Key Findings
- APT groups participate in opportunistic intelligence gathering targeting European government entities.
- School systems remain highly vulnerable to cyberattacks during the start of the school year as a result of increased online remote collaboration.
- Research organizations participating in COVID-19 research face very high risk of cyberattacks on medical technology.
- Amplification of misinformation in social media regarding COVID-19 makes it easier for threat actors to redirect victims to malicious infrastructure.
Analysis
China-linked APT Targets European Government Entities Involved in COVID-19 Public Policy.
APT group TA413 has attempted to penetrate various European government offices involved in COVID-19 public policy and economics, using lures that mimic important communications from the WHO. The attacks primarily involve a remote access trojan (RAT) dubbed Sepulcher, which uses Living-off-the-Land techniques to evade detection during installation and encrypts its C2 communications. It is likely that these operations have expanded since March 2020 and represent broader, opportunistic intelligence gathering, at a time when many nations are preoccupied with continuous developments in the pandemic.
Threat actors will very likely intensify attacks against school systems.
New patterns of school operation decrease the resilience of education systems against cyberattacks. As students and faculty adjust to new learning patterns induced by social distancing, it will be easier for attackers to launch social engineering attacks. Threat actors will almost certainly use phishing to target students and faculty with the aim of either capturing credentials or redirecting victims to malicious websites that launch further payloads. Threat actor operations will seek to disrupt remote learning systems, including Zoom and other conferencing software. Tactics, techniques, and procedures (TTPs) are very likely to include Distributed Denial of Service (DDoS), exploitation of software vulnerabilities for unauthorized access, and exploitation of poorly protected valid accounts on remote infrastructure. Threat actors will seek to fulfill financial extortion and dystopian motivations.
Companies participating in COVID-19 research should remain on high alert from advanced threat actors.
Research organizations face a higher risk of attack because they are less likely to have a robust, enterprise-grade security system. The highly collaborative nature of the global research effort for a COVID-19 cure creates many points of exchange between research departments from which APT groups may attempt to steal information. State-backed groups have increased incentive to attack research as nations race to control and develop vaccine technology:
- Moderna was attacked after it entered final-phase clinical trials for a potential vaccine in August 2020.
- 10x Genomics had vaccine data stolen in April 2020.
- Hammersmith Medicines Research was attacked in March 2020, but stolen data did not include any proprietary research.
Social media manipulation operations are becoming more sophisticated and bring risk to a growing audience.
A recent study of Twitter activity featuring COVID-19 information found that bots comprised 20%-30% of all activity that involved spreading COVID-19 misinformation. Bots increasingly operate within their own semi-autonomous networks to drive curated media distribution. The internetworking of bot accounts mixed with human activity makes the initial seeding of material more difficult to detect.
Findings in the study are likely underrepresentative, as the data was driven and limited by “low-credibility domains” as a starting point for the research. There are many forms of media that misinformation operations can weaponize. An earlier study of COVID-19 and “Reopen America” themes from March 2020 found that bots represented 45%-60% of all traffic across 200 million tweets.
As Europe’s leading cyber threat intelligence company, we at EclecticIQ have decided to make use of our resources and provide the community with custom reports on threats connected to the COVID-19 pandemic throughout the duration of the crisis. This is the 25th report in a weekly series of updates to inform readers of important developments in COVID-19-themed attacks.