COVID-19 Pandemic Creates Opportunity for Innovative Cyber Threat Campaigns

Executive Summary

  • As the COVID-19 pandemic shows little sign of wavering, commercial IT vulnerabilities that were created, exposed, or accentuated by the pandemic have also crystallized rather than subsided. 
  • The two most common exploitations companies can expect are phishing, often via emails related to COVID-19 that impersonate seemingly reputable senders, and ransomware, which is typically deployed only after attackers have taken several prior steps to enter a system.
  • Phishing exploits, a common method of entry for hackers to trick users and gain entry to a system, are taking advantage of public demand for information regarding the COVID-19 pandemic. 
  • Over the past month, Everstream Analytics has recorded cyberattacks on major manufacturers in the automotive, aerospace, and health & life sciences industries, among others. 
  • The Ekans/Snake ransomware, deployed against Honda Motor Company in June 2020 utilizes malware that seeks to disrupt the function of industrial control systems. It is a considerable escalation in the sophistication of industrial targeting by ransomware attackers. 
  • So long as the COVID-19 pandemic continues to drive high demand for remote work solutions, it is incumbent upon supply chain managers to understand the current commercial cybersecurity landscape, the ways cyber incidents manifest, and the novel intensity of the threat to supply chains. 
  • Supply chain managers can implement programs with suppliers that mitigate risk such as verifying data backups and implementing attack recovery plans to potentially outperform the competition if a cybersecurity crisis strikes. 

Introduction: The “new normal” in supply chain cybersecurity risk

As the COVID-19 pandemic shows little sign of wavering, commercial IT vulnerabilities that were created, exposed, or accentuated by new global health circumstances have also crystallized rather than subsided. Attacks on maritime and offshore energy enterprises have increased four-fold, compounding damage to businesses that were already confronting market shocks. This has spared no industry; even critical life sciences & healthcare facilities and institutions have found themselves the victims of attacks, despite pacts by some ransomware groups to spare them from targeting.

Concerns around IT vulnerability, previously theorized at the start of the pandemic, started to come to fruition upon the discovery of a phishing campaign targeting a consortium of industry leaders charged with procuring personal protective equipment (PPE) for Germany on June 8. This wasn’t the only form of cyber threat to businesses in a COVID-19 environment, however. The day before, Honda reported the Ekans/Snake ransomware at its corporate and production facilities on four continents. Around the same time, several other businesses reported ransomware attacks. While not tailored to COVID-19 specifically, many of these resulted in production disruptions that would have compounded pre-existing issues stemming from the pandemic. 

For as long as the COVID-19 pandemic continues, there will be a high demand for remote work solutions. These solutions often contain vulnerabilities that can imperil an entire organization by virtue of its breadth. Because of these twin risk factors, it is incumbent upon supply chain managers to understand the current commercial cybersecurity landscape and the novel intensity of the threat to supply chains. This Everstream Analytics special report will analyze the cyber threats of this most recent wave, the risks they pose to certain manufacturing sectors, and what options are available for supply chain managers to mitigate these threats.

How hackers leverage COVID-19 to disrupt supply chain operations 

The COVID-19 working environment has created new IT vulnerabilities and has accentuated known vulnerabilities for commercial enterprises. This section briefly details the two methods of exploitation most commonly employed to disrupt commercial IT networks during the COVID-19 pandemic. Once a commercial IT network has been compromised, hackers may be able to steal sensitive information in a data breach or shut down systems operations until a ransom is paid. One can expect exploitation of the pandemic in cyberspace to include, but not be limited to, phishing exploits with refined lures designed either to harvest information or to install malware, and the exploitation of vulnerabilities in minimally staffed and/or remote workplaces.

Phishing exploits

The most common method utilized by hackers to compromise IT networks is phishing. Phishing involves the impersonation of legitimate governmental, business, or personal entities in order to “fish” for a victim that will enable access to a network. This is often facilitated by tricking the victim into clicking a dubious link with malicious software (malware) embedded. Hackers often include information of public or personal interest to increase open and click rates. With the emergence of the COVID-19 pandemic, hackers have seized the opportunity to develop “phishing lures” designed to exploit strong public demand for updates on the constantly evolving global health situation, accentuating the risk of attack by this method. In an emerging trend illustrative of the ingenuity of these methods, hackers have been using seemingly legitimate email addresses whose username (the part preceding the “@”) contains a COVID-19-related term, in order to falsely convey authenticity. 

Separately, hackers may trick users into downloading malicious attachments, which can then be circulated unwittingly by legitimate actors (i.e. employees and managers). This method can be paired with a phishing email but may also be used in any other context where a user may download or access files. For example, the Emotet trojan, which has successfully compromised several German targets, utilized infrastructure such as Frankfurt municipal IT systems to distribute ransomware.[i] Moreover, hackers have impersonated popular COVID-19 webpages of legitimate entities as a means to extract personally identifiable information (PII), financial information (FI), or other credentials.

While phishing incidents do not initially disturb production activities to the extent of data breaches and ransomware, it is of the utmost importance to be mindful of the danger such campaigns pose. According to the Kill Chain model of cyber threat analysis, phishing campaigns are often the first step toward more sophisticated attacks. It is by means such as phishing that, if not properly mitigated, ransomware operators can gain access to the intimate details of a company’s corporate network. From there, they can gain access to sensitive supply chain information, including details pertaining to production facilities. Therefore, it is essential that supply chain managers, in conjunction with their IT and physical security teams, understand and apply mechanisms for threat mitigation.

Remote and office workstation security exploits

The rapid transition to remote, digital workstation solutions and the corresponding decrease in activity at office workstations have generated new vulnerabilities for commercial enterprises. In a physical sense, below-average volumes of workers on-site create new opportunities for security breaches. Absences from stationary workstations or server rooms, or even the open display of PII, FI, and credentials around an office, can create an untold number of opportunities for an intruder or unauthorized visitor to compromise business systems. Such opportunities can eliminate the need for phishing emails altogether. Alternatively, they allow hackers to better tailor phishing emails, making them more authentic and actionable by referencing accurate details under the guise of a believable party, in order to solicit information that can be used either to damage the company directly or to gain access to system information. These are called spear phishing lures.

In the digital space, new trends in workplace behavior and tool utilization have also led to innovative hacking techniques. Taking advantage of increased dependence on remote working solutions such as Zoom and Microsoft Teams, hackers have crafted impersonation URLs of the two virtual meeting solutions to trigger malware implantations. Two classes of vulnerability have been reported in these applications: UNC path injection, which launches unintended applications, and privilege escalation, which grants hackers permissions to alter systems. Together these imperil both solutions by allowing hackers to insert their malware anywhere they please on a target’s system. An additional risk comes from the collection of PII, FI, or credential information by home virtual assistants, owing to a fault in many common assistants in which voice recording fails to stop. If such a device were hacked, continued recording could provide a continuous source of critical information. Reports of a broader hack exploiting these vulnerabilities have not yet manifested. Nonetheless, a failure to address individual vulnerabilities can jeopardize broader supply chain networks. 
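The two lure patterns described above (a COVID-19 keyword in the sender's username on an untrusted domain, and a URL that names Zoom or Microsoft Teams but points at a domain those products do not own) can be triaged mechanically at the mail gateway or in a SOC playbook. The following Python script is an added example written for this report, not code from Everstream Analytics or from any vendor it names; the keyword list, trusted-domain list, brand-to-domain map and the three sample messages are constructed for illustration, and the registrable-domain helper is a deliberately crude approximation.

```python
"""Heuristic triage of COVID-19-themed phishing lures (added example, not the report's code).

Flags two patterns described in the report:
  1. sender addresses whose local part (text before the "@") carries a COVID-19
     keyword while the domain is not a known, trusted sender;
  2. URLs whose hostname names a collaboration product (Zoom, Microsoft Teams)
     but whose registrable domain is not owned by that product.
All lists and sample messages below are constructed for the example.
"""
import re
from urllib.parse import urlparse

# Constructed policy data; a real deployment would load these from configuration.
COVID_KEYWORDS = ("covid", "coronavirus", "pandemic", "ppe")
TRUSTED_SENDER_DOMAINS = {"who.int", "cdc.gov", "rki.de", "example-corp.com"}
# Brand name -> registrable domains that legitimately serve it (constructed, illustrative).
BRAND_DOMAINS = {
    "zoom": {"zoom.us", "zoom.com"},
    "teams": {"microsoft.com", "office.com", "live.com"},
    "microsoft": {"microsoft.com", "office.com", "live.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Adequate for the example; a real tool
    would use the Public Suffix List to handle ccSLDs such as .co.uk."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_sender(addr):
    """Return a reason string if the sender matches the COVID-keyword lure pattern, else None.
    Substring matching is intentionally loose (it will also hit e.g. 'shoppe'), so treat
    a hit as a triage signal, not a verdict."""
    local, _, domain = addr.lower().rpartition("@")
    if not local or not domain:
        return "malformed sender address"
    if any(k in local for k in COVID_KEYWORDS) and registrable_domain(domain) not in TRUSTED_SENDER_DOMAINS:
        return f"COVID-themed local part on untrusted domain {domain}"
    return None


def check_urls(body):
    """Return one reason per URL that names a brand but resolves to a non-brand domain."""
    reasons = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        reg = registrable_domain(host)
        for brand, owned in BRAND_DOMAINS.items():
            if brand in host.lower() and reg not in owned:
                reasons.append(f"'{brand}' in hostname {host} but domain {reg} is not brand-owned")
                break
    return reasons


def triage(message):
    """message: dict with 'from' and 'body'. Returns the list of reasons found;
    an empty list means neither lure pattern was observed."""
    reasons = []
    sender_reason = check_sender(message["from"])
    if sender_reason:
        reasons.append(sender_reason)
    reasons.extend(check_urls(message["body"]))
    return reasons


# Constructed sample messages; every address and URL here is invented.
SAMPLES = [
    {"from": "covid19-update@mailer-example.net",
     "body": "Latest guidance attached. Join the briefing: https://zoom-us.meeting-example.net/j/123"},
    {"from": "newsletter@who.int",
     "body": "Weekly situation report: https://www.who.int/emergencies"},
    {"from": "it-helpdesk@example-corp.com",
     "body": "Meeting moved to Teams: https://teams.microsoft.com/l/meetup-join/abc"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], "->", triage(m) or "clean")
```

Run on the samples, the first message is flagged twice (COVID-themed sender on an untrusted domain, plus a "zoom" hostname on a non-Zoom domain) while the WHO newsletter and the genuine Teams link pass. Both checks are deliberately allowlist-based: the brand map and trusted-sender set are the security-relevant inputs, so they belong in reviewed configuration rather than in code.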

Recent vulnerabilities in manufacturing sectors

Companies rarely disclose the specific vulnerability which enabled a breach to occur. Despite this, a series of notable hacking events have been recorded by Everstream Analytics over the past month. The following section details these examples.

Automotive: Honda ransomware

On June 7, automotive producer Honda Motor Company had its corporate and manufacturing operations disrupted by a ransomware program. The program, known as Ekans/Snake, blocks computer access and functions until an entity agrees to pay a ransom or successfully disarms the software. It utilizes malware that seeks to disrupt the function of industrial control systems. Owing to the attack, production was completely halted at facilities in Japan, the United States (Ohio), Turkey, India, and Brazil for at least 2 days, with individual countries gradually restoring production between June 9 and June 12. While the production halt was short-lived relative to other historical cases, the attack compounded pre-existing manufacturing complications with component supply continuity and occupational health-related production halts associated with the COVID-19 pandemic. Businesses already adversely impacted by the pandemic are at risk of further production disruption in the event of a similar incident. This was the largest attack on Honda since the multi-industry WannaCry ransomware attack in 2017. 

The appearance of the Ekans/Snake ransomware method shows how ransomware attackers are resorting to more sophisticated and targeted attacks. Of further concern is the malware’s use of nonpublic subdomains, indicating that the ransomware operator had substantial familiarity with the target system prior to execution. Forensic analysis of the malware shows reference to General Electric and Honeywell licenses, as well as targeting of IBM-related backups, meaning a deeper targeting of the components comprising the production supply chain of a company. Similar techniques were employed in the Ekans/Snake targeting of ENEL in Italy, the U.S., and Argentina (see Table 1).

Aerospace: ST Engineering ransomware

At 06:00 on June 8, ST Engineering’s Texas-based aerospace subsidiary VT San Antonio Aerospace discovered a data breach that was later determined to be the product of the Maze ransomware group. The attack successfully exfiltrated approximately 1.5 terabytes of data from a Maintenance, Repair, and Overhaul (MRO) software system. The material may have been stolen as early as March. The lack of detection may have been facilitated by Maze’s successful evasion of McAfee and Windows Defender security solutions.

The breach has reportedly been contained to the U.S. commercial operations of Singapore-based ST Engineering. Recovery from the attack took a total of 3 days. Maze was notable as a non-adherent to the ransomware operators’ healthcare ceasefire and was continuing to hack hospitals as it was targeting ST Engineering. 

In light of the global COVID-19 pandemic, several ransomware operators mutually agreed to refrain from attacks on life sciences & healthcare facilities and institutions. Hacker groups such as Doppelpaymer and Maze, for example, stated their intent to avoid healthcare targets, and in the event of an unintentional infection, committed to provide free decryptors. However, no prohibition was made on entities indirectly connected to hospitals, such as utility providers or transporters, serving life sciences and healthcare clients. Other groups such as REvil continue to target the healthcare sector without reservation. For those adhering to the truce, their operators have nonetheless targeted certain businesses exposed to the myriad of threats. 

Life Sciences & Healthcare: German PPE Consortium phishing incident

On June 8, reports emerged of a phishing campaign targeting at least 100 members of the Task Force Personal Protective Equipment (TFPSA), a public-private consortium designed to procure personal protective equipment (PPE) for Germany. The consortium consists of several manufacturers from multiple sectors, as well as logistics operators in Germany. The phishing emails targeted operations, finance, and procurement executives within the companies and their known partners in the transport, chemical manufacturing, medical, pharmaceutical, energy, finance, and communications sectors. If successfully lured, users were taken to false Microsoft login pages which would funnel the ill-gotten credentials to the hacker’s server by way of a Russian-origin IP address. A total of 280 malicious URLs were traced to this campaign. At the time of reporting, a responsible party for this campaign has not been definitively attributed and the intended objectives remain unclear. However, it is clear that the authors of the attack had a deep infiltrative intent. The quantity of emails, as well as their targets, reveal an attempt to drill down into the supply chains of the consortium members, potentially indicating a degree of pre-existing familiarity with the victims. 

Additional notable examples

Table 1 lists several other cyberattacks which have been perpetrated in the past month. During these ransomware attacks, hackers held company systems hostage and disabled functions, demanding payment in exchange for a key to restore the systems. 

| Incident | Industry | Date(s) | Country | Type |
|---|---|---|---|---|
| Fincantieri SpA / Vard Group AS | Shipbuilding | June 8 | Norway | Ransomware |
| Natura / Avon | Life Sciences & Health Care, Consumer, Retail | June 8 – 16 | Brazil, UK, Poland, Romania | Ransomware |
| Lion Pty Ltd | Beverages | June 9 – June 26 | Australia, New Zealand | Ransomware |
| ENEL | Electrical | June 9 | Argentina | Ransomware |
| Fisher & Paykel | Appliances | June 11 | New Zealand | Ransomware |
| LG Electronics | Engineering & Manufacturing, Technology | June 25 | South Korea | Ransomware / Data Breach |

Table 1: Ransomware attacks and data breaches recorded by Everstream Analytics since May 26 (excluding examples profiled above). Source: Everstream Analytics

Outlook and Recommendations

Paying a ransom to ransomware operators is no guarantee of recovering one’s systems and data. Law enforcement officials discourage the practice, both because it hinders efforts to apprehend those responsible and because newer ransomware operators, instead of releasing data securely upon payment, are choosing to intentionally publish and expose, or “doxx”, their targets for malicious ends. 

The ongoing COVID-19 pandemic and continuing demand for information regarding its impacts will amplify the present challenges. Hackers will continue to devise new attack methods and search for new commercial entities to exploit for profit. 

Reports suggest that the North Korea-linked Guardians of Peace Advanced Persistent Threat (APT) is planning to target 5 million entities in South Korea, India, the UK, Singapore, Japan, and the U.S. This is one of many indicators which emphasizes the urgency and scale of the looming COVID-19 cyber threat. For supply chain managers, these are complex risks due to the lack of visibility into cybersecurity threats faced by suppliers, and the variety of cybersecurity standards and configurations that suppliers may employ. However, supply chain professionals can work with supplier contacts to initiate specific measures to ensure that supply chain partners are adequately prepared to minimize exposures to cyber risks. Everstream Analytics recommends that customers work with their suppliers on the following measures: 

  • Maintain data backups: Supply chain managers can work with suppliers to verify or stipulate that they are maintaining system backups. Regular and thorough backups are the best mitigation against ransomware, regardless of inclination to pay. As a best practice, companies which maintain ongoing, comprehensive backup programs create an effective “mirror” of current operations, enabling them to quickly jump to a parallel system in the event of an attack. 
  • Know your defenses: Mindful that customers will be challenged to assess cybersecurity across the entirety of an organization, firewall and vulnerability mitigation should be prioritized not only for those suppliers with the greatest access to the customer’s host network, but also for those with the greatest exposure to threats. This measure of exposure includes factors such as industrial control systems known to be vulnerable, or a location or industry known to be a frequent target of attacks. Keeping abreast of the latest threats that target backups can further enhance an organization’s defense posture.
  • Enhance physical security: Verify that suppliers have adequate measures in place to protect office environments from compromise. While offices remain below normal occupancy, customers should ensure that supplier facilities have secured any physical documents with potentially compromising PII, FI, and credentials to reduce exposure. 
  • Synchronize threat preparation and response: Ensure that suppliers have business continuity in place should a cyberattack occur. Such preparation to enhance coordination and minimize confusion in the event that a crisis strikes can allow all parties involved to save time and act in unison to maintain supply chain agility. 
  • Know the systems of your suppliers: Awareness of technological tools, hardware, equipment, and operational systems of suppliers can empower those responsible for information security on your team to anticipate potential disruptions and take a proactive role in helping supply chain managers to mitigate threats amongst suppliers. 
  • Ensure social engineering awareness: Collaborate with IT partners to conduct realistic, frequent, and varied phishing testing at the supplier level and across the supplier network in order to identify vulnerabilities and reduce, to the greatest extent possible, the threat field that a potential hacker can exploit. Maintain information-sharing relationships with appropriate law-enforcement bodies to further enhance awareness and protection, and encourage suppliers to do the same. Supply chain managers must also collaborate with IT teams to determine the impact of a disruption to the business, obligations to maintain cybersecurity, and standards to maintain, such as ISO/IEC 27001/27002.
