Hackers Exploit the Pandemic

Nov 10, 2020

4 min

Siobhan Gorman

Criminals are opportunists, and the COVID-19 global onslaught has brought with it not just health threats but cybersecurity risks, too.

Within weeks of the COVID-19 outbreak, hackers have already commandeered the virus to unleash cyberattacks, sending emails purporting to provide coronavirus guidance laced with cyberattack software. In one more alarming case, they appear to have attacked a hospital and forced it to cancel operations and take key systems offline.

As the outbreak continues to intensify, the UK National Cyber Security Centre (NCSC) warned that the volume of these attacks will likely increase, pointing to the increased registration of coronavirus-related webpages.

Criminals are opportunists, and the COVID-19 global onslaught has brought with it not just health threats but cybersecurity risks, too. As companies move to protect the health of their workforce, it’s also important to protect the systems they’re using to run their businesses.

It’s especially important for hospitals to shore-up their cyber defenses. If they don’t, just as they are racing to respond to COVID-19, they could face situations like University Hospital Brno in the Czech Republic, which earlier this month was forced to divert patients and cancel planned operations while it worked to address an attack.

The most likely cyber threats are email “phishing” campaigns that use the coronavirus as a lure to get the recipient to open an attachment that contains malware. According to the NCSC, such “phishing” attempts are happening on a global scale in multiple countries, which has led to both a theft of money and sensitive data.

Similarly, known hacker groups have been launching websites purporting to sell masks or other safety-related measures for coronavirus, possibly to use them as another vector for cyberattacks.

The NCSC has also cautioned that these attacks are “versatile and can be conducted through various media, adapted to different sectors and monetized via multiple means, including ransomware, credential theft, bitcoin or fraud.”

The cybersecurity firm ProofPoint has seen a rise in these cyberattack emails with COVID-19 themes since January. Both ProofPoint and IBM’s X-Force cybersecurity unit identified a campaign that targeted users in Japan with an email masquerading as a coronavirus information email that carries with it a potent type of cybercrime software.

In the US, the Secret Service recently warned of scams from online criminals posing as sellers of high-demand medical supplies to prevent coronavirus. They’ll require payment upfront and not send the products.

Cyber criminals have also been posing as the World Health Organization and the US Centers for Disease Control and Prevention (CDC), sending fraudulent emails from the former and “creating domain names similar to the CDC’s web address to request passwords and even bitcoin donations to fund a vaccine” for the latter.

In addition to the use of the coronavirus as a cyberattack vector, the growing need for working remotely to mitigate the spread of COVID-19 has increased companies’ exposure to cyber threats. The increase in remote work creates more opportunities for hackers to make inroads from less secure locations.

Companies should also ensure they can provide adequate security when their whole workforce is remote. They should quickly work through the security implications of workers choosing to switch to insecure personal devices. With national-level pressures on home broadband, staff will also resort to mobile hotspots, which are often less secure. And enabling remote connectivity at scale, with the right security configurations, can be a challenge even with months of preparation time.

A recent US Department of Homeland Security COVID-19 cybersecurity notice pointed to the importance of making sure that security measures are up to date for companies’ remote access systems. Additional measures to consider include enabling multifactor authentication—which can require two or more steps to verify a user’s identity before granting access to corporate networks. The NCSC is also working to identify malicious sites responsible for phishing and cyberattack software.

A final looming cyberthreat related to Covid-19 is disinformation. The World Health Organization and other agencies have for months been combatting disinformation campaigns spreading false information about the origins of and treatments for COVID-19—reports that seed more confusion and increase risks to society.

All of that means that computer virus risks are emerging as the biological virus spreads—and both are a threat to business. Cyber risk mitigation efforts should account for the different ways that a company can be affected, including impacts on the technical, operational, legal and reputational aspects of a business. Often, the reputational effects of a cyberattack are more significant than direct the business or technical impact.

To mitigate all of the potential impacts of cyberattacks taking advantage of the Covid-19 outbreak, companies should:

  • Review and update crisis and cybersecurity response plans, and ensure internal and external communications response plans are robust.
  • Confirm that members of the crisis management team understand their roles and responsibilities.
  • Make sure all communications channels have the latest security patches.
  • Review and update access controls, particularly when remote access is used heavily, to make sure that only those who require access to sensitive systems to do their jobs have it.
  • Take extra care when handling medical information. For companies managing employees who have contracted Covid-19, it’s important that personal health information is handled with strong security measures, including encryption.
  • Educate employees about the cyber risks that may attempt to capitalize on fear of the Covid-19 virus—whether it be phishing email or disinformation.

Covid-19 poses a number of short- and long-term challenges to business resilience, and the virus’s trajectory is quick and unpredictable. But it’s possible to anticipate and mitigate a number of the cyber threats that will try to ride the virus’s coattails. The companies that do will be more resilient and better positioned to withstand the direct health and operational effects of the virus.

Connect with:
Siobhan Gorman

Siobhan Gorman

Partner, Washington, D.C.

Siobhan Gorman concentrates on crisis, cybersecurity, public affairs, and media relations.

Cyber SecurityCyberattacksNational SecurityLitigationMedia Relations

You might also like...

Check out some other posts from Brunswick Group

2 min

Cybersecurity introduction

This is a business imperative, not a tech issue, says Brunswick’s Cybersecurity and Privacy team Cyber threats are generating some scary statistics: $400 billion a year in losses from attacks, with some larger businesses experiencing more than 12,000 attacks each year. But there is also good news. Companies are recognizing that cybersecurity is not a technology concern but rather a critical business issue and one they are preparing to deal with. To address the significant business and reputational risks involved, companies are using a cross-functional, top-to-bottom approach, one that treats cybersecurity as a business imperative. Many companies are beginning to strengthen their “human firewall,” creating a business culture where every employee sees cybersecurity as their responsibility. People, not software, are often the weakest link in a security system and that is a problem no software patch will solve. Regulation is growing increasingly complex and governments’ expectations differ from those of companies and consumers. The rules are murky and lag far behind the technology – and the threat. To deal with competing and at times conflicting requirements, some companies are moving beyond the minimum demanded of them, and aiming for a higher standard. To be effective, a company’s cybersecurity program needs to weave these threads into its underlying business plan. Cybersecurity is more than just a strong defense, more than compliance. It must be a part of corporate culture. It represents an opportunity to differentiate yourself from your competitors, increase the efficiency of your operations and earn a greater level of trust from customers, shareholders and the community.

9 min

U.S.-Iran Crisis: Outlook and Implications

Executive Summary: The immediate crisis following the death of Iranian general Qassem Soleimani in a U.S. airstrike and Iran’s retaliatory missile strikes against two U.S. airbases appears to have settled down. However, the conditions for a future flare-up remain in place because the underlying conditions have not changed. Going forward, each side is likely to double down on its stated strategic objective, with Iran pushing for an end to U.S. presence in the region and the U.S. pushing for an end to the Iranian nuclear program. Further, the norms that had previously prevented an open exchange of fire between the two sides have been eroded. Why It Matters: The events of January 3rd and 8th represent the first time since the skirmishes of the “Tanker Wars” of 1987-88 that the military forces of the United States and Iran have directly and openly exchanged fire with each other. For the last three decades, the contest between the two states has been a shadow war of proxy conflicts, plausible deniability, and non-military measures. The American decision to strike Soleimani and the Iranian decision to fire missiles in response removed many of the guardrails that have set limits on previous escalations of tensions. The Iranian decision to renounce cooperation with the 2015 nuclear agreement places back into contention an issue that had previously brought the U.S. and Israel to the point of war with Iran in 2012-13. Business Impact: Markets have been largely taking a wait-and-see approach in order to determine the form of Iranian response to Soleimani’s death, and they responded with relief when President Trump signaled that the U.S. would not retaliate. To an extent, uncertainty in the Middle East had already been priced into the markets due to tensions in the second half of 2019. A significant or prolonged conflict would have an obvious negative impact on energy markets and regional economies. In addition, American and Western companies operating internationally or their employees could suffer collateral damage from any future Iranian proxy attacks against visible symbols of U.S. presence overseas. Looking Forward: In the immediate term, the resolution of the crisis represented one of the best possible outcomes: Iran has publicly signaled that the missile launches conducted on January 8th constituted the extent of their military retaliation to Soleimani’s death and President Trump’s White House address acknowledged Iran’s desire to de-escalate and spoke of finding mutually beneficial outcomes with no further mention of military action. Going forward, both Iran and the United States are likely to double down on their desired strategic outcomes. Iran will seek to use all of the levers of its influence to drive the United States from the region, beginning with Iraq but also including indirect pressure on the Gulf states that host U.S. forces. Offensive cyber operations and deniable proxy attacks against civilian infrastructure in the Gulf could be part of that campaign, returning to tactics observed in the past. For its part, the United States will continue its maximum pressure campaign over the Iranian nuclear program, with President Trump promising additional economic sanctions even as he stepped back from military action. Therefore, although both sides appear to be committed to non-military means, the points of tension that caused the most recent crisis are all still present and have arguably increased based on Iran’s increased non-compliance with JCPOA. It remains to be seen whether coming close to the brink of open conflict will have changed the risk tolerance of either side or whether the first acknowledged exchange of fires between the U.S. and Iran for 32 years will usher in a new period of low-level conflict. The View from Tehran: Iran has played Soleimani’s death for maximum strategic benefit. The messaging of the past 96 hours was aimed at various audiences within the country, the region, and around the world. Having been caught on the backfoot by the U.S.’s strike on Soleimani, the Supreme Leader allowed the IRGC to retaliate against U.S. forces in Iraq in a calibrated manner, likely calculating that a strike with limited casualties would satisfy demands for vengeance while not prompting a response. Khamenei’s Decision: Ayatollah Khamenei is an inherently conservative figure and one who is above all else motivated by the priority of regime survival. Given their long-standing personal relationship, there is ample reason to believe that his displays of emotion of Soleimani’s death, including weeping over his coffin during the funeral on January 6th, were genuine and heart-felt. However, his expressed desire for revenge has been tempered by the overarching imperative to avoid a conflict that would have threatened the regime’s hold on power, either from within or without. Rally Around the Flag: Within Iran, the regime is seeking to use Soleimani’s death and their subsequent retaliation to build national unity following a period of significant domestic unrest. This has been emphasized by the extended period of mourning for Soleimani, days-long funeral spectacle, and the invocation of religious and cultural symbols associated with Shi’a martyrs. The death of Soleimani comes on the heels of a series of mass protests in Iran that originally began on November 15th in response to proposed increase in the price of gas, but which have since expanded to a wider challenge to the regime. Media reporting from late December suggested as many as 1,500 Iranian civilians have been killed as part of a regime crackdown on the protests, which have been characterized as the most serious challenge to the regime since the Green Movement of 2009. JCPOA as a Wedge Between U.S. and Europe: Iran announced on January 5th that it would cease compliance with the remaining provisions of the 2015 Joint Comprehensive Plan of Action but would be willing to return to compliance if sanctions are removed. The nuance in Iran’s position highlights the fact that it is continuing to attempt to use the nuclear issue to drive a wedge between European signatories to the agreement and the United States, which unilaterally walked away from the treaty in May 2018. Regime Dynamics: Soleimani was a high-profile figure within Iran, but his outsized influence on Iranian foreign policy also created friction with other stakeholders in the regime, including leaders of the conventional military forces, the ministry of foreign affairs, and the intelligence services. He was one of few genuinely strategic thinkers in the Iranian national security apparatus and the one with the most extensive and deepest connections within the Arab-speaking world. His replacement as commander of the Quds Force is his long-time deputy who will be familiar with the day-to-day operations of the IRGC’s external operations arm but will not have the stature or the network of Soleimani. As a result, other stakeholders may jockey to move into the vacuum created by his death. The View from Washington: The present challenge for the U.S. is how to maintain both a deterrent posture and establishing the means to avoid further escalation. The policy on Iraq going forward will have to balance President Trump’s desire to disengage from the conflict while not creating the appearance of having been pushed out by Iran. Escalate to Deter: President Trump’s decision to kill Soleimani reflected an “escalate to deter” strategy, using a sudden and unexpected escalation of force during a crisis in order to reestablish deterrence after previous provocations in 2019 had gone largely unanswered. However, deterrence is only as good as the last demonstration of a willingness to respond. The decision to not respond to Iran’s retaliatory missile strikes reflected a pragmatic decision to de-escalate. National Security Decision-Making: Nearly three years into his presidency, Donald Trump feels increasingly confident making national security decisions based on his own instincts. The original coterie of experienced national security establishment members such as Jim Mattis and H.R. McMaster who had populated the Situation Room during the early days of the administration have largely resigned or been fired and replaced with individuals of lower profile and/or proven loyalty. Although the mechanisms of the formal interagency process continue to function, President Trump increasingly makes decisions based on a network of informal advisors and media sources. Domestic U.S. Considerations: The decision to launch the strike on Soleimani came during a period of high political tension in Washington, as it had been expected this month that the U.S. Senate would begin a trial in response to articles of impeachment passed by the House of Representatives in December. The Soleimani strike is being taken up by both Trump’s supporters and opponents as evidence of either his credentials as a decisive commander-in-chief or his unsuitability for office, depending on their perspective. Congress has proposed votes to limit President Trump’s independent authority to initiate hostilities with Iran, but this is unlikely to gain traction in the Senate. Separately, the first voting in the Democratic primary is less than one month away, and a sudden shift in focus to national security issues could have results that are difficult to predict, either boosting those with national security credentials (such as former vice president Joe Biden and military veteran Pete Buttigieg), or rallying support among primary voters for anti-war (such as Bernie Sanders). Third-Party Perspectives and Responses: Iraq: The strike at Baghdad International Airport that killed Soleimani also killed the deputy commander of Iraq’s Popular Mobilization Front, a coalition of militias that forms a part of Iraq’s official security apparatus. Iraq’s new Prime Minister Adel Abdul Mahdi has condemned the attack as a “massive breach of sovereignty” and an “aggression on Iraq”. Iraq’s parliament passed a draft law on January 5th calling for the removal of all foreign troops from Iraqi soil, but the law was non-binding and the session had been boycotted by most of the Sunni and Kurdish members of the legislature. Iranian presence has also been the recent target of Iraqi ire, such as in November when a crowd of Iraqis burned down the Iranian consulate in the Shi’a holy city of Najaf, and the Iraqi government will likely try to play both sides against each other to maximize its leverage for military and financial support. Withdrawal from Iraq would mean that the remaining American forces in Syria could no longer be supplied or supported through the western desert of Iraq and would therefore also have to be withdrawn. Iran will likely seek to use all its considerable levers of influence in Iraq to convince the government to see through the expulsion of American forces. The United States leaving Iraq and Syria due to Soleimani’s death would be a fitting legacy from the Iranian perspective and a perverse one from the American perspective given that Soleimani was responsible for the deaths of hundreds of American servicemembers in Iraq (and thousands of Iraqi civilians) through his support for Shi’a militias in the mid-to-late 2000s. Europe: Statements from European capitals emphasized the need for restraint and de-escalation. French President Macron is likely to view this event as further justification for his proposals that the EU develop a defense and security apparatus independent of NATO in order to avoid being entangled by potentially reckless American actions. Iran will likely continue to use this event as an opportunity to drive a wedge between the U.S. and Europe on the nuclear program and other issues, and their chosen retaliation was likely calibrated at least in part to allow them to continue positioning themselves as a responsible actor. For his part, Trump is urging the European signatories to join him in walking away from the JCPOA in order to increase Iran’s international isolation. United Kingdom: The British government has tried to tread a fine line in its responses to the strike, with Prime Minister Johnson calling for de-escalation while also stating that he “will not lament” the fact that Soleimani is dead. The U.K. is likely trying to balance its desire to remain aligned with France and Germany in trying to keep the JCPOA together with its traditional close alliance with the United States and Johnson’s personal relationship with President Trump. Russia: Unsurprisingly, Russian President Vladimir Putin condemned the American strike, which removed a valuable interlocutor for Russian forces in Syria. Russian troops and Iranian-backed militias in Syria had periodically found themselves with diverging interests in their campaign to support the Assad regime, and Soleimani performed a critical function in directing the activities of those militias to ensure that both Russia and Iran achieved their strategic objectives in Syria. A potential American withdrawal from Iraq and Syria would advance Russia’s interest in establishing itself as the indispensable foreign power in resolving the crisis in Syria and within the region more broadly. China: In line with their long-standing principle of non-intervention and their own interest, China condemned the strike, but the response was muted overall. Chinese interests are primarily economic and tied to ensuring a steady supply of petroleum. One of China’s newest and most capable naval destroyers recently participated in trilateral naval exercises with Iran and Russia in the Gulf of Oman. Although such exercises primarily serve a strategic messaging and diplomatic function, they do signal an emerging alignment of interests between the three states that would be significant for the response to any future crises.

4 min

Governing for Resilience

COVID-19 has raised the stakes for boards, argues Brunswick’s Paddy McGuinness, former UK Deputy National Security Adviser. We now live with COVID-19. Fewer business leaders are making the mistake of talking about “post-COVID” or “when this is over.” The better of them have factored in COVID-19 related constraints to their medium-term plans and are even thinking about how the world may change in the long-term. They are building capacity to take advantage of an early recovery within months, yet they are modeling and encouraging grit for current and indeed harder conditions to last much longer. In the past, when health emergencies—say the Spanish Flu pandemic of a century ago—subsided, there was a greater return to economic normality than had been expected during the crisis. Extreme events often heighten or even distort our perception of wider risks. That old journalistic cliché “one thing is certain, nothing will be the same again” is rarely true. But the pandemic has created the expectation that businesses will be resilient—that they will be able to respond to an event and recover to the state prior to the event, incorporating the lessons learned into business practice. Many business leaders feel they have not done too badly responding to a once-in-a-hundred-years event. Business Continuity Plans (BCPs), which were understandably sketchy for pandemics, were pulled out of second-line risk management and owned and improved in real-time by executive committees. The transition to remote working and, at least in Asia and some of Europe, the gradual return to offices again, has been managed. Services and even vital production have been maintained. Leaders have absorbed the personal and collective strain of this. Good reason then for some satisfaction as they delegate certain COVID-19 responses and focus on the economic tsunami that follows the pandemic. The public seems to largely agree with business leaders’ assessments. While many national and scientific leaders find themselves beset by “blamestorming,” corporate executives have been given more slack. They weren’t expected to have foreseen a pandemic. Their sometimes scrabbling responses are understood. However, behind this lucky pass lurks an expectation that businesses will now be more prepared for crises and foreseeable risks. Resilience cannot be relegated to BCPs and traditional risk-management structures. It is categorically a board issue—regulators, lawyers, politicians and the public say so. The reputations of individual board members and the collective are at stake. Think how fast leaders have been expected to respond to the issues raised by the Black Lives Matter movement. Alacrity will be required. The speed and scale of decisions in response to the pandemic leaves board committees playing catch up to assure themselves that risks have been managed. The move to working from home has been rapid, so too the digitization of the business. Some see these as new, streamlined ways of working, yet the negative consequences are not yet fully apparent. Working from home, for instance, is attractive to some employees as well as chief financial officers, who may relish the chance to reduce fixed costs. Concerns about the impact on the coherence of the business’s culture, its productivity and innovation, the security of data held at home, hardships for those in difficult home conditions, and, indeed, the needs of the younger demographic who seem to favor a return to the office, need to be given due consideration. It may be a case of “decide in haste, repent at leisure.” Resilience is categorically a board issue—regulators, lawyers, politicians and the public say so. The reputations of individual board members and the collective are at stake. Boards also need assurance that the business has regained its balance and can manage parallel or interrelated crises. In recent weeks we have been helping several clients respond to major cyber events unrelated to the COVID-19 outbreak. They have probably needed more external support than otherwise because their leadership capacity was inevitably denuded by pandemic response. And they have benefitted from us already knowing each other and having experience of how to work together in crisis. After the Great Financial Crash there was a heavy focus on balance-sheet resilience and having the requisite finance skills on boards. Business leaders are now beset by advice on the heightened obligation to be resilient in much a broader sense of the word. Regulators, lawyers and risk consultants are sharing checklists of factors for executive committees to take into account when managing risks and for boards to oversee. The challenge here is defining what changes your specific business needs and how to actually bring those about. Shareholders will be expecting a judicious move away from “just in time” systems to ones that can endure foreseeable risks. This isn’t just about potential legal liability or reputational risk. This is about setting your business culture for success. Undermanage risks and the business is wide open to damage from foreseeable shocks with all the loss of confidence and capability that follows. Overmanage and the business losses its competitive edge just when there is opportunity in the recovery. In order to track broader resilience, boards and their committees will need access to a wider set of skills and insight. Board membership emerges as an obvious area of focus. Yet each board will take more time and belonging to too many—“over boarding”—may well be unacceptable. Risk methodology and information flows will also have to be reviewed, alongside how to strengthen board members’ awareness and skills. Before the pandemic, chairs and CEOs were already wrestling with this for their difficult-to-price risks, such as data, technology risks and cyber. Individual experts on boards created siloed responsibility for what should have been a shared risk. A focus on process and method often led to a focus on the management, rather than genuine oversight of, risks. External advice didn’t always help (as we have learned from the plethora of competing advice around COVID-19). No single intervention will meet the new standard for resilience. Nor will simple prescription. A broader and more articulated approach is required if governance is to maintain stakeholder confidence and corporate reputation.

View all posts