires a data protection impact assessment identified a very small amount (5%) of DoS attacks, (DPIA) to enable further NHS support where needed. but there were several reports of hacking. These reports This can have an impact in terms of the timely delivery suggested that hacking was not indiscriminate but in- of medical interventions in response to COVID-19. stead, targeted towards institutions involved in research In traditional risk classification, elements like asset on coronavirus. registration and valuation, threat frequency and vulnera- In one report, FBI Deputy Assistant Director stated, bility probability are at greater risk of cyber threat. We, “We certainly have seen reconnaissance activity, and therefore, anticipate changes on the way the workforce some intrusions, into some of those institutions, espe- accesses those information assets and how strategic, cially those that have publicly identified themselves as tactical and operational tasks are executed to generate working on COVID-related research”[126]. This was socio-economical outputs. These changes can be cap- further supported by a joint security advisory a month tured by the development and testing of risk statements later from the UK’s NCSC and USA’s CISA[127]. In this capturing 1) threat agents, 2) vulnerabilities, 3) Pol- advisory, Advanced Persistent Threat (APT) groups— icy/process violation and 4) overall asset exposure on some of which may align with nation states—were all emerging threat landscapes as illustrated in Figure 6. identified as targeting pharmaceutical companies, med- These changes unavoidably cascade further changes to ical research organisations, and universities involved in the threat landscapes associated with remote workforce COVID-19 response. The goal was not necessarily to activities and the increasing frequency of weaponised disrupt their activities (as with the ransomware case), attack vectors related to the coronavirus spreading. Given but instead to steal sensitive research data or intellectual the current climate, it is difficult to predict whether these property (e.g., on vaccines, treatments). changes will have a long-lasting effect on the work- While a detailed analysis of these attacks has not force, but their significance is already recorded [129]. yet surfaced, password spraying (a brute-force attack Therefore, it is increasingly important that the control which applying commonly-used passwords in attempting of information (storage, processing, transmission) has an to login to accounts) and exploiting vulnerabilities in elevated importance given the increase of cyber-attacks Virtual Private Network (VPN) have been flagged[127]. on important infrastructures. Attribution is another important consideration during Governments, private and public sectors throughout such attacks. Determining the true origin of cyber-attacks Europe currently consider measures to contain and has always been difficult, however, in response to these mitigate COVID-19 impact on existing data structures COVID-19-related threats, the US openly named the and information governance frameworks (for example, 14

d n a

l a c

i COVID-19 s

y Workforce h P

Impact , e v i t a r l t a s i c i n i n Information Health & Digital and Employment Public Supply h m Advanced Lifestyle c d Governance Healthcare Circular Finance

e Rules and chain & A Manufacturing T

- Economy and civil

Policies Transport )

s protection ( t n e m e t a t S

Threat Sources k s i R

Vulnerabilities

Policy / Process Violation

Exposure

Require Access to: Evolving Threat Landscape Information Assets

For the execution of: Evolving Threat Landscape Strategic, Tactical and Operational Tasks

In order to generate: Evolving Threat Landscape Socio-economic Impact(s)

Fig. 6. COVID-19 Impact on Workforce

[130]). Particular emphasis is placed upon the impli- governments had to derive a plan that would enable them cations of the pandemic in the processing of personal to understand epidemiological data further and identify data. The General Data Protection Regulation (GDPR) positive interventions to contain and mitigate the impact legislation in the UK dictates that personal data must of the pandemic. Research shows a high correlation be- be processed only for the specific and explicit purposes tween the use of big data that includes private identifiable for which it has been obtained [131]. In addition, data information in the effectiveness of these epidemiological subjects should always receive explicit and transparent investigations [134]. That meant that in most cases, citi- information with regard to the processing activities un- zens had to provide this information voluntarily and that dertaken, including that of features and nature of the quickly resulted in discussions and debates on the trade- activity, retention period and purpose of processing. offs between public safety versus personal privacy [135]. There are challenges related to the governance legal The information has also been obtained through internet and regulatory compliance landscape in terms of con- communication technology. Medical testing equipment formance versus rapid access and processing of data by and coronavirus testing at a large-scale were used as different entities. This is quite apparent in cases where instruments for data collection in the fight to reduce public authorities seek to obtain PII to reduce the spread mortality rates. The legal and regulatory compliance of COVID-19. Typical examples also include contact frameworks differ between countries; thus, managing tracing applications and platforms in which the data personal information was subject to different privacy is aggregated online for post-processing [132]. Specific protection measures. legislative measures have to be re-deployed or introduced to safeguard public security while maintaining privacy at The de-identification of personal information was an- scale, while legal and regulatory principles continue to other component that governments had to exercise to upheld [133]. satisfy personal privacy requirements and increase the trust of human participants during the epidemiological With the rapid increase of COVID-19 symptoms, investigations. The process of collecting and process- 15 ing personal information by applying de-identification there may be implications for policing around the World- technologies raised technical challenges with regards law enforcement must ensure it has the capacity to deal to accuracy and consent, safe and legally defensive with cyber-crime [140]. data disposal and robustness of associated policies of The analysis presented in this paper has highlighted a data processing and management for epidemiological common modus-operandi of many cyber-attacks during research. The urgency of the situation and the speed at this period. Many cyber-attacks begin with a phishing which the data had to be acquired and processed, created campaign which directs victims to download a file or a sense of distrust amongst citizens and challenged access a URL. The file or the URL act as the carrier the efficacy of the existing processes in place [135]. of malware which, when installed, acts as the vehicle The extensive lockdown periods introduced in many for financial fraud. The analysis has also shown that to countries (described in Section III) have also tested their increase the likelihood of success, the phishing campaign ability to deploy strategies for business recovery after leverages media and governmental announcements. these periods. These strategies had to ensure smooth and Although this analysis is not necessarily novel, we phased out recovery within an ongoing pandemic, which believe this is the first time that this has been supported has proved to be a challenging task. However, there is with a context of actual live events. This analysis gives an unprecedented speed and scale on the R&D activities rise to the recommendation that governments, the media in response to the COVID-19 outbreak forcing cross- and other institutions should be aware that announce- organizational multilateral collaborations [136, 137]. ments and the publication of stories are likely to give There is currently a challenge across Europe to or- rise to the perpetration of associated cyber-attack cam- chestrate information sharing in a timely and accurate paigns which leverage these events. The events should manner as even mainstream media sources seem to be accompanied by a note / disclaimer outlining how in- have propagated false information [138]. The increase formation relating to the announcement will be relayed. on both frequency and impact of these attacks will test Our research presents opportunity for further research. further our existing monitoring and auditing capabilities, This research has shown what can best be described as a logical and physical access controls, authentication and loose direct and inverse correlation between events and verification schemes currently deployed. Also, as part cyber-attacks. Further research should investigate this of the current enterprise risk management approaches phenomenon and outline whether a predictive model can the way organisations sanitise incident reporting, media be used to confirm this relationship. There is an abundant disposal and data destruction and sharing processes will supply of cyber-attack case studies relating to countries also be tested alongside to traditional defence-in-depth around the world and a wider analysis of the problem principles currently established as de-facto. The finance can help in affirming this phenomenon. sector is also affected as the predicted financial recession will leverage the sophistication and scale of targeted attacks as threat actors grow their capabilities [139]. REFERENCES [1] W. H. O. (WHO), “Who coronavirus disease (covid-19) V. CONCLUSIONAND FUTUREWORK dashboard,” 2020, thttps://covid19.who.int/, (Accessed 15 June 2020. The COVID-19 pandemic has generated remarkable [2] MalwareBytes, “Cybercriminals impersonate World and unique societal and economic circumstances lever- Health Organization to distribute fake coronavirus aged by cyber-criminals. Our analysis of events such e-book,” 2020, https://blog.malwarebytes.com/social- as announcements and media stories has shown what engineering/2020/03/cybercriminals-impersonate-world- appears to be a loose correlation between the announce- health-organization-to-distribute-fake-coronavirus-e- book/, (Accessed 15 June 2020). ment and a corresponding cyber-attack campaign which [3] The Times, “Fraudsters impersonate airlines utilises the event as a hook thereby increasing the and Tesco in coronavirus scams,” 2020, likelihood of success. https://www.thetimes.co.uk/article/fraudsters- The COVID-19 pandemic, and the increased rate of impersonate-airlines-and-tesco-in-coronavirus-scams- cyber-attacks it has invoked have wider implications, 5wdwhxq7p, (Accessed 15 June 2020). [4] Krebs on Security, “Live Coronavirus which stretch beyond the targets of such attacks. Changes Map Used to Spread Malware,” 2020, to working practises and socialization, mean people https://krebsonsecurity.com/2020/03/live-coronavirus- are now spending increased periods of time online. map-used-to-spread-malware/ (Accessed 15 June In addition to this, rates of unemployment have also 2020). increased, meaning more people are sitting at home [5] R. Smithers, “Fraudsters use bogus nhs contact-tracing app in phishing scam,” 2020, online- it is likely that some of these people will turn to https://www.theguardian.com/world/2020/may/13/ cyber-crime to support themselves. The combination of fraudsters-use-bogus-nhs-contact-tracing-app-in- increased levels of cyber-attacks and cyber-crime means phishing-scam (Accessed 30 May 2020). 16

[6] Europol, “Pandemic Profiteering: How 201819720.html (Accessed 9 May 2020). Criminals Exploit COVID-19 Crisis,” 2020, [23] FBI, “Hurricane katrina fraud,” 2016, https://www.europol.europa.eu/publications- https://www.fbi.gov/history/famous-cases/hurricane- documents/pandemic-profiteering-how-criminals- katrina-fraud (Accessed 9 May 2020). exploit-covid-19-crisis (Accessed 15 June 2020). [24] FTC, “How to help the earthquake [7] Norton, “Coronavirus Phishing Emails: How victims in Ecuador and Japan,” 2016, to Protect Against COVID-19 Scams,” 2020, https://www.consumer.ftc.gov/blog/2016/04/how- https://us.norton.com/internetsecurity-online-scams- help-earthquake-victims-ecuador-and-japan (Accessed coronavirus-phishing-scams.html (Accessed 15 June 15 June 2020). 2020). [25] CNET, “Watch Out For Hurricane Harvey Phishing [8] The Guardian, “US Authorities Battle Surge in Coron- Scams,” 2017, https://www.cnet.com/news/hurricane- avirus Scams, From Phishing to Fake Treatments,” 2020, harvey-charity-donations-scam-phishing-attack/ https://www.theguardian.com/world/2020/mar/19/ (Accessed 15 June 2020). coronavirus-scams-phishing-fake-treatments (Accessed [26] E. Elsworthy, “Hundreds of bushfire donation scams 15 June 2020). circulating,” 2020, https://www.abc.net.au/news/2020- [9] J. R. C. Nurse, “Cybercrime and You: How Criminals 02-07/australia-fires-sees-spike-in-fraudster- Attack and the Human Factors That They Seek to behaviour/11923174 (Accessed 15 June 2020). Exploit,” in The Oxford Handbook of Cyberpsychology. [27] Naked Security, “Michael jack- OUP, 2019. son’s death sparks off spam,” 2009, [10] Wired, “Hackers Are Targeting Hospi- https://nakedsecurity.sophos.com/2009/06/26/michael- tals Crippled by Coronavirus,” 2020, jackson-harvesting-email-addresses (Accessed 9 May https://www.wired.co.uk/article/coronavirus-hackers- 2020). cybercrime-phishing (Accessed 15 June 2020). [28] S. Hoffman, “Michael jackson’s death spurs spam, [11] UK’s National Cyber Security Centre (NCSC) and the malware campaigns,” 2009, https://www.crn.com/blogs- US’ Department of Homeland Security (DHS) Cyber- op-ed/the-channel-wire/218101623/michael-jacksons- security and Infrastructure Security Agency (CISA), death-spurs-spam-malware-campaigns.htm (Accessed 9 “Advisory: COVID-19 Exploited by Malicious Cyber May 2020). Actors,” 2020, https://www.ncsc.gov.uk/news/covid-19- [29] ESET, “You Have NOT Won! A Look at Fake FIFA exploited-by-cyber-actors-advisory (Accessed 15 June World Cup-themed Lotteries and Giveaways,” 2018, 2020). https://www.welivesecurity.com/2018/06/06/fake-fifa- [12] Hiscox, “The hiscox cyber readiness report 2019,” 2019, world-cup-themed-lotteries-giveaways/ (Accessed 15 https://www.hiscox.co.uk/cyberreadiness (Accessed 9 June 2020). May 2020). [30] T. Jansson, “Blackmailing and passwords leaks,” [13] Cybersecurity Ventures, “2019 offi- 2018, https://www.linkedin.com/pulse/blackmailing- cial annual cybercrime report,” 2019, passwords-leaks-thomas-jansson (Accessed 17 June https://www.herjavecgroup.com/the-2019-official- 2020). annual-cybercrime-report (Accessed 17 June 2020). [31] J. Segura, “Compromised linkedin accounts used [14] CBS Netherlands, “Less traditional crime, to send phishing links via private message and more cybercrime,” 2020, https://www.cbs.nl/en- inmail,” 2017, https://blog.malwarebytes.com/threat- gb/news/2020/10/less-traditional-crime-more- analysis/2017/09/compromised-linkedin-accounts-used- cybercrime (Accessed 9 May 2020). to-send-phishing-links-via-private-message-and-inmail [15] R. Anderson, C. Barton, R. Bolme,¨ R. Clayton, (Accessed 9 May 2020). C. Ganan,´ T. Grasso, M. Levi, T. Moore, and M. Vasek, [32] WHO, “#healthyathome,” 2020, “Measuring the changing cost of cybercrime,” Workshop https://www.who.int/news-room/campaigns/connecting- on the Economics of Information Security (WEIS), 2019. the-world-to-combat-coronavirus/healthyathome [16] M. McGuire, Understanding the Growth of Cybercrime (Accessed 9 May 2020). Economy. Bromium, 2018. [33] NHS, “10 tips to help if you are worried about coro- [17] M. Cross and D. L. Shinder, Scene of the cybercrime. navirus,” 2020, https://www.nhs.uk/oneyou/every-mind- Syngress Pub., 2008. matters/coronavirus-covid-19-anxiety-tips (Accessed 9 [18] M. Yar, “The novelty of ’cybercrime’ an assessment in May 2020). light of routine activity theory,” European Journal of [34] S. Gallagher and A. Brandt, “Facing Criminology, vol. 2, no. 4, pp. 407–427, 2005. down the myriad threats tied to covid- [19] D. R. Cressey, Other people’s money; a study of the 19,” 2020, https://news.sophos.com/en- social psychology of embezzlement. Free Press, 1953. us/2020/04/14/covidmalware (Accessed 9 May 2020). [20] N. Dhanjani, B. Rios, and B. Hardin, Hacking: The Next [35] F. Shi, “Threat spotlight: Coronavirus-related phishing,” Generation: The Next Generation. O’Reilly Media, 2020, https://blog.barracuda.com/2020/03/26/threat- Inc., 2009. spotlight-coronavirus-related-phishing (Accessed 9 May [21] F. Stajano and P. Wilson, “Understanding scam victims: 2020). seven principles for systems security,” Communications [36] N. Kumaran and S. Lugani, “Protecting businesses of the ACM, vol. 54, no. 3, pp. 70–75, 2011. against cyber threats during covid-19 and beyond,” [22] K. Tysiac, “How cybercriminals prey 2020, https://cloud.google.com/blog/products/identity- on victims of natural disasters,” 2018, security/protecting-against-cyber-threats-during-covid- https://www.journalofaccountancy.com/news/2018/ 19-and-beyond (Accessed 17 June 2020). sep/cyber-criminals-prey-on-natural-disaster-victims- [37] T. L. O’Brien, “Covid aid scams and dodgy 17

deals could have been avoided,” 2020, espionage,” 2020, https://www.fireeye.com/blog/threat- https://www.bloomberg.com/opinion/articles/2020- research/2020/04/apt32-targeting-chinese-government- 05-01/coronavirus-trillions-in-aid-draws-scams-and- in-covid-19-related-espionage.html (Accessed 17 June dodgy-deals (Accessed 9 May 2020). 2020). [38] D. Galov, “Remote spring: the rise of rdp bruteforce [52] L. O’Donnell, “Skype phishing attack attacks,” 2020, https://securelist.com/remote-spring-the- targets remote workers’ passwords,” 2020, rise-of-rdp-bruteforce-attacks/96820 (Accessed 9 May https://threatpost.com/skype-phishing-attack-targets- 2020). remote-workers-passwords/155068/ (Accessed 30 May [39] NCSC, “Home working: preparing 2020). your organisation and staff,” 2020, [53] CNET, “Fake Coronavirus Tracking Apps https://www.ncsc.gov.uk/guidance/home-working Are Really Malware That Stalks You,” 2020, (Accessed 9 May 2020). https://www.cnet.com/news/fake-coronavirus-tracking- [40] NIST, “Security for enterprise telework, remote access, apps-are-really-malware-that-stalks-its-users/ (Accessed and bring your own device (byod) solutions,” 2020, 15 June 2020). https://csrc.nist.gov/CSRC/media/Publications/Shared/ [54] L. Shepherd and K. Renaud, “How to design browser documents/itl-bulletin/itlbul2020-03.pdf (Accessed 9 security and privacy alerts,” in AISB 2018. Society May 2020). for the Study of Artificial Intelligence and Simulation [41] FTC, “Online security tips for for Behaviour (AISB), Apr. 2018, pp. 21–28, 2018 working from home,” 2020, AISB Convention : Symposium on Digital Behaviour https://www.consumer.ftc.gov/blog/2020/03/online- Intervention for Cyber Security. security-tips-working-home (Accessed 9 May 2020). [55] S. Chockalingam, W. Pieters, A. Teixeira, and P. van [42] G. Tsakalidis and K. Vergidis, “A systematic approach Gelder, “Bayesian network models in cyber security: a toward description and classification of cybercrime in- systematic review,” in Nordic Conference on Secure IT cidents,” IEEE Transactions on Systems, Man, and Cy- Systems. Springer, 2017, pp. 105–122. bernetics: Systems, vol. 49, no. 4, pp. 710–729, 2017. [56] Google, “Google Translate,” 2020, [43] I. Kotenko and A. Chechulin, “A cyber attack modeling https://translate.google.co.uk/ (Accessed 30 May and impact assessment framework,” in 2013 5th Inter- 2020). national Conference on Cyber Conflict (CYCON 2013). [57] World Health Organisation (WHO), “Coron- IEEE, 2013, pp. 1–24. avirus disease (COVID-19) pandemic,” 2020, [44] H. Hindy, D. Brosset, E. Bayne, A. Seeam, C. Tachtatzis, https://www.who.int/zh/emergencies/diseases/novel- R. Atkinson, and X. Bellekens, “A taxonomy and survey coronavirus-2019 (Accessed 18 June 2020). of intrusion detection system design techniques, network [58] The Ministry of Health, Labour and Welfare, “Latest threats and datasets,” arXiv preprint arXiv:1806.03517, information on Coronavirus disease 2019 (COVID-19).” 2018. 2020, https://www.mhlw.go.jp/stf/seisakunitsuite/bunya/ [45] O. Kolomiyets, S. Bethard, and M.-F. Moens, “Extract- 0000164708 00001.html (Accessed 30 May 2020). ing narrative timelines as temporal dependency struc- [59] G.-y. Wang, H.-m. Wang, Z.-j. Chen, and M. Xian, tures,” in Proceedings of the 50th Annual Meeting of “Research on computer network attack modeling based the Association for Computational Linguistics: Long on attack graph [j],” Journal of National University of Papers-Volume 1. Association for Computational Lin- Defense Technology, vol. 4, 2009. guistics, 2012, pp. 88–97. [60] World Health Organisation (WHO), “Who reports [46] R. Van Heerden, S. Von Soms, and R. Mooi, “Classifica- fivefold increase in cyber attacks, urges vigilance,” tion of cyber attacks in south africa,” in 2016 IST-Africa 2020, https://www.who.int/zh/news-room/detail/23-04- Week Conference. IEEE, 2016, pp. 1–16. 2020-who-reports-fivefold-increase-in-cyber-attacks- [47] N. Horton and A. DeSimone, “Sony’s nightmare before urges-vigilance (Accessed 18 June 2020). christmas: The 2014 north korean cyber attack on sony [61] Jisho, “Cyber attack,” 2020, https://jisho.org/search (Ac- and lessons for us government actions in cyberspace,” cessed 30 May 2020). JHUAPL Laurel United States, Tech. Rep., 2018. [62] Le Parisien, “Municipal:“massive” computer [48] N. Falliere, L. O. Murchu, and E. Chien, “W32. stuxnet attack at the town hall of marseille,” 2020, dossier,” White paper, Security Response, vol. 5, no. 6, http://www.leparisien.fr/elections/municipales/municipales- p. 29, 2011. attaque-informatique-massive-a-la-mairie-de-marseille- [49] World Health Organisation (WHO), “Naming the coron- 15-03-2020-8280114.php (Accessed 30 May 2020). avirus disease (COVID-19) and the virus that causes it,” [63] la Repubblica, “Cyber attack on easyjet, compromised 2020, https://www.who.int/emergencies/diseases/novel- the data of nine million customers,” 2020, coronavirus-2019/technical-guidance/naming-the- https://www.repubblica.it/tecnologia/sicurezza/2020/05/19/ coronavirus-disease-(covid-2019)-and-the-virus-that- news/attacco informatico a easyjet causes-it (Accessed 15 June 2020). compromessi i dati di nove milioni di clienti- [50] CPS, “Cybercrime - prosecution guidance,” The 257099879/ (Accessed 30 May 2020). Crown Prosecution Service (CPS), Tech. Rep., 2019, [64]S. O.´ Ciardhuain,´ “An extended model of cybercrime in- https://www.cps.gov.uk/legal-guidance/cybercrime- vestigations,” International Journal of Digital Evidence, prosecution-guidance (Accessed 17 June 2020). vol. 3, no. 1, pp. 1–22, 2004. [51] S. Henderson, G. Roncone, S. Jones, J. Hultquist, and [65] J. L. Cebula and L. R. Young, “A taxonomy of opera- B. Read, “Vietnamese threat actors apt32 targeting tional cyber security risks,” Carnegie Mellon University, wuhan government and chinese ministry of emergency Software Engineering Institute, Tech. Rep., 2010. management in latest example of covid-19 related [66] A. Nicholson, T. Watson, P. Norris, A. Duffy, and R. Is- 18

bell, “A taxonomy of technical attribution techniques for [79] smzdm.com, “Hackers are using the ”coronavirus” fear cyber attacks,” in European Conference on Information for phishing, please pay attention to prevention!” 2020, Warfare and Security. Academic Conferences Interna- https://post.smzdm.com/p/a07ol5x0/ (Accessed 30 May tional Limited, 2012, p. 188. 2020). [67] H. Hindy, D. Brosset, E. Bayne, A. Seeam, C. Tach- [80] CSDN, “Take advantage of the fire! “the tatzis, R. Atkinson, and X. Bellekens, “A taxonomy epidemic is a bait” cyber attack,” 2020, of network threats and the effect of current datasets https://blog.csdn.net/weixin 43634380/article/details/ on intrusion detection systems,” IEEE Access, pp. 1–1, 104237121 (Accessed 30 May 2020). 2020. [81] TechRepublic, “Global shipping industry [68] M. McGuire and S. Dowling, “Chapter 1: Cyber- attacked by coronavirus-themed malware,” 2020, dependent crimes,” Home Office, Tech. Rep., 2013, https://www.techrepublic.com/article/global-shipping- https://assets.publishing.service.gov.uk/government industry-attacked-by-coronavirus-themed-malware/ /uploads/system/uploads/attachment data/ (Accessed 30 May 2020). file/246751/horr75-chap1.pdf (Accessed 18 June [82] cqgbxa.com, “Fighting the spread of coronaviruses 2020). who faces severe cybersecurity threats,” 2020, [69] ——, “Chapter 2: Cyber-enabled crimes - fraud www.cqgbxa.com/newshy/67936.html (Accessed and theft,” Home Office, Tech. Rep., 2013, 30 May 2020). https://assets.publishing.service.gov.uk/government/uploads [83] S. Patranobis, “Indian Hackers Targeting Chinese /system/uploads/attachment data/file Medical Institutes Amid Coronavirus Outbreak, Says /248621/horr75-chap2.pdf (Accessed 18 June 2020). Report,” 2020, https://www.hindustantimes.com/world- [70] Kaspersky, “Research Reveals Hacker news/indian-hackers-targetting-chinese-medical- Tactics: Cybercriminals Use DDoS as institutes-amid-coronavirus-outbreak-says-report/story- Smokescreen for Other Attacks on Business,” piDHQeY4UfTVy8BWa2GG3O.html, (Accessed on 12 2016, https://www.kaspersky.com/about/press- June 2020). releases/2016 research-reveals-hacker-tactics- [84] freebuf.com, “Analysis and suggestions on cybercriminals-use-ddos-as-smokescreen-for-other- several types of network security threats attacks-on-business (Accessed 15 June 2020). during the epidemic prevention and control [71] X. Bellekens, G. Jayasekara, H. Hindy, M. Bures, period,” 2020, https://www.freebuf.com/company- D. Brosset, C. Tachtatzis, and R. Atkinson, “From cyber- information/227585.html (Accessed 30 May 2020). security deception to manipulation and gratification [85] Stonefly, “Coronavirus and ransomware through gamification,” in International Conference on infection - what’s the connection?” 2020, Human-Computer Interaction. Springer, 2019, pp. 99– https://stonefly.com/blog/coronavirus-ransomware- 114. infection-whats-the-connection (Accessed 12 June [72] J. Fruhlinger, “Recent ransomware attacks 2020). define the malware’s new age,” 2020, [86] The Register, “Fresh virus misery for illinois: https://www.csoonline.com/article/3212260/recent- Public health agency taken down by... web ransomware-attacks-define-the-malwares-new-age.html ransomware. great timing, scumbags,” 2020, (Accessed 30 May 2020). https://www.theregister.co.uk/2020/03/12/ [73] Malwarebytes, “2020 state of malware report,” 2020, ransomware illinois health/ (Accessed 30 May 2020). https://resources.malwarebytes.com/files/2020/02 [87] R. Millman, “Coronavirus test results delayed /2020 State-of-Malware-Report.pdf (Accessed 30 May by cyber-attack on czech hospital,” 2020, 2020). https://www.scmagazineuk.com/coronavirus- [74] AON, “Social engineering attacks and covid-19,” 2020, test-results-delayed-cyber-attack-czech- https://www.aon.com/cyber-solutions/thinking/social- hospital/article/1677194 (Accessed 30 May 2020). engineering-attacks-and-covid-19/ (Accessed 17 June [88] S. Stein and J. Jacobs, “Cyber-attack hits u.s. 2020). health agency amid covid-19 outbreak,” 2020, [75] Forbes, “Chinese hackers ‘weaponize’ coronavirus data https://www.bloomberg.com/news/articles/2020-03- for new cyber attack: Here’s what they did,” 2020, 16/u-s-health-agency-suffers-cyber-attack-during-covid- https://www.forbes.com/sites/zakdoffman/2020/03/12/ 19-response (Accessed 30 May 2020). chinese-hackers-weaponized-coronavirus-data- [89] K. D. Rosso, “New threat discovery shows commercial to-launch-this-new-cyber-attack/#196851b03861 surveillanceware operators latest to exploit covid- (Accessed 30 May 2020). 19,” 2020, https://blog.lookout.com/commercial- [76] F-Secure, “Coronavirus email attacks evolving surveillanceware-operators-latest-to-take-advantage-of- as outbreak spreads,” 2020, https://blog.f- covid-19 (Accessed 30 May 2020). secure.com/coronavirus-email-attacks-evolving-as- [90] S. Desai, “New android app offers coronavirus outbreak-spreads/ (Accessed 30 May 2020). safety mask but delivers sms trojan,” 2020, [77] Kaspersky, “Coronavirus phishing,” 2020, https://www.zscaler.com/blogs/research/new-android- https://www.kaspersky.com/blog/coronavirus- app-offers-coronavirus-safety-mask-delivers-sms-trojan phishing/32395/ (Accessed 30 May 2020). (Accessed 30 May 2020). [78] J. Walter, “Threat Intel:Cyber Attacks Leveraging [91] N. FitzGerald, “Scams, lies, and coronavirus,” 2020, the COVID-19/CoronaVirus Pandemic,” 2020, https://www.welivesecurity.com/2020/04/17/scams-lies- https://labs.sentinelone.com/threat-intel-update-cyber- coronavirus/ (Accessed 30 May 2020). attacks-leveraging-the-covid-19-coronavirus-pandemic/, [92] Murica Today, “Cyber-attack threatens (Accessed 10 June 2020). spanish hospital computer systems,” 2020, 19

https://murciatoday.com/cyber attack threatens spanish magazine.com/news/hmrc-covid19-phishing-scams/, hospital computer systems 1367723-a.html (Accessed 10 June 2020). (Accessed 30 May 2020). [107] U. Government, “Budget 2020: [93] B. Koenig, “Covid sms phishing attempt,” 2020, What You Need to Know,” 2020, https://twitter.com/BigBenKoenig/status/ https://www.gov.uk/government/news/budget-2020- 1242503232527589376 (Accessed 30 May 2020). what-you-need-to-know, (Accessed 10 June 2020). [94] Glos Safe Cyber, “Our @glospolice fcr have had calls [108] Swansea Council, “Coronavirus Scams,” 2020, asking if covid-19 texts like the below are genuine,” https://www.swansea.gov.uk/coronavirusscam, 2020, https://twitter.com/GlosSaferCyber/status (Accessed 10 June 2020). /1242525105508532225 (Accessed 30 May 2020). [109] X. Bellekens, A. Hamilton, P. Seeam, K. Nieradzinska, [95] J. Rodger, “The school meals coronavirus text scam Q. Franssen, and A. Seeam, “Pervasive ehealth services which could trick parents out of thousands,” 2020, a security and privacy risk awareness survey,” in 2016 https://www.birminghammail.co.uk/news/midlands- International Conference On Cyber Situational Aware- news/school-meals-coronavirus-text-scam-17975311 ness, Data Analytics And Assessment (CyberSA). IEEE, (Accessed 30 May 2020). 2016, pp. 1–4. [96] P. Muncaster, “Android malware takes [110] C. Iuga, J. R. C. Nurse, and A. Erola, “Baiting the hook: payment for ’coronavirus finder’ map,” 2020, factors impacting susceptibility to phishing attacks,” https://www.infosecurity-magazine.com/news/android- Human-centric Computing and Information Sciences, malware-payment/ (Accessed 30 May 2020). vol. 6, no. 1, p. 8, 2016. [97] G. Strawbridge, “Warning over [111] Daily Mail, “Cyber Criminals Create a Spoof coronavirus netflix scam,” 2020, Copy of the NHS Website in the Midst of https://www.metacompliance.com/blog/warning-over- the Coronavirus Pandemic to Trick Users Into coronavirus-netflix-scam/ (Accessed 30 May 2020). Downloading Dangerous Malware That Can Steal [98] J. Chadwick, “Cyber criminals create a spoof copy of Their Passwords and Credit Card Data,” 2020, the nhs website in the midst of the coronavirus pandemic https://www.dailymail.co.uk/sciencetech/article- to trick users into downloading dangerous malware 8250737/Kaspersky-detects-fake-NHS-site-steals- that can steal their passwords and credit card data,” credit-card-data.html (Accessed 15 June 2020). 2020, https://www.dailymail.co.uk/sciencetech/article- [112] Check Point, “Coronavirus Cyber-attacks 8250737/Kaspersky-detects-fake-NHS-site-steals-credit- Update: Beware of the Phish,” 2020, card-data.html (Accessed 30 May 2020). https://blog.checkpoint.com/2020/05/12/coronavirus- [99] D. C. R. Magazine, “Hackers exploit hmrc coronavirus cyber-attacks-update-beware-of-the-phish/ (Accessed 17 job retention scheme with phishing email scam,” May 2020). 2020, https://datacentrereview.com/news/1680-hackers- [113] Forbes, “There Are Now More Than 40,000 ’High- exploit-hmrc-coronavirus-job-retention-scheme-with- Risk’ COVID-19 Threats On The Web,” 2020, phishing-email-scam (Accessed 30 May 2020). https://www.forbes.com/sites/thomasbrewster/2020/04/22/ [100] L. Abrams, “New coronavirus screenlocker there-are-now-more-than-40000-high-risk-covid-19– malware is extremely annoying,” 2020, threats-on-the-web/ (Accessed 17 May 2020). https://www.bleepingcomputer.com/news/security/new- [114] US Department of Justice (DOJ), “Covid-19 fraud,” coronavirus-screenlocker-malware-is-extremely- 2020, https://www.justice.gov/usao-edky/covid-19- annoying/ (Accessed 30 May 2020). fraud-1 (Accessed 15 June 2020). [101] Dark Reading, “Docusign phishing cam- [115] X. J. Bellekens, K. Nieradzinska, A. Bellekens, paign uses covid-19 as bait,” 2020, P. Seeam, A. W. Hamilton, and A. Seeam, “A study on https://www.darkreading.com/attacks- situational awareness security and privacy of wearable breaches/docusign-phishing-campaign-uses-covid- health monitoring devices.” IJCSA, vol. 1, no. 1, pp. 19-as-bait/d/d-id/1337776 (Accessed 30 May 2020). 74–96, 2016. [102] Mimecast, “New Threat Intelligence Re- [116] Food and Drugs Administration (FDA), “Fraudulent port:100 Days of Coronavirus,” 2020, coronavirus disease 2019 (covid-19) products,” https://www.mimecast.com/blog/2020/05/100-days- 2020, https://www.fda.gov/consumers/health-fraud- of-coronavirus/, (Accessed 15 June 2020). scams/fraudulent-coronavirus-disease-2019-covid-19- [103] NCSC, “NCSC Shines Light on Scams Being Foiled products (Accessed 15 June 2020). via Pioneering New Reporting Service,” 2020, [117] European Anti-Fraud Office (OLAF), “OLAF Launches https://www.actionfraud.police.uk/news/cyber-experts- Enquiry into Fake COVID-19 Related Products,” 2020, shine-light-on-online-scams-as-british-public-flag-over- https://ec.europa.eu/anti-fraud/media-corner/news/20- 160000-suspect-emails, (Accessed 7 May 2020). 03-2020/olaf-launches-enquiry-fake-covid-19-related- [104] Sky News, “Coronavirus: Fraud victims have lost products en (Accessed 17 May 2020). more than £4.6m to virus-related scams,” 2020, [118] UK Government, “UK Medicines and Medical https://news.sky.com/story/coronavirus-fraud-victims- Devices Regulator Investigating 14 Cases of Fake have-lost-more-than-4-6m-to-virus-related-scams- or Unlicensed COVID-19 Medical Products,” 2020, 11996721, (Accessed 10 June 2020). https://www.gov.uk/government/news/uk-medicines- [105] J. Tidy, “Coronavirus: Israel enables emergency spy and-medical-devices-regulator-investigating-14-cases- powers,” 2020, https://www.bbc.co.uk/news/technology- of-fake-or-unlicensed-covid-19-medical-products 51930681 (Accessed 30 May 2020). (Accessed 17 May 2020). [106] M. Hill, “HMRC Shuts Down Almost 300 COVID19 [119] Sophos, “Dirty little secret extortion email Phishing Scam Sites,” 2020, https://www.infosecurity- threatens to give your family coronavirus,” 2020, 20

https://nakedsecurity.sophos.com/2020/03/19/dirty- (Accessed 19 June 2020). little-secret-extortion-email-threatens-to-give-your- [132] A. Downey, “NHS contact-tracing app family-coronavirus/ (Accessed 15 June 2020). ‘falls short of data protection law’,” 2020, [120] Domain Tools, “Covidlock update: Deeper analysis https://www.digitalhealth.net/2020/05/nhs-contact- of coronavirus android ransomware,” 2020, tracing-app-falls-short-of-data-protection-law/ https://www.domaintools.com/resources/blog/covidlock- (Accessed on 20 June 2020). update-coronavirus-ransomware (Accessed 15 June [133] NHSXIG Team, “Covid-19 information 2020). governance advice for ig professionals,” 2020, [121] Incisive Media: Computing, “Spanish Hospitals https://www.nhsx.nhs.uk/covid-19-response/data-and- Targeted With Coronavirus-themed Phishing information-governance/information-governance/covid- Lures in Netwalker Ransomware Attacks,” 2020, 19-information-governance-advice-ig-professionals/ https://www.computing.co.uk/news/4012969/hospitals- (Accessed 18 June 2020). coronavirus-ransomware (Accessed 15 June 2020). [134] W. Price and I. Cohen, “Privacy in the age of medical [122] BleepingComputer, “Ransomware Gangs to Stop big data,” Nature Medicine, vol. 25, 01 2019. Attacking Health Orgs During Pandemic,” 2020, [135] N.-Y. Ahn, J. E. Park, D. H. Lee, and P. C. Hong, https://www.bleepingcomputer.com/news/security “Balancing personal privacy and public safety in covid- /ransomware-gangs-to-stop-attacking-health-orgs- 19: Case of korea and france,” 2020. during-pandemic/ (Accessed 15 June 2020). [136] AstraZeneca, “AstraZeneca Advances Response to [123] InfoSecurity, “Trickbot Named Most Prolific Global COVID-19 Challenge as it Receives First #COVID19 Malware,” 2020, https://www.infosecurity- Commitments for Oxford’s Potential New Vaccine,” magazine.com/news/trickbot-named-most-prolific/ 2020, https://www.astrazeneca.com/media-centre/press- (Accessed 15 June 2020). releases/2020/astrazeneca-advances-response-to-global- [124] SonicWall, “Coronavirus Trojan covid-19-challenge-as-it-receives-first-commitments- Overwriting The MBR,” 2020, for-oxfords-potential-new-vaccine.html (Accessed on https://securitynews.sonicwall.com/xmlpost/coronavirus- 20 June 2020). trojan-overwriting-the-mbr/ (Accessed 15 June 2020). [137] A. Downey, “COVID-19: Collaboration is the Engine of [125] I. Agrafiotis, J. R. C. Nurse, M. Goldsmith, S. Creese, Global Science – Especially for Developing Countries,” and D. Upton, “A Taxonomy of Cyber-harms: Defining 2020, https://www.weforum.org/agenda/2020/05/global- the Impacts of Cyber-attacks and Understanding How science-collaboration-open-source-covid-19/ (Accessed They Propagate,” Journal of Cybersecurity, vol. 4, no. 1, on 20 June 2020). 2018. [138] M. Gagne, “The danger of mainstream media [126] Reuters, “FBI official says foreign hackers infections with viral and fake information,” have targeted COVID-19 research,” 2020, 2020, https://alibi.com/news/60740/The-Danger-of- https://uk.reuters.com/article/us-health-coronavirus- Mainstream-Media-Infections-with-Vir.html (Accessed cyber/foreign-state-hackers-target-u-s-coronavirus- 18 June 2020). treatment-research-fbi-official-idUKKBN21Y3GL [139] A. Cook, “Covid-19: Companies and (Accessed 15 June 2020). verticals at risk for cyber attacks,” 2020, [127] UK’s National Cyber Security Centre (NCSC) and the https://www.digitalshadows.com/blog-and- US’ Department of Homeland Security (DHS) Cyberse- research/covid-19-companies-and-verticals-at-risk- curity and Infrastructure Security Agency (CISA), “Ad- for-cyber-attacks/ (Accessed 17 June 2020). visory: APT groups target healthcare and essential ser- [140] B. Collier, S. Horgan, R. Jones, and L. Shepherd, The vices,” 2020, https://www.ncsc.gov.uk/news/apt-groups- implications of the COVID-19 pandemic for cybercrime target-healthcare-essential-services-advisory (Accessed policing in Scotland: a rapid review of the evidence 15 June 2020). and future considerations, ser. Research Evidence in [128] The Federal Bureau of Investigation (FBI), Policing: Pandemics. Scottish Institute for Policing “People’s Republic of China (PRC) Targeting Research, May 2020, no. 1. of COVID-19 Research Organizations,” 2020, https://www.fbi.gov/news/pressrel/press- releases/peoples-republic-of-china-prc-targeting-of- covid-19-research-organizations (Accessed 15 June 2020). [129] A. Pipikaite and N. Davis, “Why cybersecurity matters more than ever during the coronavirus pandemic,” 2020, https://www.weforum.org/agenda/2020/03/coronavirus- pandemic-cybersecurity/ (Accessed 18 June 2020). [130] Data Protection Commission, “Data Protection and COVID-19,” 2020, https://dataprotection.ie/en/news- media/blogs/data-protection-and-covid-19 (Accessed on 20 June 2020). [131] The Information Commissioner’s Office, “General data protection regulation (gdpr): Principle (b): Purpose limitation,” 2020, https://ico.org.uk/for-organisations/guide- to-data-protection/guide-to-the-general-data-protection- regulation-gdpr/principles/purpose-limitation/