Unfettered by social distancing measures or economic concerns, cyber threat actors are taking full advantage of opportunities created by the coronavirus pandemic. United States health agencies are being tested by distributed denial of service (DDoS) attacks and social media disinformation campaigns as they scramble to respond to an unprecedented viral outbreak, and these attacks are thought to be backed by a hostile foreign government.
Federal health agency hit with DDoS attack
A large-scale DDoS attack was directed at the U.S. Health and Human Services Department sometime around March 15. A spokesperson for the National Security Council stated that the attack did not do any substantial damage and that the networks are being “continuously monitored” to mitigate any future attempts.
The DDoS attack involved millions of requests on the health agency’s servers over a period of several hours. A Health and Human Services spokesperson indicated that the government does not know who was behind the attack, but suspects a foreign government. The DDoS attack did not involve any network compromise, nor did it significantly slow down operations. The spokesperson indicated that the agency has put unspecified “extra protections” in place going forward.
Fake texts and tweets part of organized disinformation campaign
In addition to the DDoS attack, the National Security Council indicated that there is an ongoing disinformation campaign intended to sow fear and confusion in the American public that focuses on the health agencies. This is also believed to be backed by a foreign government.
The agency warns about fake text messages that claim a mandatory national quarantine or lockdown is imminent. This disinformation campaign is also circulating widely on social media platforms such as Twitter and Facebook, and usually involves someone claiming they heard about imminent National Guard mobilization for a lockdown from some sort of friend or family member with inside information.
The most damaging aspect of the disinformation campaign was a hack that managed to penetrate emergency MMS and SMS text-messaging systems used in a number of different cities in the US, which occurred just after Italy opted to lock down the entire country. The attackers sent out a bogus “warning” message claiming that public and emergency services were about to be shut down due to the coronavirus. These messages did not initially get out to the general public on a large scale, but did make their way to various emergency services personnel in a number of major cities including Boston, Washington DC and New York City.
There is no indication at present that a national quarantine or lockdown is being considered. Such a move would be logistically difficult and extremely unpopular politically. While President Trump has mentioned that the possibility has been discussed, he has also signaled a desire to avoid action of this sort by the federal government on several occasions. During his March 21 briefing, Trump indicated that the government is focusing on action in coronavirus “hot zones” and that a national shutdown was not being seriously considered at the time.
Perpetrators, motives and methods
The assumption that a foreign government is behind these cyber incidents is primarily based on the lack of any sort of profit motive behind shutting down health agency servers or spreading false rumors on social media. While the rumors could potentially be used to manipulate stock prices in an indirect way, it seems more likely that this is a coordinated effort given that the DDoS attack and the disinformation campaign emerged at about the same time.
Anonymous officials told ABC News that they believe Russia or China are the most likely perpetrators. This would not at all be a surprising move by either of these American adversaries, but particularly not for Russia. Russian “troll farms” that use fake social media accounts to pose as Americans and stir up dissent and division have been making the news since the widespread interference in the 2016 election, but have likely been working for over a decade now. This sort of disinformation campaign is precisely their MO.
Any state-sponsored threat actor is capable of using a botnet, but DDoS attacks against other countries have been the hallmark of two particular hacking groups in recent years: APT 28, aka Russia’s infamous “Fancy Bear” group, and APT 33 (Elfin Team) out of Iran.
Greg Wendt, Executive Director of Appsian, points out that though these health agencies have been successfully able to mitigate DDoS attacks they may be ripe for more targeted and sophisticated breach attempts: ” … government institutions such as the HHS are key targets for cyberattacks, and given that the government has many applications and systems that were written and developed 35-40 years ago, the process to modernize and transform the critical nature of data is a lengthy one and not a process that can be successfully done overnight.”
New challenges for both government and private industry
The cyber challenges posed by the coronavirus outbreak are not limited to health agencies. Private industry and individuals can also expect online predators to attempt to take advantage of the situation. Thomas Hatch, CTO and Co-Founder at SaltStack, a Lehi, Utah-based provider of intelligent IT automation software, foresees an inevitable increase in attacks on certain business sectors: “Petty thieves will assume that classical attacks are going to be more effective because cyber defense staffing is likely distracted right now dealing with the influx of issues that come from a demand shift for specific services. Organized groups are likely empowered by the situation and will want to take advantage of it. They can attack specific services, particularly financial institutions because of the overall distracted nature of the defenders.”
Leading security firm Crowdstrike is reporting a significant increase in activity in phishing campaigns concurrent with global implementation of coronavirus restrictions. Early examples that have been spotted in the wild have promised free vaccines or offers of charity relief. Some targeted attacks on health care organizations have claimed to be related to shipments of ventilators or personal protective equipment. Hackers are also commonly attempting to pose as a legitimate health agency such as the WHO or CDC.