Over 1,000 files on cyberattacks collected by security provider CrowdStrike in March mentioned the COVID-19 coronavirus, and Adam Meyers, the company’s VP of Intelligence, said the trend will only continue through April.
“By the end of January, the threat actors had picked up that this was something that might be pretty useful for them,” Meyers said. From there, it’s been “wide open.”
In February, just a couple of files in the Crowdstrike malware repositories had been related to COVID-19 before the March spike.
Meyers explained, “They [threat actors] quickly pivoted once it became clear that COVID was in a news cycle … They started leveraging that to enable their operations.”
Often, threat actors will use social engineering to impersonate health organizations to take advantage of users. Spoofing documents from the World Health Organization or impersonating charities are ways threat actors may use the pandemic to enable fraud.
“Threat actors know that people are looking for information from these organizations,” Meyers said. “They’re going to create fictitious email from them in order to target individuals to get the credentials or to get them to open a document or click on a link.”
Crowdstrike also detected Chinese actors spreading misinformation online about the coronavirus. As much of the blame fell on China for the virus, Meyers said, the organization has detected Twitter bots propagating positive news about the country. To spot a Twitter bot, users should look for accounts with alphanumeric handles that display a positive view of China after having been dormant for long periods of time, he said.
Iranian actors have also been active throughout the COVID-19 situation. “We’ve observed more hostility between the United States, the West, and Iran,” Meyers said.
“The other thing that we’ve been observing is a potential targeting of healthcare by nation-states,” he said. While Crowdstrike hasn’t documented any “economic espionage” at this time, the organization is continuing to monitor the situation.
