The main cyber-threat trends during COVID-19 and how they will affect the UK going forward were discussed by Eleanor Fairford, head of incident management at the National Cyber Security Centre (NCSC), during the keynote session on day two of the Infosecurity Europe virtual conference.
Fairford began by describing the new opportunities that the COVID-19 pandemic has presented to cyber-criminals and nation-state actors. Cyber-criminals have been able to “make the most of people’s vulnerabilities during this period and the increased threat surface that was presented by everyone working from home.” For hostile nation-states, the pandemic provided more chances to steal highly sensitive information from other governments, such as that relating to vaccine development, to gain an advantage over them.
She outlined the three areas the NCSC regards as the biggest cyber-attack trends of 2020: cyber and fraud during COVID-19, the SolarWinds supply chain attacks and the proliferating ransomware threat.
Cyber and Fraud During COVID-19
In terms of cyber and fraud, Fairford revealed that during 2020, the NCSC observed more online scams “than in the previous three years combined.” Unsurprisingly, many were related to the COVID-19 pandemic; prominent examples include fake celebrity endorsement scams, vaccine adverts and fake online shops purporting to sell medical equipment or even COVID-19 ‘cures’. She added: “These are the sorts of techniques that really preyed on people’s vulnerability.” This is because of the enormous toll the pandemic has taken on areas like health and the economy, making people far more anxious than they would typically be, and therefore more liable to be tricked.
Fairford also highlighted new measures the NCSC has taken to mitigate these scams and protect individuals and businesses. These include updating its active cyber-defense tools and measures, “which are being rolled out as widely as possible to provide a baseline level of protection.”
According to Fairford, the NCSC has emphasized protecting the NHS, the vaccine supply chain, and research institutions in this period. This includes monitoring for attempts to harvest NHS credentials in order to spoof this institution via phishing. In total, the NCSC observed 122 phishing campaigns in 2020 that used NHS branding, making them appear genuine. This compares with just 36 in 2019.
Fairford outlined another key initiative introduced by the NCSC last year to tackle the threat of online scams. This is the Suspicious Email Reporting Service, “which enables members of the public to send into the NCSC emails they had received which looked like phishing emails.” This has proven highly successful so far, with over six million reports received as of May 31, 2021, leading to the removal of more than 45,000 scams and 90,000 URLs.
Encouragingly, Fairford said the NCSC took down nearly 30,000 COVID-19-themed attack groups last year alone.
SolarWinds Attack
She then moved on to the SolarWinds attacks that took place at the end of 2020, which she described as “the key cyber-espionage act of the last decade.” This incident, believed to have been perpetrated by Russian state-backed actors, was particularly “unique and noteworthy,” according to Fairford. This was primarily due to the method the threat actors used to compromise SolarWinds, which subsequently enabled them to target 100 private companies and nine federal agencies.
This was achieved by interfering with SolarWinds software updates, meaning that “as you routinely updated your SolarWinds package, you would install a tampered update, and that provided a backdoor into your network.” She therefore noted that all customers who follow guidance on patching and installing updates “were more likely to be a victim of this particular attack.”
Part of the novelty of this method was that services remained unaffected, allowing attackers to go through affected organizations’ systems unnoticed for a very long time. She added that, in its subsequent analysis of the incident, the NCSC observed “high levels of operational security techniques” being employed by the attackers, including wiping all traces of their activity.
Fairford believes the attack may well have remained undetected had it not been for FireEye’s initial discovery in December 2020.