COVID-19 Spearphishing Scams: Business as Usual for Cybersecurity Professionals

This week, IBM published a report confirming that cyber attacks are targeting executives at organizations and companies with a role in the impending COVID-19 vaccine distribution. Energy and manufacturing companies, as well as web and software development firms, were all found to have been targeted. The targets extend beyond United States borders and potentially include organizations in Germany, Italy, South Korea, the Czech Republic, and Europe as a whole.

What new and innovative method is being used? None. That’s right. The attack vectors are the same tried-and-true ones: spearphishing emails. Targeted executives have received emails luring them into clicking on bogus links and entering network credentials. When successful, attackers then use the stolen credentials to gain further access into the organization’s network. In this specific case, the immediate objective appears to be disruption of the coronavirus vaccine supply chain. To what end? Some believe it may be to sow distrust in pandemic response efforts, but the more likely possibility is that disrupting one company’s supply chain creates an opportunity for other companies to earn higher profits from vaccines developed in their own country.

The good news is also the bad news. Targeted organizations simply need to review their current cybersecurity posture and ensure Continuous Monitoring tools and processes are in place. Where things take a bad turn is if the organizations didn’t have a real cybersecurity posture in the first place. Just as with any spearphishing attack – or any other cyber attack vector, for that matter – user education is key. Network users from the executive level all the way down to the mailroom need to be shown “what right looks like”. They need regular and recurring training on spotting suspicious emails, requests for action, and links. As has been said many times over, users are the first line of defense.

Beyond the user’s keyboard, it falls on the organization’s leadership to ensure IT and cybersecurity staff are empowered to do their jobs. This comes in two forms. First, staff must have the tools they need, such as firewalls, intrusion prevention systems (IPS), host-based security systems, and other network traffic monitoring and response tools. This equates to putting funding where it’s needed. It doesn’t matter how great the organization’s products or services are if the employees can’t get on the network or the customer can’t access the website.

The second aspect of empowerment comes in the form of IT and cybersecurity staff having the authority to do their jobs. If a computer isn’t compliant with the most recent operating system and application updates, it has to be quarantined until its vulnerabilities are remediated. If IPS administrators aren’t authorized to block newly identified suspicious traffic “on the fly”, or system admins aren’t allowed to immediately push out fixes for zero-day vulnerabilities, technical staff may as well be sent home.

In the end, the report published by IBM should come as no surprise. It only reminds us that whether the angle is COVID-19, presidential elections, or Social Security scams, the avenues of attack generally remain the same tried-and-true ones. For cybersecurity professionals, it’s simply business as usual. And as long as organizations recognize the importance of their IT departments and support them, it can stay business as usual on the front end as well.