Cyberattacks targeting hospitals, clinics, pharmacies and distributors of medical equipment soared in March worldwide as hackers took advantage of the strain that the coronavirus pandemic has put on the health sector.

According to Bitdefender, online attacks linked to COVID-19  rose by 475% in March 2020 compared with previous months. These numbers are expected to increase in coming weeks as the virus shows few signs of abating. Public authorities and healthcare institutions are among the top victims, demonstrating that cybersecurity should remain a top priority, especially during pandemics.  

An expanding attack surface during the COVID-19 outbreak 

A recent cyber-attack has targeted a hospital in the Czech Republic that is being used for tests against coronavirus, in an attempt to thwart efforts in fighting the pandemic. The mysterious attack forced the Brno University Hospital to shut down its entire IT network during the incident. The hospital postponed urgent surgical interventions and re-route new acute patients to a nearby hospital. Two of the hospital’s other branches, its Children’s and its Maternity Hospitals were also affected. Teams from the Czech National Cyber Security Centre (NCSC), the Czech Police (NCOZ) and hospital IT staff joined forces onsite to recover the hospital’s IT network.

Elsewhere, the Paris hospital authority, AP-HP has been the target of a recent cyber-attack according to the French cybersecurity agency. The target of the attack was to disable hospital services in Paris by overwhelming hospital computers. However, an ANSSI spokeswoman said there have been no other significant attacks related to COVID-19. 

Outside Europe, the U.S. Health and Human Service Department has also suffered a cyber-attack on its computer system, possibly linked to an incident aimed at undermining the response to the coronavirus pandemic. In Australia, the main internet site for online access to government services has been hit by a cyber-attack amid unprecedented demand from newly laid-off workers. 

Successful cyber-attacks can bring hospital activity to a halt by blocking the medical data of admitted patients by infecting computers with ransomware and then asking for money to regain access to the stolen data. Data like medical records are coded, making it impossible for medical staff to treat patients or perform surgeries. Hackers also sell patient data on the dark web for up to $400 per medical record. These records are usually purchased for fraud. 

Attempts to thwart progress on COVID-19 vaccine

And it’s not just hospitals at risk as hackers also target institutions supporting potential cures for the coronavirus. In the UK, a COVID-19 Vaccine Test Centre has been hit by a cyber-attack and stolen data published online. The medical facility is Hammersmith Medicines Research, which previously tested the Ebola vaccine and is now on standby to perform medical trials on any COVID-19 vaccine. It was hit by the ransomware Maze group, which had promised not to target medical organisations just days earlier. The test centre reports that the cyber-attack was spotted in progress, stopped and systems restored. Notwithstanding the swift reaction, the Maze group continues to extort medical organisations having managed to exfiltrate patient records, publishing some of them on the dark web and referring to Hammersmith Medicines Research as a “new client”. 

The move clearly contradicts the attackers’ statement to stop all activity versus any kind of medical organisation until the virus had reached a more stable situation. Financial gain clearly remains the main motive for criminal actors even in troubled times when more and more people rely on medical care and cures and despite the very vulnerable situation of medical organisations due to the coronavirus outbreak with seriously overstretched medical staff. 

Phishing: a prevailing ransomware attack during COVID-19

Ransomware attacks like this tend to follow a similar pattern to force the victim to pay up: naming the company attacked on the attacker’s website, publishing some of the stolen data as proof and then publishing more data, sometimes on a staggered basis to ramp up pressure. The last resort may be posting data to notorious cybercrime forums. 

Phishing is the second most prevailing attack vector for ransomware. As with all major global events, phishing scams are thriving in this period of doubt and fear with the continuous need for up-to-date information acting as a great breeding ground for this type of cyber abuse. Most campaigns lure people with the promise of important or breaking information on COVID-19, enticing them to click malicious links or open infected attachments. 

In the UK alone, coronavirus scams have so far cost victims over £800,000 (just over €900k) in just one month (February 2020). Malicious actors have been exploiting the notorious Emotet malware amidst growing death rates and reported cases. First detected in 2014, Emotet  is a banking trojan that spreads through malspam (spam emails) and tries to sneak into computers to steal sensitive and private information. Versions of this malware have evolved over time into a pervasive delivery platform to become one of the most prevalent threats of 2019. 

It’s a scam - the telltale signs 

The scale of the issue becomes clear when we start tracking phishing scams since early February, with some pointers on how it's done. 

On 5 February 2020, Sophos reported a global phishing scam exploiting the coronavirus, where the email carries the logo of WHO but contains the usual spelling and grammatical mistakes as indicators that the message is not what it seems. Upon submitting credentials to a fake WHO page, users are redirected to the real WHO site. A very basic attempt at stealing credentials, brimmed with red flags. 

On 25 February 2020, MailGuard reported a widespread email scam in Australia leveraging the coronavirus fear. The malicious emails are signed with “Dr Li Wei” and are titled “CORONA-VIRUS AFFECTED COMPANY STAFF.” The sender of the emails is from a freshly registered domain, likely created for the sole purpose of the scam. The message urges victims to open the attached file which allegedly would contain pictures, countries, names, and companies of COVID-19 infected people as of 22 February 2020. Once again, the trained eye can spot several grammatical mistakes as clues of its malicious nature. 

On 5 March 2020, Checkpoint announced that over 4,000 coronavirus-related domains had been registered since the beginning of 2020, with 3% being malicious and 5% perceived as malicious. People creating these domain names use a technique called typosquatting, that is, misspelling versions of legitimate domain names or using popular keywords like ‘corona’ or ‘covid’. Coronavirus-related domains have a 50% likelihood of being malicious compared with other domain registrations in the same period. 

Key Findings from PANACEA Research

PANACEA Research has found that medical staff often look for security workarounds as treating patients is their number one priority in highly time-pressured environments. However, these incidents are a stark reminder that IT and medical staff all need to be extra vigilant as cyber-attack risks increase as hackers take advantage of highly volatile circumstances. 

PANACEA Research has also reported that hackers usually trick staff at healthcare organisations into believing they are a trusted source before going on to infect computers, in this case by sharing information about medical procedures and therapies to treat COVID-19 infections. Not surprisingly, the World Health Organisation (WHO) is one of the names being used by hackers in an attempt to entice people into the hacker's den.

Authors: Stephanie Parker and Cristina Mancarella, Trust-IT

Sources

PANACEA Research documents (forthcoming)

PANACEA Research Webinar with cyberwatching.eu: Cyber Security for Healthcare: Human and Legal Perspectives