Three Telco Security Alliance members and their threat intelligence units — AT&T (AT&T Cybersecurity and AT&T Alien Labs), Singtel (Trustwave), and Telefónica (ElevenPaths) — reported a 2,000% spike in COVID-19 related threats in March compared to February.
A report co-authored by the three operators, COVID-19 Insight from the Telco Security Alliance, investigated threat actors including organized crime and nation states taking advantage of the pandemic to launch campaigns against businesses and government agencies globally.
The group, which claims to be the first global security alliance between telecom operators, formed in 2018 and began sharing threat intelligence in January using the AT&T Alien Labs Open Threat Exchange. Members contributed more than 1 million COVID-19-related indicators of compromise between Jan. 1 and June 15. And in March, during the height of the pandemic, they experienced a 2,000% increase (+382,973) compared to February in the number of indicators.
“The global scale of the pandemic is something that we haven’t seen very commonly where every adversary out there is almost trying to take advantage of it in some way to compromise someone either opportunistically or targeted,” said Tom Hegel, a security researcher at AT&T Cybersecurity. “Just the sheer quantity of everyone kind of using the same lure or same context behind their attacks was really staggering.”
Of all phishing or malware from March to May, 2.7% were related to the ongoing pandemic and nearly 80% of COVID-19-related spam emails originated from the U.S.
COVID-19 Threat Groups
The attacks originated from a variety of threat groups including:
- Kimsuky, which has been taking advantage of the 2020 South Korean legislative election in its campaigns.
- TA428, which lures users by impersonating the Mongolia Ministry of Health.
- Vendetta, a relatively new player focused on COVID-19 email campaigns impersonating the director of the Taiwanese Centers for Disease Control and Prevention.
- HustleKing, which uses several Remote Access Trojans (RATs), aiming to steal information, including credit card details.
The threat researchers also noted an uptick in COVID-19-themed business email compromise scams requesting iTunes, Amazon, and Walmart gift cards, using consistent messaging and insisting on urgency.
And with phishing emails, attackers commonly used logos to impersonate the U.S. Centers for Disease Control and Prevention or the World Health Organization.
The attackers’ objectives varied, Hegel said, and ranged from financial gain to espionage and election disruptions.
“For example, Kimsuky typically focuses on things like espionage, or theft of intellectual property for political gain rather than like financial gain,” he said. “That’s more a long-term, nation-state, slow-intelligence type movement. While then you also get the opportunistic side, like HustleKing or Vendetta. Those are mostly financially motivated, so they’re either trying to gain access for their own financial gain, or to gain access to sell that to someone.”
Many companies assumed that once they closed their doors and their employees started working from home, this meant that hackers would no longer target their corporate systems, Hegel said. “There was this false assumption that security is not as critical, and, in fact, it’s kind of the opposite. We’ve seen adversaries ramp up and launch more attacks that have become more deliberate in targeting employees working from home. Just because you’re not in the office doesn’t mean the attacks aren’t extremely relevant to your organization.”
Takeaways for Businesses
Businesses of all sizes need to take global events like the pandemic into account when it comes to their security posture, he added. Nation states and cybercriminals may be more likely to target large enterprises and government agencies if they want to steal intellectual property or sensitive information. But that doesn’t mean small businesses are immune.
In the United States, small businesses likely applied for government loans, and that gave attackers an in. They used these small business loans as a phishing lure to either steal money or entice employees to click on malicious links impersonating government agencies.
“So you always have to keep that in mind as the global events unfold,” Hegel said. “They may not seem super relevant to you, but an adversary is just waiting to pounce on it at a moment’s notice. And with COVID we really saw every adversary just jumped on it.”