Podcast

Correlating the COVID-19 Opportunist Money Trail

Posted: 25th January 2021

By: CAITLIN MATTINGLY

Correlating the COVID-19 Opportunist Money Trail

The COVID-19 global pandemic has, predictably, attracted bad actors intent on using fear and uncertainty as a framework for a variety of actions, from run-of-the-mill money scams to targeting phishing, business email compromise, and even espionage.

Recorded Future’s Insikt Group has been following these money trails and correlating them with a spectrum of bad actors around the globe. They recently published their findings in a blog post titled, “Follow the Money: Qualifying Opportunism Behind Cyberattacks During the COVID-19 Pandemic.”

On today’s episode we’ve got a pair of Insikt Group analysts joining us to share their expertise. Lindsay Kaye is Director of Operational Outcomes and Charity Wright is a Cyber Threat Intelligence Analyst.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 193 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

Lindsay Kaye:

I am Lindsay Kaye, and I'm Director of Operational Outcomes at Recorded Future in Insikt Group. So our team is primarily responsible for developing a lot of the technical detections that go into the product; so things like VR rules, the sigma rules, doing also malware analysis and network analysis. Besides running the team, what I do is a lot of malware analysis and some software.

Dave Bittner:

All right. And Charity, how about you?

Charity Wright:

Well, I'm an Expert Cyber Threat Intelligence Analyst within Insikt Group. On a day-to-day basis, I'd say I specialize in really analyzing various cyber threats, but I focus a lot on Chinese threats and disinformation.

Dave Bittner:

All right. Well, today, we're talking about the research that you all recently published. This is, "Follow the Money: Qualifying Opportunism Behind Cyberattacks During the COVID-19 Pandemic." Lindsay, let me start with you. What prompted the creation of this report?

Lindsay Kaye:

So in looking back at the last, I believe, nine or 10 months of the COVID-19 pandemic, one of the things that we wanted to understand really, was how has opportunism on behalf of cybercriminals and nation state threat actors really shown itself in the cyberattacks and cyber incidents that we're seeing? So in order to understand this, what we wanted to do is look at the larger socioeconomic climate behind it and see, how did threat actors take advantage of different aspects of the pandemic? Because as you know, it really has evolved over the last 10 months in how they targeted victims, what kinds of attacks were going on, and generally, what the themes of a lot of the phishing alerts that we identified were, and see how that all related.

Dave Bittner:

Well, let's go through it together. You've got some really interesting insights here. Is it useful to go through in a timeline way from the outset of the pandemic itself?

Lindsay Kaye:

And I think this is something that I don't know if you've checked out some of the domains that we looked at, but I think that the domain registrations really speak to a lot of what you're getting at, where there were different occurrences and then you see upticks in different domains around different themes. So we could talk about that if you'd like.

Dave Bittner:

Yeah, that's a good place to start. What were you all tracking here in terms of domain registrations, and what insights does that provide you with?

Lindsay Kaye:

So Recorded Future looked at all the domain registrations that had to do with COVID-19 and the COVID pandemic. One of the things that we wanted to understand was, were these domains being registered under any particular themes? So what we did was we looked at cleaning-related domains, economic, ones around PPE, so things like masks and other protective equipment, the vaccine and testing, just to see, have we seen any upticks at any point in the pandemic that would potentially relate to some of the different phases we were in?

One of the things that we noticed that was really interesting is as expected in March when there was a whole shortage of information, people were scrambling to figure out what is COVID-19, what are the risks, what is going on, how is the government responding, what should I do? There was the largest amount of registrations of all domains. But interestingly, we saw a couple of different spikes over the course of time in a couple areas. So first, related to some of the vaccines.

So around August, when some of the different vaccine candidates were going to some of their phase three trials or trials were completing and there's a lot of news there, we saw a second bump of vaccine-themed registrations. Then starting in October, and when you probably remember, there was a lot of discussion of, at least in the U.S. and I believe some in the U.K., of the approval of these vaccines now that a lot of these trials were wrapping up, we saw a large increase from October through December, which really does match with a lot of the timeline.

So not all of these domains are malicious by any means, but it is interesting to see how the latest themes of the pandemic really play out in some of what we see people registering. And for sure, some of these are legitimate sites of people registering vaccine-related domains for COVID, but it's particularly interesting to look at some of the maliciously verdicted ones where we see a smaller, but still, increase from in those timeframes.

Dave Bittner:

What insights can you gain from the types of domains that were being registered and what these actors are up to? What conclusions can you come to based on the information you gathered here?

Lindsay Kaye:

So predominantly during the pandemic for cyberattacks, we've seen a lot of phishing occur, and this is something you probably remember from the beginning of the pandemic when people were looking for information. So different phishing lures purporting to be from different package delivery companies, or, "What is the government doing? Click here to find out," or, "What is my company doing about the pandemic?" So, while it's hard to tell how all of these domains were used to some degree, you could definitely see how a lot of them could be used for phishing campaigns.

So, "Click here to find out about the vaccine," or as part of different scams. We did observe scams from cybercriminal threat actors around, "Get on the early access list for the vaccine," or, "Pay this money or provide your personal information," things around mask delivery scams from earlier in the pandemic when there were shortages and things like that. Predominantly, I would suggest that these would be used for phishing.

Dave Bittner:

Charity, I'm interested in your insight from the point of view of being able to unpack who the various actors were here. We've got … There are always those scammers who are chasing the latest news and will wrap their scams around things that are top of mind for people. So I don't think it's surprising to see them chase after something like the pandemic, but at the same time, there were other things going on here, right? There was espionage. There were nation state actors.

Charity Wright:

Absolutely. One of the interesting findings in this report is that so many different types of threat actors are trying to take advantage of this pandemic. It's very unfortunate, but one of the things we observed was not just criminals, but also state-sponsored threat actors. So various nations battling it out for an economic advantage in the distribution supply chain and when it comes to vaccines, who's going to release the vaccine first? But also, we saw an interesting factor where certain nation states were trying to save face around the globe, just in front of a global audience. Each government, each government’s leader wanted to appear to be the most competent. So that's really the core motivations that we observed from the state-sponsored threat actors.

Dave Bittner:

What about disinformation? How did that come into play? There's been a lot of news stories about that in the past couple of years as well.

Charity Wright:

Right. Disinformation actually played a huge role in gaining advantage during this pandemic. Especially throughout 2020, we observed China and Russia both using it for their own objectives, including spreading rumors about certain vaccines in other countries. For example, Russia was spreading a rumor that the Oxford AstraZeneca vaccine was actually derived from monkey DNA. So they were spreading rumors that humans that receive this vaccine would turn into monkeys.

As bizarre as that sounds, that narrative was actually disseminated around the world and started catching the eye of a lot of conspiracy theorists, which is very interesting, but there are so many different examples of how disinformation was used to manipulate society, to manipulate, let's just say the ignorance of a lot of people that don't know the truth about the vaccine, about how COVID is spread and about how people can actually protect themselves from COVID-19.

Dave Bittner:

Yeah. It strikes me that when you talk about something like the monkey story, which all of us would laugh and roll our eyes at, but it seems to me that even something that absurd chips away at people's feelings of trust. It injects just a little bit of doubt in their minds.

Charity Wright:

Absolutely. What they're doing is they're really playing on the fear that people have all over the world. People are scared of this virus. At the beginning, nobody knew where it came from, how it was spreading and how to protect themselves from it. So threat actors jumped in immediately to exploit that fear and start spreading these various rumors that just created confusion and chaos. In a lot of these instances, that was their goal, to spread the fear, spread the chaos, and that they come in with their own solution and say, "Oh, here, we have the answer. We have the vaccine that you need the most," and they try to gain an advantage over their adversaries and competitors that way.

Dave Bittner:

Lindsay, I'm curious, did you track any maturation over the course of the past several months, coming up on almost a year now, with the sophistication of these attempts growing. Were they able to learn from what worked and what didn't along the way?

Lindsay Kaye:

So we didn't really necessarily observe any sort of maturation, but we observed trends in what the interests of different adversaries were. So in the beginning, like Charity alluded to, there was that information aspect, and then you saw many, many different threat actors, even some more novice types dropping a whole different commodity malware and tools that you can get on the internet, as well as the nation state actors. So really the landscape was just, cluttered is the wrong word, but there were so many different threat actors involved, even some of the more novice criminal actors who saw this as an opportunity. Like Charity had said, there were so many people who were just like, "What is this? Where did it originate from? Who is hungry for information?" that people really capitalize on a lot of that.

Then we started to see some of the more sophisticated threat actors, so the state sponsored ones, trying to get information about vaccine development from some of the vaccine development companies. Then we saw that shift once as the vaccine started rolling out, looking to target some of the different aspects of the supply chain. So some of the cold chain, and this is something that potentially can keep evolving. So as distribution rolls out, it will be interesting to see how they continue to target some of this delivery mechanism.

Dave Bittner:

So where do we stand right now? We're in the midst of folks being vaccinated. As you say, that rollout is underway. Is there light at the end of this particular tunnel, or have these methods gone on unabated?

Lindsay Kaye:

So most recently, as you said, the vaccines are rolling out, now we're seeing threat actors targeting the public in addition to the corporations, with the idea of, "If you pay money, you can put your name on this vaccine list." So there probably is a light at the end of the tunnel, but while some scams and different cyberattack themes really are, we see, dwindling, now we're seeing new ones emerge and we've seen that throughout the pandemic and watched how it's changed. So there is a light at the end of the tunnel for some types of cyberattack themes, but new ones will emerge and this is probably something that will keep happening as the pandemic wears on and changes.

Charity Wright:

Absolutely. I have to agree with Lindsay on that. I think it will evolve and we have to evolve with the pandemic. As new strains of COVID-19 are discovered, there may be new vaccines that come out and we have to look at what has happened in the past, and then use that history to protect ourselves and organizations from these types of criminal attacks.

Lindsay Kaye:

So well put, Charity.

Dave Bittner:

So what are your recommendations then? For organizations and individuals who are looking to best protect themselves against these sorts of things, what do you recommend? What are the takeaways?

Lindsay Kaye:

So from a technical perspective, recognizing that phishing is an ever popular initial access vector, so just being cognizant that we've seen threat actors use different kinds of phishing lures to deliver malware. We've seen them target different remote technologies. So just being cognizant that this is something that will likely not change. So being cognizant, letting your employees know that this is something that will continue on, and especially as the pandemic themes change, what is the most current and relevant issue of the time? And just being cognizant of that.

Charity Wright:

For protecting ourselves against disinformation and false information that may be out there, it's really important for people to go straight to trusted scientific sources and public health official sources for information. We found that nearly 40 percent of misleading statements are in social media. So when you're seeing, let's say, news or rumors travel around social media, be sure to question the authenticity of the information and always look to see what the source is. If you have questions about the vaccine or the spread of COVID-19 or anything around this pandemic, definitely go to official sources for your information.

Dave Bittner:

Yeah. It's good to have those skeptical thinking tools at your disposal to be able to discern whether or not a source is likely to be good or not.

Charity Wright:

Absolutely.

Dave Bittner:

Our thanks to Lindsay Kaye and Charity Wright from Recorded Future’s Insikt Group for joining us. You can find more about this topic and the Insikt Group's research by checking out the blog section on the Recorded Future website.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Caitlin Mattingly. The show is produced by the CyberWire, with Executive Editor Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.