M A L I C I O US AC TORS C APITALIZING ON

M AL I C IO U S AC TO R S CAPI TALI Z I N G ON

ABSTRACT – Coronavirus is spreading fast to all world regions, creating unprecedented confusion
and panic among people. Cyber malicious actors see this as an ideal situation to take advantage of
distracted individuals, organizations and nations, who must adapt fast to the changes affecting our
personal and business operations, by becoming security vigilant and resilient, and understand that
the risk of a cyberattack is much higher than usual in times of increased risks.

This paper provisions the risks caused by the increase of cyber malicious activities, showcases
short term mitigations to minimize these risks, looking that the situation requires immediate
action, then discuss long term mitigations to properly deal with future pandemics should they
occur again.
M AL I C IO U S AC TO R S CAPI TALI Z I N G ON

When coronavirus (COVID-19) first started in Similarly, Crowdstrike, a cybersecurity

late 2019 in Wuhan, China, there was only few
confirmed cases, and they were spread
between far east countries. Then by end of
February 2020, the number of cases started to
grow exponentially in all world regions to
exceed 207K confirmed cases (as of March 18,
2020)1.
As COVID19- is showing no signs of slowing
down, the World Health Organization (WHO)
characterized it as pandemic. In the meantime,
population of the world were experiencing
extreme confusion and panic due to unclarity of
real consequences and inability to control it.
That said, people became distracted by the
impact of COVID19- on world public health and
economy to the point that entities on all levels
(i.e. National, Organizational, and Individual)
have taken immediate measures to minimize
the spread of the virus. One of these measures
is counting heavily on technological means for
remote communication, daily activities, and
business operations.
Malicious cyber actors, on the other hand,
found this distraction and these measures an
ideal situation and an opportunity to exploit
low guards of abovementioned entities and the
increased usage of technology.
technology company (NASDAQ: CRWD)
reported several spam campaigns relating to the
outbreak of the virus whereby cyber criminals are
sending Coronavirus-themed emails with
malicious attachments to prey on people’s fear
and trying to distribute a malware3.
From their side, Proofpoint the cybersecurity
company (NASDAQ: PFPT) believes that entire
industries are being targeted.
They noted Coronavirus-themed email attacks
tried to play on concerns about disruptions to
global shipping. The hackers behind the
operation were “exclusively targeting industries
that are particularly susceptible to shipping
disruptions including manufacturing, industrial,
finance, transportation, pharmaceutical, and
cosmetic companies”4.
On that note, the European Central Bank (ECB)
warned banks, earlier this month, to prepare for a
jump in the number of cyber-attacks following
the higher reliance on remote banking services as
part of Coronavirus outbreak5.

In a study, Check Point the IT Security software

company (NASDAQ: CHKP) found that there
have been over 4,000 coronavirus-related
domains registered globally. Out of these
websites, %3 were found to be malicious and an
additional %5 are suspicious. In principle,
Coronavirus- related domains are %50 more
likely to be malicious than other domains
registered at the same period2.

1 https://ourworldindata.org/coronavirus#data-and-dashboards-from-other-sources – Coronavirus Disease (COVID19-) – Statistics and Research

2 Update: Coronavirus-themed domains %50 more likely to be malicious than other domains
3 https://www.cbsnews.com/news/coronavirus-cybercriminals-capitalize-on-fears-cyber-firm-crowdstrike-says/
4 https://www.forbes.com/sites/thomasbrewster/12/03/2020/coronavirus-scam-alert-watch-out-for-these-risky-covid-19-websites-and-emails/5#ab7656b1099
5 https://www.bloomberg.com/news/articles/06-03-2020/banks-told-to-prepare-for-cybercrime-jump-in-coronavirus-fallout
M AL I C IO U S AC TO R S CAPI TALI Z I N G ON

Furthermore, The Brno University Hospital in 1- INDIVIDUAL LEVEL

Czech Republic, reported that it was hit by a
cyberattack on March 13, 2020 right in the middle In these circumstances a worldwide campaign
of a COVID-19 outbreak, the incident was urging people to stay at home is propagating.
deemed severe enough to cancel all surgeries, and And subsequently, people are in domicile
re-route new acute patients to a nearby hospital6. quarantine reducing their physical gatherings,
and refraining from conducting their daily
Another cybersecurity company, FireEye activities in person.
(NASDAQ: FEYE) found that it’s not just
opportunistic scammers who are making the most Among other practices, people are counting
out of coronavirus; espionage groups associated more on their home WiFi, communicating
with China, North Korea and Russia have been through video or voice calls over WiFi, and
seen sending out spear phishing emails trying to conducting their shopping (i.e. grocery and
find routes onto adversarial networks7, through others) and banking transactions online.
legitimate attachments with malicious malware
hidden underneath to steal confidential data. The increased online usage is equivalent to
increased exposure to malicious activities on the
Bearing in mind all the above, there is a clear net. Among which, phishing attempts through
pattern of increased malicious cyber activities emails or through the web, which will allow
capitalizing on the coronavirus outbreak for cyber criminals to lure individuals into installing
different types of gains. And we believe the malwares leading to data theft, and into
targets will be distributed on entities of the providing sensitive data such as personally
following three levels: identifiable information, banking and credit card
details, and passwords.
1- Individual Level
2- Organizational (sectorial) Level
3- National Level
In the paragraphs to follow, we will provision the
risks caused by the increase of cyber malicious
activities at each of the 3 levels. We will also
showcase short term recommendations to
minimize these risks, looking that the situation
requires immediate action, then discuss long term
recommendations that requires from entities a
broader and higher-level view to identify and
respond to cyber threats caused by future
pandemics or similar urgencies.

6 https://www.zdnet.com/article/czech-hospital-hit-by-cyber-attack-while-in-the-midst-of-a-covid-19-outbreak/
7 https://www.forbes.com/sites/thomasbrewster/12/03/2020/coronavirus-scam-alert-watch-out-for-these-risky-covid-19-websites-and-emails/5#ab7656b1099
M AL I C IO U S AC TO R S CAPI TALI Z I N G ON
On the short term, people are advised to take
steps that secure their staying at home
experience:
Secure your home WiFi router through
enforcing a stronger encryption (WPA-2) and
a more complicated password.
Refrain from clicking on ads that are too good
to be true, or untrusted news site. Cyber
criminals might use these times to entice you
and land you on their sites or spread fake
news.
Refrain from downloading any attachment
unless it is received from a trusted source
Make sure to shop from well-established and
trusted retailers, and that the shopping site
uses a secure payment method
Always monitor the bank and card statement
for any unrecognized transactions
Make sure the apps and operating system on
your mobile and/or laptop are up to date
On the longer term, people are advised to be
prepared for any future emergencies:
Track their digital footprint e.g. disclosed
information on social media, accounts for
cloud storage, saved credit cards on
shopping sites, weak passwords used for
accounts /emails, etc.
Cutting down their footprint to minimum by
minimizing information about themselves that
are shared online, making sure the cloud
provider encrypts stored data, deleting saved
credit cards on retail sites or apps, changing
passwords across accounts to more complex
ones, etc.
Request from your bank to put a limit on online
spending to avoid big losses in case of credit
card theft
Use multi-factor authentication for emails and
other accounts to harden credentials theft and
protect your information
Search for and invest in a reputable and
cost-effective internet security program (anti-virus,
etc.) to continuously monitor malicious activities on
your device
Search for and invest in a reputable VPN for
personal use to encrypt your connections and
protect your privacy
Educate your family members about their
cyber responsibilities to stay safe and secure
M AL I C IO U S AC TO R S CAPI TALI Z I N G ON
2- ORGANIZATIONAL (SECTORIAL) LEVEL
Amid COVID-19 there is a surge in queries from
companies who anticipate employees will work
from home over the next three months, other
companies are implementing an employee shift
model. Both of which can leave companies from
different sectors becoming lucrative targets for
a myriad of cyber actors and threats, causing
different types of losses.
Although cybersecurity measures are usually set
up in workplaces to manage cyber risks, this is
not the case when employees work from home.
And with vulnerable home setup, it becomes
easier for malicious cyber actors to access the
company’s internal network should they wish to.
Once cyber actors are inside the network, they
can use it as starting point to initiate further
attacks, such as downloading malwares on
company’s servers or sending phishing emails
pretending to be from inside the company, and
lure employees into providing sensitive data.
Both of which will lead to company’s data
leakage.
Data leakage can have a major impact on
confidentiality, reputation, and competitiveness
of a company.
For example, while pharmaceuticals companies are
recording their test for a cure to Coronavirus, a
state-sponsored group could infiltrate the
company’s network to spy on and steal information
about the cure and test records. Which could also
land in the hands of a competitor who will gain a
competitive advantage.
Other examples of bad cyber practices that
could lead to data leakage are:
Employees working from home on company
data using a personal device and home WiFi
Employees working from home and using flash
memories to transfer data, as employees can
flee the cybersecurity controls in the
workplace
Employees working from home and don’t feel
the urge of browsing the internet safely
On a similar note, connecting to company’s
servers directly without using the company’s
VPN server have tremendous impact on privacy.
Loosing privacy of a connection to company’s
internal servers can reveal sensitive information
about their network architecture which could be
used by cyber actors to initiate cyber-attacks
including ransomware and denial of service. And
therefore, lead to business disruption and
monetary losses.
A previously mentioned example is the Czech
hospital that was hit by a ransomware attack and
was obliged to cancel all surgeries, leading to not
only loose patients to neighboring hospitals, but
also loose patients’ trust.
It is worth noting that the sector to which a given
company belongs to, defines the type of potential
losses. For example, cyber-attacks on manufacturing
sector might cause the halt of supply chains, they
might also cause unauthorized bank transfers and
loosing customer data should they hit the banking
sector, and disruption of airports’ operations should
they hit the transportation sector.
M AL I C IO U S AC TO R S CAPI TALI Z I N G ON
At times of increased risk, security teams must
be vigilant and resilient, and understand that the
risk of a cyberattack is much higher than usual as
malicious actors try to take advantage of
confused and panicked employees and third
parties that potentially have their guards down.
On a short term, organizations are required to
conduct quick fixes and intensify their
capabilities, as follows:
Conduct a quick review of the cyber risk
register to make sure it is up to date, and
aligned with organization strategy and
objectives
Keep all communication means open and urge
quick reporting between security team and
senior management for any major event
notification
Conduct a session with relevant stakeholders
to review the business continuity and disaster
recovery plans, and make sure everyone is
refreshed on their role and is on stand-by
Continuously monitor company network from
suspicious activities, whether external or
internal (originated from employees and/or
third parties)
Intensify threat hunting and threat
intelligence exercises to detect threats and
prevent incidents before occurring
Keep all servers, applications, and network
devices up to date
Send reminders to all employees from all
levels (executives, managers, and staff) on
security tips and appropriate use of assets
when off-site, including the usage of
organizations’ VPN server when remotely
connecting to the internal network
On longer term, organizations are required to review
their cyber security program altogether to make sure
it is agile enough to deal with future pandemics and
to factor in any lesson learned:
Update (or develop) a cyber strategy that aligns
with overall business strategy and objectives,
and with sectorial and regulatory requirements
Conduct a cyber risk assessment taking into
consideration the newly introduced threats and
caused impacts, compliance with regulatory,
sectorial and audit requirements
Update (or develop) a governance model that
takes into consideration emergency cases like
the Coronavirus pandemical situation. An
example would be to introduce an emergency
committee and underlying work groups with
decision making powers, that would allow for
taking quick decisions tackling the situation
appropriately and as needed
Update (or develop) cyber security processes to
factor in lessons learned to enact and accelerate
practices in times of emergencies, including
business continuity and disaster recovery, threat
hunting and threat intelligence, incident
response, patch management, etc.
Review contracts and SLA’s with third parties
and solution providers, including cyber
insurance policies
Coordinate & collaborate with law enforcement
on cyber security matters
Exchange incidents and events information on
sectorial level with peer organizations
Update (or develop) the security awareness
program taking into consideration best practices
in times of crises, including but not limited to
conducting red team and blue team exercises,
table-top and incident simulation exercises
Assess your technology performance during this
time and update or replace as appropriate. It is
also possible to introduce new technologies that
cater for times of emergencies
M AL I C IO U S AC TO R S CAPI TALI Z I N G ON
3- NATIONAL LEVEL
Turmoil on international markets came as the
outbreak continued to deepen around the world
and bring more restrictions on movements from
governments.
Stock markets in Europe and the US are braced for
their biggest falls since the 2008 financial crisis
caused by panic selling amid the threat of a
coronavirus-driven global recession8.
Additionally, manufacturers in more than a dozen
industries are facing supply chain crisis and
struggling to manage the pandemic’s growing
impact on their supply chains9.
On the other hand, Iranian, Russian, and Chinese
government-backed campaigns started to blame
the United States as the source of the emerging
public health crisis, claiming that the U.S had
developed this virus and using it as a biological
weapon.
There is no denying that different political,
economic, and military conflicts have had cyber
components for a number of years now, and
criminal and espionage activities happen every day.
Shamoon and Stuxnet, are perfect examples of
cyber-attacks, from distant and recent past,
hitting vital and critical infrastructure in the
Middle East due to political and economic
conflicts among the known adversarial axes.
Critical infrastructure in Ukraine was also hit by
a Russian cyber-attack as a result of a volatile
political environment between the two nations
following the conflict over Crimea annexation.
A very recent example, and amid the Coronavirus
outbreak, the US health and human services
(HHS) was hacked, and reported that the attack
was geared to slowing down HHS operations
related to the coronavirus
8 https://www.theguardian.com/world/2020/mar/09/panic-hits-global-markets-amid-threat-of-coronavirus-and-oil-price-slump
9 https://hbr.org/03/2020/coronavirus-is-proving-that-we-need-more-resilient-supply-chains
At the time of writing this paper, the reported
attack on HHS is still being investigated and
there is not yet an indication of who or what may
have been behind it.
With all the above in mind, and along the
unprecedented level of international tensions on
economic and political fronts, it is evident to
expect further cyber disruptions or espionage
activities of economic and political nature, that
might be originating from state-sponsored or
other organized groups.
Nations should therefore focus on the vigilance
and resilience of their infrastructure, particularly
the critical and vital parts of it.
On short term, nations are required to leverage
their existing cyber capabilities and enable quick
steps:
Conduct meetings on the level of miniature
government or supreme council of defense, to
confirm readiness in protecting the nation’s
critical infrastructure from novel cyber
incidents
Mobilize national CSIRTs teams responsible
for cyber protection of the nation and its
economy, and increase the level of their
readiness to maximize capabilities of
incidents response and recovery
Intensify law enforcements monitoring of
dark web forums, coordinating with
intelligence sources, and continuously
monitoring nation networks and information
for any suspicious activity
M AL I C IO U S AC TO R S CAPI TALI Z I N G ON

On longer term, nations are required to re-assess

their nation-wide cyber security capabilities and
strategic risks, factor in all lessons learned, and
make sure they have the required defenses and
action plans to deal with future pandemics:

Identify / validate the nation’s critical infrastructure

and
underlying assets

Re-assess nation-wide strategic threat and

capability analysis

Re-assess nation-wide strategic cyber security risks

Develop / review a nation-wide cyber security

roadmap and action plan to strengthen the nation’s
cyber capabilities, protect critical infrastructure and
foster a resilient economy. The roadmap must take
into consideration capabilities of all levels: strategy,
governance, talents and people, processes, and
technology.
BO O K A F REE CONSULTATION SE SSION

Mohamad Lawand
mohamad@blackhatch.me
(M): +971-0-52-340-1981
Zoom Personal Meeting ID: 346-780-9844