Follow the Money: Qualifying Opportunism Behind Cyberattacks During the COVID-19 Pandemic

Follow the Money: Qualifying Opportunism Behind Cyberattacks During the COVID-19 Pandemic

January 22, 2021 • Insikt Group®

Insikt Group

Click here to download the complete analysis as a PDF.

This report covers the cybersecurity threats tied to the COVID-19 pandemic that Recorded Future has observed over the past year, detailing the socioeconomic drivers that contributed to the threat landscape. This research is targeted toward those looking to understand the evolution of the COVID-19 pandemic’s effects on the cybersecurity landscape and the opportunism of cybercriminals and nation-state threat actors.

Executive Summary

The COVID-19 pandemic has created significant disruption to the global economy, and the cyber threat landscape has responded accordingly; criminal, extremist, and state-sponsored threat actors have capitalized on the pandemic’s worldwide economic crisis. Throughout the pandemic, the tactics used by threat actors have evolved to focus on the most pressing, timely concerns and exploit those public fears and uncertainty that present the greatest opportunity for successful victimization.

Recorded Future correlated aspects of this opportunism with changes in the socioeconomic climate spurred by the different stages of the pandemic, and their resulting effects on organizations and the public. Initially, threat actors largely capitalized on the public’s hunger for information about the new virus, and on shortages in personal protective equipment (PPE) and tests. Later, threat actors pivoted to attacks focused on stealing information related to the development of the vaccine, disruption of healthcare providers, and scams targeting financial concerns. Finally, the most recent threat activity shows threat actors pivoting to targeting organizations involved in the development and delivery of the vaccine using disruption and misinformation techniques.

As the pandemic continues, criminals will continue to target organizations focused on the delivery of the vaccine, especially as global distribution increases. Threat actors’ tactics will likely evolve to discredit the vaccine’s safety and efficacy, or seek to steal information of individuals who have been vaccinated or participated in trials. Finally, competing nation-states will continue to spread false information about COVID-19 in an effort to gain economic advantage over competitors and discredit adversaries.

Key Judgements and Findings

  • The opportunism of threat actors is primarily created by the socioeconomic conditions of the pandemic and is visible in the evolution of the themes used to target victims over the course of the pandemic.
  • Threat actors have targeted the healthcare and vaccine “ecosystems” with a variety of tactics aimed at financial exploitation, intelligence gathering, and destruction.
  • China and Russia each conducted coordinated and aggressive disinformation campaigns targeting Western democracies such as the United States and United Kingdom. Manipulating global audiences towards favoring their own systems of governance is a long-term strategic objective of both China and Russia. However, despite similar aims, their influence operations tactics vary based on unique tool sets and resources.
  • China and Russia each used information operations to target vaccine developers and the COVID economy in Western nations to gain business and economic advantage over competitors.


Threat actors, both financially motivated and state-sponsored, have taken advantage of different aspects of the pandemic to create thematic lures that entice victims into compromising their systems. These themes include scams around PPE shortages, changes brought on by the move to remote work, COVID testing and tracking, and most recently, vaccine development and the supply chain that supports its delivery. Ultimately, financially motivated threat actors are aiming to maximize profit and as such use tactics aimed at generating the most profit, crafting scams that most effectively play on the fears and concerns of their victims at each stage of the pandemic. Similarly, state-sponsored threat actors have used aspects of the pandemic to further victimize existing adversaries, as well as gain intelligence on scientific developments around vaccine candidates.

At the most basic level, existing businesses have deployed new products and services, including fashion companies marketing their line of masks, advertisement of COVID-19 safety protocols to draw customers, an increase in “virtual” versions of in-person events and seminars, and an increase in the number and types of experiences and products that can be delivered to one’s home. More significantly, new products and industries have also emerged, specifically those around COVID-19 diagnostics and testing, “COVID-19 cleaning” services, and the mobilization of a supply chain to bring the vaccine to the public.

The negative economic ramifications of sustained lockdowns have manifested themselves in public concern about foreclosures on homes, loss of business, inconsistent financial relief, lack of access to healthcare services and testing, and uncertainty surrounding how much “normalcy” a vaccine will bring and when. Threat actors and scammers have continued to exploit these fears in a variety of ways, preying on economic hardship and the public’s fear to profit financially or further intelligence goals.

Threat Analysis — The COVID Economy

The COVID-19 pandemic has caused stark changes in the world economy, and with it, groups who have benefited financially and those who have not. We have observed threat actors, both nation-state and criminal, take advantage of the pandemic to profit in a variety of ways. To understand what socioeconomic events created opportunities for threat actors to victimize individuals and organizations throughout the world, it is critical to understand the motivations of these threat actors.

What Motivates Threat Actors?

At a most basic level, cybercriminal threat actors are primarily motivated by financial incentives, and intrusions are driven by the potential for profit. Primarily, we see cybercriminal threat actors employ the following techniques to target victims:

  • Phishing: Threat actors send victims an email containing a malicious link or attachment that causes the victim to download malware or input credentials. These emails contain “lures” that may impersonate a website login page, a package delivery confirmation, or promise to provide information of interest to the victim. The actor profits only if the victim downloads the malware or clicks on the link, so it is of utmost importance for the threat actor to create an enticing lure.
  • Ransomware: Ransomware may be delivered by any number of methods, but phishing remains popular. While some ransomware may be deployed opportunistically, researchers have developed models based on game theory that suggest the “attractiveness” of a target depends on a number of factors, including an organization’s ability and willingness to pay a ransom demand (as designated by several factors).
  • Scams and Fraud: Frequently, scams are lower-tech ways criminals target victims, often with the promise of goods or services with the provision of money or personal information required up front. Often, scams are perpetrated through social media, telemarketing calls, text messaging, or even door-to-door visits. Scams may become slightly more “technical” with threat actors offering fake or repackaged commodity tools on dark web technical forums. Again, scams and fraud are only profitable if they succeed in enticing victims.
  • Business Email Compromise (BEC): Criminals send a message that appears to come from a known source making a legitimate request and this tactic relies primarily on social engineering to be successful. These requests may be for the transfer of funds, payments, or personally identifiable information.

Figure 2, below, shows the use of these and other attack vectors with COVID-19-themed domain lures between March 1 2020 and September 1 2020.

Malicious Use of COVID-19 Domain Lures

Figure 2: Frequency of use of attack vectors that use COVID-19 domain lures from March 1, 2020 through September 1, 2020

State-sponsored threat actors may be motivated by a variety of factors, though direct financial motivation plays a smaller role than other factors. Some of the key nation-states and their motivators include:

  • China: The Chinese government’s focus throughout the pandemic has been to control the spread of the virus within the country’s borders and to counter the narrative that COVID-19 originated in Wuhan. Throughout 2020, the Communist Party of China (CCP) made significant efforts to create the perception that they have the virus under control, that the fallout is minimal, and that the current Chinese mode of governance is more competent than Western models. China’s strong response was also likely driven by a need to ensure the continuation of economic growth, from which much of the CCP’s political legitimacy is derived. Chinese media have consistently pushed the narrative that China is a capable world power despite the challenges that COVID-19 presented throughout the year. The competition to create the first COVID-19 vaccine, have it approved, and sell it around the world is driving intense espionage campaigns around the world. In May 2020, the U.S. Department of Homeland Security and the FBI issued a joint statement warning that China was conducting cyberespionage operations targeting U.S. research institutions and pharmaceutical companies in an effort to steal proprietary information used to develop a vaccine. In July 2020, the U.S. Department of Justice announced indictments of two Chinese hackers who allegedly work for China’s Ministry of State Security, stating that the defendants probed for vulnerabilities in computer networks of companies developing COVID-19 vaccines, testing technology, and treatments.
  • Russia: Much of the cyberespionage activity linked to Russian state-sponsored threat actors in 2020 has targeted organizations developing COVID-19 vaccines. At the onset of the pandemic, Vladimir Putin retreated to a largely private, protected environment, and put the onus on local governments to manage the pandemic in their respective regions. Russia has begun to deploy the Sputnik V vaccine to its citizens after announcing its availability before fully completing wide-scale trials, with the Gamaleya National Center of Epidemiology and Microbiology claiming a 92% efficacy rate, a claim that is questioned by international researchers. Despite the purported high efficacy rate of Sputnik V, there are indications that Gamaleya is also reaching out to foreign partners for support in improving the vaccine, including the makers of the Oxford/AstraZeneca vaccine. On December 21, 2020, Gamaleya, the Russian Direct Investment Fund (RDIF), and the Russian pharmaceutical company R-Pharm signed a memorandum of cooperation with pharmaceutical developer AstraZeneca to combat COVID-19. Putin was at his lowest popularity level since the beginning of his presidency at the outset of the pandemic, and by being seen as the driving force in the delivery of the vaccine to his constituents, he can likely increase his popularity and decrease the threat of domestic unrest. Experts suspect that Russia is undercounting their coronavirus death toll, reporting around 6,000 more deaths from all causes in May than the average of the last three years; on December 29, 2020, the Russian state statistics agency Rosstat reported “that the death toll from COVID-19 is more than three times as high as officially reported”. With the price of oil fluctuating at or below just over $40 per barrel for most of 2020, combined with economic sanctions imposed by the U.S. and the country’s struggles with the virus, Russia is suffering financially, further underscoring the need for the country to successfully combat the virus. There are also indications that Putin is seeking to pivot away from reliance on an oil-based economy, with Russian state-owned media source Tass reporting that the Russian president has declared 2021 to be a “Year of Science and Technology”. Putin further emphasized the pivot away from oil in a December 2020 announcement, stating, “If someone wants to still view us as a gas station, well that image is no longer valid.” At the same time, the president acknowledged that “the dependence [on oil and gas revenues] is still very large,” and this factor must be taken into account.
  • North Korea: North Korea is one of the most closed-off countries in the world, but smuggling activity, which is common through the Northern border with China, creates a vulnerability to COVID-19 infection. However, Kim Jong-un has repeatedly stated that there has been no outbreak in his country and brags that the Democratic People’s Republic of Korea is a “shining success” in the fight against COVID-19. Experts believe that North Korea would be particularly vulnerable to the pandemic if widespread infection were to occur because its healthcare infrastructure would be ill-equipped to handle large numbers of critically ill patients. However, North Korea is uniquely positioned to minimize the community spread of COVID-19 for a couple of key reasons: one, the borders are largely closed off and cross-border travel is strictly limited to essential personnel; and two, citizens within its borders are severely limited in their ability to travel and move about the country unchecked. Despite claims that North Korea has been completely COVID-free, alleged North Korean hackers targeted the computer networks of at least three vaccine development companies.

Exploiting the Economic Effects of COVID-19

Insikt Group observed malicious activity targeting several aspects of the COVID-19 pandemic and organizations economically impacted by it. This malicious activity included phishing schemes, fraud, and scams capitalizing on aspects of the pandemic, the exploitation of organizations involved in healthcare and the development or delivery of the vaccine, registration of domains that used COVID-19-related terms or themes maliciously, and disinformation campaigns seeking to confuse the public and control the narrative for financial, political, or ideological gain.

Domain Registrations

COVID-Related Domain Registrations

Figure 3: Total COVID-related domains registered per month from January 2020 through December 2020 (Source: Recorded Future)

According to Recorded Future data,the majority of domains related to COVID-19 were registered in March 2020 as seen in Figure 3, and monthly registrations continued to drop over the course of 2020. Public uncertainty about the virus and the desire for information were at a high in March, while the population was still working to establish its own understanding of credible sources of information and resources. It is important to note that not all of the registered domains were malicious, and the majority of the registrations appear to be opportunistic in nature.

Insikt Group defined a set of terms around five major themes and looked for the use of these terms in the newly registered domains since January 2020: “vaccine”, “cleaning/decontamination”, “personal protective equipment (PPE)”, “cures”, and “economic relief”. As seen in Figure 4 below, the domain registration curves for each thematic area closely follow the curve of overall domain registrations, as expected. Insikt Group observed a few interesting trends in the thematic data:

  • Distinct spikes in testing- and vaccine-related domains occurred later in 2020. The first spike, around August, occurred around the time that Moderna and AstraZeneca were beginning their phase 3 trials of their vaccine candidates. Similarly, on August 12th, the Institute of Biology at the Academy of Military Medical Sciences approved the Sputnik V vaccine created by Gamaleya National Research Centre for Epidemiology and Microbiology. The spike in the registrations of vaccine-related domains starting in November correlates with the timelines of the conclusion of the Pfizer vaccine clinical trials, the subsequent release of the data to the FDA for approval (November 13, 2020), and the commencement of phase 3 trials for several vaccines around the world. The Pfizer vaccine, the first FDA-approved vaccine available for COVID-19, was approved by the FDA on December 11, 2020 and distribution to the population began. The registration of vaccine-related domains continued to climb sharply through December 2020; while some governments have begun creating legitimate websites to disseminate information about the vaccine, the same trend is visible, although to a lesser degree, in the domains that Recorded Future was able to classify as malicious (Figure 5, below). This suggests that while many domains were registered at these key stages in the development and approval of the vaccine, to date only a small subset have been identified as malicious, with a large majority not yet classified.
  • Of the maliciously verdicted domains, two initial spikes in those related to “testing” occurred early in the pandemic. The first spike in testing-related domains occurred around the same time that tests in the U.S. were difficult to access (March and April), and that testing scams abounded. A timeline of COVID-19 tests per day can be seen in Figure 6, below, showing an increase over time.
  • A spike in both overall domain registrations and maliciously verdicted domains related to “economic” terms, such as those themed around financial relief topics, occurred in August when the U.S. Congress increased discussions of a second COVID-19 stimulus bill. An additional spike in economic-related domain registrations beginning in October and going into November aligns with a large increase in mentions of unemployment fraud in the criminal underground during Q4 of 2020, as identified by Recorded Future.
  • Domains related to non-vaccine and non-testing aspects of the pandemic such as PPE, cleaning and disinfection, and cures have experienced an overall decrease after the original registration spike starting in March 2020.

Domain Registration Frequency Per Month

Figure 4: Themes identified in all COVID-19-related domain registrations and certificate registrations from January 2020 through December 2020 (Source: Recorded Future)

Domain Registration Frequency Per Month — Risk Scored

Figure 5: Themes identified in maliciously verdicted COVID-19-related domain registrations and certificate registrations from January 2020 through December 2020 (Source: Recorded Future)

Total Test Results Over Time

Figure 6: Total COVID-19 test results increase per day in the United States (Source: Covid Tracking Project)


As the pandemic evolves, threat actors will continue exploiting the most “lucrative” opportunities for access to traditional and new targets. Recorded Future recommends that organizations continue to educate employees about new tactics that threat actors are using, including phishing lures, scams, and fraud exploiting the pandemic. Additionally, awareness of disinformation and sources of credible information is key to helping individuals avoid manipulation and foreign interference as the pandemic progresses. Additionally, we recommend the following steps to combat COVID-19 disinformation:

  • Share data sourced from science and trusted public health officials. Public health officials should seek out social media influencers to amplify truthful fact and science-based information about COVID-19.
  • Public health officials and social media companies have to work together to flag and take down misinformation around COVID-19. 39% of misleading statements in social media are related to the actions and policies of public authorities. Confirming and denying statements can help security teams flag false information.
  • Detect, understand and expose COVID-19-related misinformation through data science and behavioral analytics.
  • More advice on how to tell facts from misinformation can be found here.


While both state-sponsored and criminal threat actors have employed the COVID-19 pandemic to further financial, espionage, and intelligence-gathering goals, it is apparent that the way in which they do so is largely related to the larger socioeconomic situation. As the pandemic itself continues to evolve, and with the introduction of approved vaccine candidates in several countries, distribution of these vaccines, and the beginning of economic recovery, Recorded Future expects to see the focus of cyberattacks shift again. Future attacks will likely seek to negatively impact each of these areas, particularly:

  • Criminal threat actors will likely continue to target industries and organizations focused on the delivery of the vaccine, especially as distribution increases and these organizations become increasingly appealing targets. This will most likely be through attempting to disable the organizations, such as through ransomware attacks.
  • Both criminal and state-sponsored threat actors may target PII or patient data of those who have been vaccinated or have participated in vaccine trials, or test results of these individuals.
  • State-sponsored threat actors will continue to conduct malicious disinformation campaigns to target adversaries and global society in an effort to gain economic and political advantage.
  • Threat actors may seek to discredit the vaccines as “dangerous” or “ineffective” and continue the narrative that vaccines are being used to “track” individuals to further sow distrust.
New call-to-action

Related Posts

Gemini Annual Report 2021: Magecart Thrives in the Payment Card Fraud Landscape

Gemini Annual Report 2021: Magecart Thrives in the Payment Card Fraud Landscape

January 26, 2022 • Gemini Advisory

Editor’s Note: The following post is an excerpt of a full report by Gemini Advisory To read the...

Threats to the 2022 Winter Olympics

Threats to the 2022 Winter Olympics

January 26, 2022 • Insikt Group

Editor’s Note: The following post is an excerpt of a full report To read the entire analysis,...

The People’s Liberation Army in the South China Sea: An Organizational Guide

The People’s Liberation Army in the South China Sea: An Organizational Guide

January 19, 2022 • Insikt Group®

Editor’s Note: The following post is an excerpt of a full report To read the entire analysis,...