Organizations — and individuals — must be vigilant and cautious given high-profile hacks: lawyer
On July 15, Twitter accounts of several high-profile individuals — including Joe Biden, Barack Obama and Elon Musk — were hacked in a bitcoin scam, resulting in nearly $120,000 being transferred in bitcoin following fake tweets posted to the verified users’ accounts.
The next day, Canada’s Communications Security Establishment, in conjunction with intelligence agencies in the United Kingdom and United States, announced that a Russian hacker group had been actively perpetrating cyberattacks, seeking COVID-19-related vaccine research in all three countries.
Both events are indications of the increase in cyberattacks — and the need for increased cybersecurity — in the wake of COVID-19, says Alexis Kerr, counsel in Norton Rose Fulbright Canada LLP’s Vancouver office whose practice includes data protection, privacy and cybersecurity.
“At the end of the day, cyberattacks are a crime of opportunity, and [COVID-19] presents a new opportunity to exploit people’s vulnerability,” says Kerr.
A remote workforce has enhanced and highlighted areas of risk.
“Back in March, … there was a very rapid transition from a more traditional work environment to employees working from home,” she notes. “Not all organizations were set up to do that, and we saw a rapid evolution of cloud solutions and virtual networks. … The rapid expansion was in many cases not done with due diligence necessary for such an implementation, which left vulnerabilities … that could then be exploited.”
Computers containing confidential information were brought home, perhaps without the appropriate security patches and more, leaving them more vulnerable to attack.
“Another example would be the various workarounds that individual employees have come up with to download apps. We all started using videoconferencing packages … With Zoom, there was a huge, rapid adoption by many businesses, and then the well-publicized security issues.”
Zoom was quick to address those problems, but they highlighted that due diligence wasn’t there initially, she adds. “There wasn’t the ‘look before you leap.’”
Kerr expects the increase in cyberattacks to continue as long as COVID-19 continues, and for threat actors to infiltrate systems “particularly where there is huge value to encrypt information, of profit, or treatment for vaccines; there’s huge value to the confidential information that many organizations are generating right now. Because most of these attacks tend to be financially motivated, they will go where the value is.”
One kind of attack plays on people’s fear and need for information on COVID-19. Users are encouraged to click on links to fraudulent websites that have fake notices, ostensibly from the government regarding the Canada Emergency Response Benefit, for which a user needs to provide personal information. Other websites offer fake protective equipment, or mimic the sites of the World Health Organization or the Centers for Disease Control and Prevention. The CSE and the Canadian Security Intelligence Service provided a recent bulletin on one in particular, says Kerr: a phishing email impersonating Canada’s chief medical officer, Dr. Theresa Tam, purporting to provide important COVID-19 updates.
“As soon as the attachment is opened, it enables delivery of malicious software or malware payload,” she says.
Although there is nothing new about these attacks, COVID-19 is an opportunity to perpetrate them in a different way while appealing to the same things in human nature that they always have, says Kerr: greed or fear.
“The sophistication of attacks is increasing, and they’re becoming harder to detect.”
Kerr advises following best practices, including implementing software patches in a timely manner. In 2017, she points out, the WannaCry malicious software shut down 200,000 computers around the world and cost billions of dollars in damages, because organizations hadn’t installed a Microsoft patch that had been available for a while.
“Ensuring patch management on a regular basis is critical,” she says. “Similarly, ensuring that you’re updating anti-virus and anti-malware software daily is also critical. These things are changing sometimes on an hourly basis. Your anti-virus and anti-malware solutions are only as good as they are up-to-date in keeping up with the different permutations that threat actors use.”
Employee training in security is also essential; “your employees are both your weakest link and one of your best defences, and therefore training them to recognize and react appropriately when these threat actor messages do come across their devices is critical,” says Kerr.
“You need to train and test [them] repeatedly. When you test and you fall victim, you do need to follow up; one click by one employee can set off a chain of events that can essentially take you out of business.”