Another Critical COVID-19 Shortage: Digital Security

John Scott-Railton
7 min readMar 23, 2020

--

We all know about global shortages of ventilators, protective equipment, and pharmaceuticals. But as work moves home, it will be much less secure, harder to defend, and easier to snoop on.

Working From Home & At Risk…From Hackers

As a researcher investigating state-sponsored hacking I’ve been trying to think about what COVID-19 means for cybersecurity. My guesses begin at as I look around me, with the massive growth of work-from-home, and how it will will make life easier on hackers, and harder on defenders.

Rule 34 for books on Amazon says…

Last week, as workplaces emptied into the stubble-and-sweatpants of full-time-remote-work most desktops stayed at the office. Some employers sent staff home with fleets of laptops and phones. Most did not.

…The new work desktop in the era of COVID-19 is an unpatched, crusty laptop that spent the past two years Netflix & chilling…

Predictably, the world’s business has slid into a world of personal devices, personal chat & calling apps, and un-administered, unpatched home wifi routers and networks. This is some remarkable, quick moving resiliency. It is also introducing serious new risks that could lead us to be re-victimized digitally.

The New Workplace Has More Doors, Fewer Locks

It has always been a challenge for administrators to make sure that sensitive work is conducted over work networks and on work devices. The new reality of COVID-19 is that employees need:

  • More remote access to networks and resources
  • To access new resources as colleagues take sick leave
  • To conduct business on personal devices, accounts and apps

Once it would be a rarity for a major deal, or sensitive negotiation to have someone joining from a home office, on a personal device. For a while, it will be the new normal.

Browsing in the time of COVID-19

The baseline for most personal devices is default-insecure. The new work desktop in the era of COVID-19 is going to be an unpatched, crusty laptop that spent the past two years Netflix & chilling.

We already see plenty of COVID-19 related internet opportunism, from themed phishing and ransomware, to more esoteric attacks. Most internet-connected personal (and work!) devices will swim in this threat-and-nuisance soup for months.

Internet threat soup, pandemic edition. Source

Depending on demographics and income, personal devices like laptops will do double and triple duty. Kids will submit homework, roommates format CVs, do taxes, and partners borrow something that doesn’t freeze on the flavor-of-the-week teleconferencing app their work is rolling out. If ever there was a petri dish…

Blurring work & personal accounts

Work conferencing and chatting solutions are a mixed bag in the best of times. As users struggle with network latencies and bandwidth, and the need to talk to other organizations, many are pivoting to personal accounts on services like WhatsApp and iMessage.

While moving to end-to-end encrypted chats has many benefits, it can also contribute to the further blurring of work and personal accounts and devices, and paint a target on a device or an account that the owner has never thought to secure.

…and your adversaries have a video feed!

The desperately insecure internet-of-things/shit has slid into many homes. While the new home panopticon leaves many uneasy, it has only rarely entered the consciousness of defenders as a workplace threat.

Ok, most offices don’t have one of these but you get the point. Most offices don’t have masses of undocumented internet connected junk with microphones and cameras.

That should change right now. For the next while, masses of sensitive work business will be conducted in the vicinity of smart devices.

Defenders might find it useful to try and picture the internet of things the way nation states and other threat actors do: a massive new collection opportunity against their workforce.

Perhaps a memo-from-the-dept-of-silver-lining for this situation will be that the insecurity of these devices will finally attract some serious attention. Then again, probably not.

COVID-19 Will Give Hackers Wings

Investments in endpoint, network and cloud security raise the costs for potential attackers (in theory!). But when sensitive work business moves away from these devices and environments, the impact of that investment will be quickly degraded as IT staff and CISOs cannot monitor what happened.

The Defenders Will Be Blind

The personal devices and accounts pulling work duty will be largely un-administered and un-logged. On a given Thursday afternoon, IT staff is going to be busy helping everyone troubleshoot the 14th Zoom meeting of the week. In this environment, individual breaches are even less likely to be noticed.

The Blind Leading The Blind, Bruegel The Elder, 1568 (Also a plague year)

The predictable result of the new COVID-19 remote workplace will be like a shot of Red Bull for less skilled, less well resourced threat actors. Suddenly they will get wings!

At the extreme end, phishing and RATS will, for a while, probably do some of the work of much more sophisticated tactics.

Groups like the Syrian Electronic Army that, years ago, hit ceilings of technological sophistication that made it hard for them to effectively target companies and governments will undoubtedly give it another go, this time even more focused on personal devices and accounts. Meanwhile, the more sophisticated nation state operations have every incentive try harder, for more, and assume less attention will be paid to their operations.

We Are Not In *All* of This Together

The hugely ad-hoc insecure new workplace would be less terrifying if everyone were experiencing the COVID-19 pandemic at the same time, and in the same disruptive way. We aren’t. Each country and community is somewhere different on the timeline of the illness.

Some well known net exporters of sophisticated cyberattacks, like China, are busy trying to restart their economies, and no doubt looking at the interesting opportunities that COVID-19 presents for ticking items off their intelligence collection shopping lists. Other belligerents like Russia, while busy-denying-COVID-19-is-a-thing-domestically will almost certainly go after their usual list of geopolitical targets with renewed vigor.

Many juicy prizes are at their most organizationally vulnerable right now. Plenty of threat actors can’t wait to pick their digital pocket.

Many juicy prizes are at their most organizationally vulnerable right now. Plenty of threat actors can’t wait to pick their digital pocket. Meanwhile, the juiciest part of [insert your workplace here] is now vulnerable in new ways that none of us are completely familiar with.

Are Governments Immune?

Nope. They are among the juiciest of targets. 80 year old judges deliberating over billion dollar cases in sweatpants. Quarantined legislators in their home dens brainstorming with colleagues about China.

…governments have never been more within the reach of all the wrong people.

Militaries trying to do command-and-control over WhatsApp because having everyone in one bunker is a recipe for disaster. Even as they seek extensive new authorities over civilian populations, governments have never been more within the reach of all the wrong people.

Update: It did not take long

Yesterday [3/14/2 0] Reuters reporters Raphael Satter, Jack Stubbs and Chris Bing got a scoop: Exclusive: Elite hackers target WHO as coronavirus cyberattacks spike.

“I realized quite quickly that this was a live attack on the World Health Organization in the midst of a pandemic”

-Urbelis, via Reuters.

Alexander Urbelis, a mustachioed lawyer with the Blackstone Law Group had noticed domain registration activity mimicking the World Health Organization’s internal mail server beginning around March 13th. The reporters, tipped by the Urbelis, contacted the WHO, which confirmed the attack.

Exclusive: Elite hackers target WHO as coronavirus cyberattacks spike.

The report cited experts familiar with the matter who suggested APT group DarkHotel might be responsible, although others did not confirm.

Other cases of disruption-oriented attacks against governmental institutions include:

Not all COVID-19 related outages are attacks. While it was originally reported as an attack, the outage of the Australian government’s MyGov main web portal may have just been too much traffic.

While these reporters got one of the first stories like this, expect to read many, many more in the coming months.

Good luck!

--

--