EclecticIQ
July 27, 2020

EclecticIQ Pandemic Intelligence Update - Week 31

As Europe’s leading cyber threat intelligence company, we at EclecticIQ have decided to make use of our resources and provide the community with custom reports on threats connected to the COVID-19 pandemic throughout the duration of the crisis. This is the 19th report in a weekly series of updates to inform readers of important developments in COVID-19-themed attacks.

Key Findings
  • Threat actors remain persistent in targeting COVID-19 research.
  • The value of medical records now outstrips that of financial records, driving and incentivizing further attacks.
  • Threat actors will continue targeting and undermining government-sponsored COVID-19 public support services for exploitation.
  • Low download volume and privacy issues affect COVID-19 data collection in many European nations.

Persistent State Actors Targeting COVID-19 Research Undermine Global Vaccine Development.

The US has indicted two Chinese nationals for stealing “terabytes of sensitive data, including from companies developing COVID-19 vaccines, testing technology, and treatments while operating both for private financial gain and on behalf of China's Ministry of State Security”.

The pair, and others, operated targeted cyberattacks in Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden, and the UK from approximately September 1, 2009, through July 7, 2020.

Rising Valuation of Medical Records Drives Attacks on Healthcare.

Increased dark marketplace valuation of patient records is driving a surge in healthcare attacks. Patient records are now worth more than financial records or other personal identifiers, like Social Security Numbers. Medical record theft enables threat actors to engage in fraud and identity theft. Data theft from medical records is more difficult to detect in advance, before criminals utilize the information. Threat actors use spearphishing against individuals to gain an initial foothold inside healthcare networks, from which they can pivot to medical record databases.

Ransomware deployment is one method of accessing medical records post-compromise. Most of the current ransomware families can exfiltrate data prior to encryption. Operators can monetize the data via dark web auction if the target company does not engage the extortionists.

Further Evidence of Threat Actors Targeting Government Sponsored COVID-19 Public Support Services For Exploitation.

Education institutions face cyberattack risk from attacks on individual students. Students in the United States were targeted by threat actors using spearphishing and spoofed CARES Act financial relief webpages in order to collect Microsoft Office credentials. The timing of the attacks comes as students are debating whether to participate in the next school year. COVID-19 has very likely strained financial resources for students, and relief programs are very attractive right now. EclecticIQ analysts highlighted the risk from similar attacks in last week's update. It is likely that credential-stealing attacks will capture information on valid accounts that will be used to further target education.

Low Download Volume And Privacy Issues Compromise COVID-19 Data Collection And Tracking Which Affect Public Policy.

Poor implementation of COVID-19 mobile-based tracking apps is generating compromised data that is very likely to undermine management of infection rates by generating poor results. Many issues derive from low download rates that prevent effective aggregation of data. Other issues include poor privacy, which has caused some operations to halt or be redesigned.

Results from the apps are used to direct public policy. Many governments are relying on app-based tracking software to manage the effect of the pandemic into the future. Australia, Italy, Ireland, the UK, France, Germany, and Switzerland have all reported issues with their tracking apps and data for COVID-19.

Non-COVID-19-Themed Cyberattacks Introduce Greater Risk Compared to Pre-Pandemic Levels.

Organizations will continue to face growing risk from cyberattacks after the pandemic winds down as attacks continue to change themes and increase in general volume. Research across large data sets reveals that as lockdowns ended in May and June, threat actors increased their non-COVID-related activities, while still maintaining a 34% increase in all types of attack at the end of June compared to April, from peak activity between March and April 2020. Most attacks used phishing to deliver cryptominers, both of which are measured at higher volume in 2020 compared to 2019.