The main cyber-threat trends during COVID-19 and how they will affect the UK going forward were discussed by Eleanor Fairford, head of incident management at the National Cyber Security Centre (NCSC), during the keynote session on day two of the Infosecurity Europe virtual conference.
Fairford began by describing the new opportunities that the COVID-19 pandemic has presented to cyber-criminals and nation-state actors. Cyber-criminals have been able to “make the most of people’s vulnerabilities during this period and the increased threat surface that was presented by everyone working from home.” And for hostile nation-states, the pandemic provided more chances to steal highly sensitive information from other governments to gain an advantage over them, such as vaccine development.
She outlined the three areas NCSC regard as the biggest cyber-attack trends of 2020: cyber and fraud during COVID-19, the SolarWinds supply chain attacks and the proliferating ransomware threat.
Cyber and Fraud During COVID-19
In terms of cyber and fraud, Fairford revealed that during 2020, the NCSC observed more online scams “than in the previous three years combined.” Unsurprisingly, many were related to the COVID-19 pandemic – prominent examples include fake celebrity endorsement scams, vaccine adverts and fake online shops purporting to sell medical equipment or even COVID-19 ‘cures’. She added: “These are the sorts of techniques that really preyed on people’s vulnerability.” This is because of the enormous toll the pandemic has had on areas like health and the economy, making people far more anxious than they would typically be, and therefore more liable to be tricked.
Fairford also highlighted new measures the NCSC has taken to mitigate these scams and protect individuals and businesses. These include updating its active cyber-defense tools and measures, “which are being rolled out as widely as possible to provide a baseline level of protection.”
According to Fairford, the NCSC has emphasized protecting the NHS, the vaccine supply chain, and research institutions in this period. This includes monitoring for attempts to harvest NHS credentials in order to spoof this institution via phishing. In total, the NCSC observed 122 phishing campaigns in 2020 that used NHS branding, making them appear genuine. This compared to just 36 in 2019.
Fairford outlined another key initiative introduced by the NCSC last year to tackle the threat of online scams. This is the Suspicious Email Reporting Service, “which enables members of the public to send into the NCSC emails they had received which looked like phishing emails.” This has proven highly successful so far, with over six million reports received as of May 31 2021, leading to the removal of more than 45,000 scams and 90,000 URLs.
Encouragingly, Fairford said the NCSC took down nearly 30,000 COVID-19-themed attack groups last year alone.
She then moved on to the SolarWinds attacks that took place at the end of 2020, which she described as “the key cyber-espionage act of the last decade.” This incident, believed to have been perpetrated by Russian state-backed actors, was particularly “unique and noteworthy,” according to Fairford. This was primarily due to the method the threat actors used to compromise SolarWinds, which subsequently enabled them to access the systems of up to 180,000 of its customers.
This was achieved by interfering with SolarWinds software updates, meaning that “as you routinely updated your SolarWinds package, you would install a tampered update, and that provided a backdoor into your network.” She therefore noted that all customers that followed guidance on patching and installing updates “were more likely to be a victim of this particular attack.”
Part of the novelty of this method was that services remained unaffected, allowing attackers to go through affected organizations’ systems unnoticed for a very long time. In its subsequent analysis of the incident, she added that the NCSC observed “high levels of operational security techniques” being employed by the attackers, including wiping all traces of their activity.
Fairford believes the attack may well have remained undetected had it not been for FireEye’s initial discovery in December 2020.
The Surge of Ransomware
Unlike SolarWinds, in which the perpetrators operated behind the scenes and caused no disruption to any services, ransomware attacks have been shown to have a huge impact on individuals and organizations, especially in the past year or so. Fairford commented: “It directly interrupts people’s access to workplaces, learning and key services so this really does create an impact on people’s lives.”
She outlined two major incidents on local authorities in the UK last year – Redcar & Cleveland and Hackney councils. Both led to severe consequences: in the Redcar case, online public services were unavailable to 135,000 local residents for over a week and total recovery costs exceeded £10m, while in the Hackney council case, sensitive personal data of staff and residents ended up being published on the dark web.
There has also been particularly heavy targeting of hospitals and other healthcare institutions since the start of COVID-19, including the recent attack on Ireland’s healthcare service. Fairford also cited a ransomware attack on a hospital in Germany last year, which potentially contributed to the death of a critically ill patient who had to be redirected to another hospital.
Finally, Fairford discussed the recent ransomware attack on the Colonial Pipeline company, which led to the US’ largest fuel pipeline being taken offline. This demonstrated the substantial threat that ransomware poses to countries’ critical national infrastructure. A ransom of $4.4m was paid to the attackers, but pleasingly, the majority of the money has reportedly been seized by the US Department of Justice.
Fairford also highlighted how ransomware groups are becoming increasingly professionalized in their approaches, with many even “behaving like a sophisticated business-type operation.” In one example she gave, a group even has its own list of FAQs, detailing how victims should behave in the event of an incident.
Fairford concluded by outlining how these trends are expected to impact UK cyberspace over the coming year. Firstly, she believes “the health sector will continue to be a priority target for nation state operations, particularly as research continues into variants and vaccines,” while disinformation campaigns related to the pandemic are likely to still be heavily utilized by malicious actors. Additionally, it is predicted that ransomware will continue to proliferate, including the growth of the double extortion tactic.
Another area she believes will grow is supply chain attacks, with SolarWinds demonstrating just how effective these can be at compromising a large number of organizations globally. Finally, Fairford said she expects to see extensive targeting of “UK companies that are really at the forefront of things like emerging technologies.”