During the ongoing COVID-19 pandemic—in addition to the health scares and the rapid economic downturn—another hazard lurks: cyberattack. Cyber attackers are known to take advantage of unstable situations to gain access to IT systems. The motive is often financial—to obtain valuable information to sell or to take control of systems for ransom. Other objectives include performing political or industrial espionage, or destabilizing markets.
Cybersecurity may seem like a minor concern in the time of a global pandemic that is sickening and killing so many and causing economic hardship. Things may be bad, but a cyber attack would only make them worse.
Two IT-related situations, in particular, can create increased vulnerability to cyber attacks on businesses and other institutions during this crisis.
The sudden, huge increase in the number of employees working at home is stretching companies’ IT departments beyond their capability to ensure the safety of data and connections. Needed software updates, firewalls and other safeguards may not be installed or activated in a timely way, and secure connections may not be available from people’s homes, leaving systems open to intrusion.
In addition, fear and uncertainty about the pandemic can make people more susceptible to social engineering attacks, which account for the majority of cyberattacks, according to the World Economic Forum.
“In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems,” according to a security tip from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). This may involve the attacker posing as a non-threatening person, such as a repair tech or a new employee, in order to establish the victim’s trust. The contact may be by phone, text or email.
During the pandemic, CISA communications say, cyber attackers could exploit people’s fears and concerns by launching phishing (email) schemes that appear to come from medical, charitable or governmental organizations. Phishing attacks usually employ a combination of manipulative emails and fake websites to induce victims to give out passwords, personal information or other sensitive data. Once a cyber attacker has an employee’s login information, the attacker can enter the company’s network and any of its systems, such as cloud backups and industrial controls. Other email attacks include attachments that unleash malware when opened or clickable links to dangerous websites.
A tough part of all this is that the increased cyber danger won’t go away after the pandemic dissipates and everyone goes back to the office. System breaches may not be noticed when they happen. The intruders who gain access to an organization’s network can take months to prepare and execute an attack. During this time, undetected, the attackers might search for and steal data, bank account numbers, trade secrets and other information, or they may put in place code needed for an overt attack later on.
ANATOMY OF A CYBER ATTACK
Learning about a real cyber attack can make the statistics and warnings more meaningful. Here is an example of an attack that happened a couple of months before the pandemic emerged. This attack was not pandemic related, but it shows the months-long timeline from breach to attack, as well as some of the challenges encountered by the targeted company in its recovery.
In a recent webinar, Michael Beerman, CEO of Pilz Automation Safety, L.P., presented the story of the ransomware attack his company experienced in October 2019. The company is headquartered in Germany and has subsidiaries in the U.S. (where Beerman works) and more than 40 other countries.
A ransomware attack locks and encrypts a victim’s data, then demands a ransom be paid in order to restore access.
On Sunday, October 13, the company found its data blocked. The home office in Germany received a demand to pay a ransom to get the data back. The company decided not to pay the ransom, on principle, as that would fund future attacks.
The initial response was to shut down all computers and IT infrastructure throughout the company, bringing work to a halt. After that came a long and challenging effort to recover the lost data, including customer information, quotes, invoices, presentations and everything else. The information came from paper copies, customers’ records and many other sources. Though the company had backups, some were unusable, as they had been compromised in the attack, too. However, through a lot of hard work, deliveries resumed a week after the attack and production at all the manufacturing facilities was back up between the end of October and the end of November.
Early in the recovery, a forensics team determined that the initial breach had happened sometime in May. The “infection” arrived in the form of emails, sent randomly, which included malicious links or attachments. When anyone clicked on them, they unleashed malware into the company’s IT systems.
“We essentially let our attackers in,” Beerman said. “Once in, they spied on us” and spent the following months learning the company’s IT structure. “This learning allowed them to write specific code to lock down our data so securely it would be impossible for us to ever unlock unless we paid them to unlock it for us.” During all that time, May until October, the intrusion had gone undetected.
Recovery from such an attack takes over 300 days, on average, Beerman said, and, while the company had mostly returned to normal as of the April 2 webinar, he said they still had a ways to go. Having to deal with the COVID-19 pandemic so soon is tough, he said. At least the company’s IT is newly restructured and probably the safer for it.
CYBERSECURITY FOR TODAY
All the usual cybersecurity recommendations still apply during this pandemic. CISA offers reminders of the guidelines for keeping systems safe during the crisis, including these:
- Make sure all computers have properly configured firewalls and anti-malware and intrusion prevention software.
- Secure systems that enable remote access and ensure that virtual private networks are updated.
- Implement multi-factor authentication for users.
- Remind staff not to click on links in unexpected emails and not to open unsolicited attachments.
- Increase system monitoring to detect any abnormal activity.
- Revise incident response plans to take account of remote workers.
- Update business continuity plans as needed.
Continued vigilance for cyber safety may not be the most important thing right now, but it can be part of the overall recovery from the pandemic. If it is possible to avert cyber attacks now and when the world is healing from the pandemic crisis and its fallout, that little bit of prevention can only help.